Love or hate them, passwords have become part of everyday life — from logging into email accounts to signing up for classes, accessing social media accounts, and much more. Strong passwords are essential to cybersecurity; we should use auto-generated or complex passwords.
Many of us, however, fail at the task. CSO online generated a Password Hall of Shame for 2020, and (yet again) the most common passwords were “12345”, “password,” and “11111”. It’s relatively easy for cybercriminals to crack.
Phishing attacks, ransomware holdups, and brute force attacks on corporate IT systems are on the rise, so now may be a good time to review how you manage employee passwords and whether it’s time to switch to Single Sign-On (SSO). Let’s delve into how you can bolster your cybersecurity posture by adopting a more effective and secure password management strategy.
What is password security?
Password security is the foundation of online safety, protecting your accounts and sensitive information from cyber threats. It involves creating strong, unique passwords with a mix of characters and uppercase letters, avoiding common words, and refraining from password reuse.
Employing password managers like LastPass can simplify this process. Multi-factor authentication adds an extra layer of protection, while awareness of phishing and social engineering threats is crucial.
As cyberattacks surge, robust password security is vital for individuals and organizations, playing a pivotal role in overall cybersecurity posture and proactive cyber risk assessment.
Why is password security important?
Password security is of paramount importance in the realm of cybersecurity due to its role in safeguarding your digital identity and sensitive information. Here’s why it’s crucial:
- Protection Against Hackers and Cybercriminals: Passwords are the initial barrier against hackers and cybercriminals attempting to gain unauthorized access to your online accounts. A robust and unique password is your first line of defense.
- Preventing Data Breaches: Good password security practices can help prevent data breaches. These security breaches can expose personal information, financial data, and other sensitive details that could be used maliciously.
- Identity Theft Mitigation: Identity theft is a significant concern in the digital age. Secure passwords can mitigate identity theft risk, ensuring your personal information remains confidential.
- Secure Online Accounts: Your online accounts, including email, social media, bank accounts, and more, often contain a treasure trove of personal and financial information. Password security ensures that the precise counts remain safe from unauthorized access.
- Avoiding Weak Passwords: Weak passwords, like “qwerty” or “password,” are the most common and easily exploited. Different password security practices help users avoid simple passwords susceptible to brute force and dictionary attacks.
- Preventing Credential Stuffing: Reusing passwords across multiple accounts is risky and exposes you to credential-stuffing attacks. Hackers who obtain your password from one site can use it to access other charges if the password is reused.
- Preventing Social Engineering: Cybercriminals often employ social engineering tactics to manipulate users into revealing their passwords. Strong password security practices help users recognize and avoid such scams.
Password security protects your digital life, privacy, and financial well-being. It is a fundamental component of cybersecurity that helps thwart cybersecurity threats, prevent unauthorized access, and maintain the integrity of your online accounts and personal information.
Password risk management comes in a variety of forms
When you sign on to a computer system, the first line of cybersecurity defense is to authenticate that you are a user who has access to the system. There are three primary means of identification or what computer people call authentication:
- Login information: referred to as “something you know,” like your mother’s maiden name or the name of your high school.
- A login object: also called “something you have,” such as a cellphone that can receive a text code.
- Something of your being, also called “something you are,” like a fingerprint or a retina scan.
Different ways of making authentication more challenging to crack include:
- Two-factor authentication, which uses two of those mentioned above combined.
- Multi-factor authentication uses all three ways of authentication, such as your username and password, combined with a text code sent to your cell phone and your fingerprint.
- Single Sign-On (SSO) coordinates login to multiple applications with a single, strong authentication.
- Centralized authentication, like SSO, requires users who have logged into the first application to re-enter the password even though the credentials are the same.
When determining the best option for your organization, consider the password management risk combined with the level of security you think you need to protect your assets from malware.
Why password management risk mitigation starts with you
As your company matures, you will likely need to use more interconnected applications to remain competitive. From email to cloud storage to Software as a Service (SaaS) providers, your organization links and uses many applications to accomplish daily work. On a typical workday, employees access many applications to complete their jobs.
Develop a strong password policy
It’s essential to ensure employees understand why they need a strong password and can’t just use their phone number or another simple password.
Employees may falsely assume that their password isn’t important since the company’s IT systems are protected by cybersecurity software and a vigilant IT department. Therefore, most likely, the first step in mitigating password security risks is to develop a strong password policy.
- Establish clear password requirements, such as using uppercase and lowercase letters combined with numbers or special characters.
- Crackdown on password sharing and the sharing of user accounts. Let employees know what can happen if your organization falls victim to password cracking and sensitive user information is leaked onto the web.
- Require unique passwords and passphrases for each user.
