Love them or hate them, passwords have become part of everyday life — from logging into email accounts to signing up for classes, accessing corporate accounts for work, and much more. We all know strong passwords are an important part of cybersecurity, and that we should use passwords that are auto-generated or complex.
Many of us, however, fail at the task. CSO online generated a Password Hall of Shame for 2020, and (yet again) the most common passwords were “12345”, “password”, and “11111”. Not exactly difficult for cybercriminals to crack.
Phishing attacks, ransomware holdups, and brute force attacks on corporate IT systems are on the rise, so now may be a good time to review how you manage employee passwords and whether it’s time to switch to Single Sign-On (SSO). Let’s take a look at how you can help protect your sensitive information and proprietary data with a better password management policy.
Password risk management comes in a variety of forms.
When you sign on to a computer system, the first line of cybersecurity defense is to authenticate that you are a user who has access to the system. There are three main categories of identification, or what computer people call authentication:
- Login information: referred to as “something you know,” like your mother’s maiden name or the name of your high school.
- A login object: also called “something you have,” such as a cellphone that can receive a text code.
- Something of your own being: also called “something you are,” like a fingerprint or a retina scan.
Different ways of making authentication more difficult to crack include:
- Two-factor authentication, which combines two of the factors listed above.
- Multi-factor authentication, which uses all three forms of authentication, such as your user name and password combined with a text code sent to your cell phone and your fingerprint.
- Single sign-on (SSO), which coordinates login to multiple applications with a single, strong authentication.
- Centralized authentication, which is a lot like SSO, but requires a user who has logged into the first application to re-enter the password even though the credentials are the same.
When trying to determine the best option for your organization, consider the password management risk combined with the level of security you think you need to protect your assets from malware.
Why password management risk mitigation starts with you
As your company matures, you will likely need to use more interconnected applications to continue to be competitive. From email to cloud storage to Software as a Service (SaaS) providers, your organization is linking and using a lot of different applications just to accomplish daily work. On a normal workday, employees are accessing many applications to get their jobs done. Each application is a potential risk to your business’ cybersecurity, especially if employees are using weak passwords or overly common passwords.
Develop a strong password policy
It’s important to make sure employees understand why they need a strong password, and can’t just use their phone number or another simple password.
Employees may falsely assume that since the company’s IT systems are protected by cybersecurity software and a vigilant IT department, their own personal password isn’t important. Therefore, most likely, the first step in mitigating password security risks is to develop a strong password policy.
- Establish clear password requirements, such as the use of uppercase and lowercase letters combined with numbers or special characters.
- Crack down on password sharing and the sharing of user accounts. Let employees know what can happen if your organization falls victim to password cracking and sensitive user information is leaked onto the web.
- Require unique passwords and passphrases for each user.
- Share examples of poor passwords and encourage employees to devise strong, secure passwords.
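The four policy points above can be enforced at the moment a password is set. The following is an added example, not code from the original post or from ZenGRC: it checks the character-class rules, rejects the "Hall of Shame" passwords quoted earlier (a constructed denylist), refuses a password built from the user's phone number, and detects a password already in use by another account by comparing salted scrypt hashes. All names and the sample store are assumptions.

```python
from __future__ import annotations
import hashlib
import hmac
import os

# Constructed denylist seeded with the common passwords quoted above;
# a production check would load a full breached-password list instead.
COMMON_PASSWORDS = {"12345", "password", "11111", "123456", "qwerty"}

def check_policy(password: str, user_phone: str = "") -> list[str]:
    """Return the policy rules a candidate password violates (empty = accepted)."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() or not c.isalnum() for c in password):
        problems.append("no digit or special character")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password denylist")
    phone_digits = "".join(c for c in user_phone if c.isdigit())
    if phone_digits and phone_digits in password:
        problems.append("contains the user's phone number")
    return problems

def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted scrypt hash; work factor lowered so the example runs quickly."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**12, r=8, p=1)
    return salt, digest

def is_shared_password(password: str, store: dict[str, tuple[bytes, bytes]]) -> bool:
    """True if any account already in `store` uses this password (per-user uniqueness)."""
    for salt, digest in store.values():
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            return True
    return False

# Constructed user store: {username: (salt, scrypt digest)}
STORE = {"alice": hash_password("Correct-Horse-Battery-9")}

if __name__ == "__main__":
    print(check_policy("password"))
    print(check_policy("Tr0ub4dor&3-extra"))
    print(is_shared_password("Correct-Horse-Battery-9", STORE))
```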
You don’t have to change the passwords all the time
It was previously assumed that frequent password changing increased password security and was an important security measure. As information technology has advanced, however, research has determined that frequent changing of passwords doesn’t increase security by much. So yes, corporate logins and email passwords should be changed periodically, but that period can be longer in duration than previously thought.
Make it easy for employees to remember or retrieve passwords
If you require frequently changed complex passwords, it’s very likely employees will write them down and leave them in places that are not safe, such as a note on the bottom of the keyboard. (Or maybe they will share their own passwords with co-workers.) For the sake of everyone’s sanity, it’s best to incorporate a strong password manager software solution and be as patient and supportive as possible while employees are adopting this extra step in mitigating password security risks.
How SSO helps mitigate password security risk
Single Sign-On creates a single set of login credentials that are used across multiple applications and platforms. Basically, your employees come up with one password and use that to access every application they need to do their jobs.
When an employee enters a password for the primary application, the SSO protocol shares a web token, a piece of data created by your server that combines a key with the employee's identification. That token grants access to every application the employee needs to do his or her job. It's sort of like a bundle of code that combines your house key with your driver's license, where you need both to get into your house.
SSO makes your organization more secure by creating a single point of entry into your systems, a single place where password authentication takes place.
Think of your IT systems as a medieval castle with gates and doors and windows where the enemy (the cybercriminal) can enter. SSO is the digital equivalent of creating a moat around your castle, where the only access point is the protected drawbridge.
SSO helps control password security risks because it makes it more likely that employees will use strong passwords: they only have to remember one. By streamlining employee access and lowering their number of passwords, you are automatically making it easier for them to use a strong password.
How centralized authentication mitigates password management risk
Centralized authentication is often confused with SSO because both perform a similar function. Centralized authentication mitigates password management risk by consolidating login information shared across multiple applications. Unlike SSO, centralized authentication requires constant repetition of credentials.
With centralized authentication, employees have a single username and password that works across multiple applications. This means that, similar to SSO, they need to remember only a single password. With centralized authentication, however, they need to enter those credentials every time they open a new application.
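The difference between the two models comes down to how many times the password travels. This added example (not code from the original post or from ZenGRC) models both flows in miniature: the SSO server checks the password once and issues an HMAC-signed token binding the user's identity to the server key, and each application validates that token instead of re-prompting; the centralized flow shares one credential store but re-sends the password for every application. The user store, key, application list and function names are all constructed assumptions, and token validation is done server-side for brevity where real deployments usually verify a public-key signature locally.

```python
from __future__ import annotations
import base64, hashlib, hmac, json, time

# Constructed credential store used by the central server: {user: password}.
# A real store holds salted hashes; plain strings keep the example short.
USERS = {"alice": "Correct-Horse-Battery-9"}
SERVER_KEY = b"constructed-signing-key"   # assumption: never leaves the SSO server
APPS = ["email", "cloud-storage", "crm"]

def verify_password(user: str, password: str) -> bool:
    return hmac.compare_digest(USERS.get(user, ""), password)

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()

def issue_token(user: str, password: str, ttl: int = 300) -> str | None:
    """SSO server: check the password once, then hand back a signed token
    that binds the user's identity to the server's key (the 'web token')."""
    if not verify_password(user, password):
        return None
    payload = json.dumps({"sub": user, "aud": APPS, "exp": int(time.time()) + ttl}).encode()
    return b64(payload) + "." + b64(hmac.new(SERVER_KEY, payload, hashlib.sha256).digest())

def validate_token(app: str, token: str) -> bool:
    """What an application asks the SSO server instead of asking for a password:
    signature, expiry and intended audience must all hold."""
    try:
        payload, sig = (base64.urlsafe_b64decode(part) for part in token.split("."))
    except (ValueError, TypeError):
        return False
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False
    claims = json.loads(payload)
    return claims["exp"] > time.time() and app in claims["aud"]

def open_apps_with_sso(user: str, password: str) -> tuple[int, int]:
    """SSO flow: returns (password prompts, applications opened)."""
    token = issue_token(user, password)
    opened = sum(validate_token(app, token) for app in APPS) if token else 0
    return 1, opened

def open_apps_centralized(user: str, password: str) -> tuple[int, int]:
    """Centralized authentication: one credential, but every application
    re-sends it to the central store when it is opened."""
    opened = sum(verify_password(user, password) for _ in APPS)
    return len(APPS), opened
```

Opening three applications costs one password prompt under SSO and three under centralized authentication, while a forged, expired or wrong-audience token is rejected by every application.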
What security risks come with SSO
As evidenced by the OneLogin breach back in June, SSO comes with some risk: having just one entry point means that if it is compromised, a single hacker can overwhelm your system and cause widespread damage, for instance by installing ransomware.
Centralized authentication comes with a similar risk. If someone gains access to the set of credentials, the attacker can access all applications linked to that set of identification.
How two-factor authentication mitigates password security risks
Biometric authentication is getting more and more common. Even theme parks like Disney and Six Flags now incorporate a fingerprint with the use of multi-day passes. This fingerprint requirement is an example of multi-factor authentication, or “something you are.”
Two-factor authentication is rapidly becoming a necessary and common safety protocol. It requires a username and password, plus a piece of additional information tied either to an object the user has or to the user's person.
Biometric authentication takes password management risk mitigation to the next level by requiring the use of information specific to the individual person, not just to something he or she owns. This can involve facial, fingerprint, or voice recognition.
Since you are requiring your employees to provide data that is genetically unique to each individual, this is the highest level of security you can provide your systems. Despite the sci-fi concept, the reality is that current technology makes this more accessible. Apple’s iPhone and MacBook Pro editions use fingerprints to gain access to the data on the devices. As this kind of technology becomes more prevalent, the cost will go down.
Microsoft, for instance, is phasing out all password use and switching completely to biometric authentication within the next five years. Biometric authentication may not be cost-effective for businesses at present, but it’s likely to become a predominant security technology in the future.
Two-factor authentication aids in mitigating risk by recognizing when an employee’s login credentials are being used in a location or from a computer not normally associated with that employee.
This offers two layers of security:
- There is an additional obstacle your malicious intruder needs to overcome to access your systems.
- Your employee will be aware of an attempt at unauthorized login and can change his or her password prior to the completion of the intrusion.
For most organizations, this is the most efficient and cost-effective way to protect your corporate access.
Why multi-factor authentication may be the future of password management risk
Multi-factor authentication is the highest level of security an organization