- Share examples of poor passwords and encourage employees to devise solid and secure passwords.
You don’t have to change the passwords all the time
It was previously assumed that frequent password changing increased password security and was necessary. As information technology has advanced, however, research has determined that frequent changing of passwords doesn’t increase security by much. So yes, corporate logins and email passwords should be changed periodically, but that period can be more extended than previously thought.
Make it easy for employees to remember or retrieve passwords
If you require frequently changed complex passwords, employees will likely write them down and leave them in unsafe places, such as a note on the bottom of the keyboard. (Or they will share their passwords with co-workers.) For everyone’s sanity, it’s best to incorporate a strong password manager software solution and be as patient and supportive as possible. At the same time, employees adopt this extra step in mitigating password security risks.
How SSO helps mitigate password security risk
Single Sign-On creates a single set of login credentials used across multiple applications and platforms. Your employees make one password and use it to access every application they need to do their jobs.
When an employee enters a password for the dominant application, the SSO protocol shares a web token, a piece of data created by your server that combines a key with your identification.
SSO makes your organization more secure by creating a single entry point into your systems, where password authentication takes place.
Think of your IT systems as a medieval castle with gates, doors, and windows where the enemy (the cybercriminal) can enter. SSO is the digital equivalent of creating a moat around your castle, where the only access point is the protected drawbridge.
SSO helps control password security risks because it makes employees more likely to use strong passwords: they only have to remember one. By streamlining employee access and lowering their number of passwords, you are automatically making it easier for them to use a strong password.
How centralized authentication mitigates password management risk
Centralized authentication is often confused with SSO because both perform a similar function. Centralized authentication mitigates password management risk by consolidating login information shared across multiple applications. Unlike SSO, centralized authentication requires constant repetition of credentials.
With centralized authentication, employees have a single username and password that works across multiple applications. This means that similar to SSO, they need to remember only a single password. With centralized authentication, however, they must enter those credentials every time they open a new application.
What security risks come with SSO
As evidenced by the OneLogin breach back in June, SSO comes with some risk: having just one entry point means that if that is compromised, a single hacker can overwhelm your system and cause widespread damage, for instance, by installing ransomware.
Centralized authentication comes with a similar risk. If someone gains access to the set of credentials, the attacker can access all applications linked to that set of identification.
How two-factor authentication mitigates password security risks
Biometric authentication is getting more and more common. Even theme parks like Disney and Six Flags now incorporate a fingerprint using multi-day passes. This fingerprint requirement is an example of multi-factor authentication, or “something you are.”
Two-factor authentication is rapidly becoming a necessary and common safety protocol. It requires a username and password and a piece of additional information tied to either an object or a person.
Biometric authentication takes password management risk mitigation to the next level by requiring information specific to the person, not just something they own. This can involve facial, fingerprint, or voice recognition.
Since you require your employees to provide data genetically unique to each individual, this is the highest level of security you can provide your systems. Despite the sci-fi concept, the reality is that current technology makes this more accessible. Apple’s iPhone and MacBook Pro editions use fingerprints to access the data on the devices. As this technology becomes more prevalent, the cost will decrease.
Microsoft, for instance, is phasing out all password use and switching entirely to biometric authentication within the next five years. Biometric authentication may not be cost-effective for businesses, but it’s likely to become a predominant security technology.
Two-factor authentication aids in mitigating risk by recognizing when an employee’s login credentials are being used in a location or from a computer not generally associated with that employee.
This offers two layers of security:
- There is an additional obstacle your malicious intruder needs to overcome to access your systems.
- Your employee will be aware of an attempt at unauthorized login and can change their password before completing the intrusion.
This is the most efficient and cost-effective way to protect corporate access for most organizations.
Why multi-factor authentication may be the future of password management risk
Multi-factor authentication is the highest level of security an organization can invoke. In multi-factor authentication, employees must have a password, object, and biometric code to log in to their systems.
Protecting your systems from intrusion means creating a program that combines employee awareness with tools to protect yourself. Determining the best way to mitigate password management risk means looking at the technologies available and understanding how they can be used within your organization. The more complex your organizational structure, the more complex your access management needs to be.
To see how you can move beyond password management in protecting your organization from security risks, read our ebook, “Cut Through Compliance Complexity With Consolidated Objectives.”
Maintain password management best practices with ZenGRC
As you secure a competitive spot for your business in our highly interdependent world, many tools can help keep your company competitive while keeping cybersecurity and compliance top priorities.
ZenGRC’s compliance, risk, and workflow management software is an intuitive, easy-to-understand platform that keeps track of your workflow and lets you find areas of high risk before those risks manifest as real threats.
Worry-free compliance management is the Zen way. For more information on how ZenGRC can enable your CMS, contact us for a demo.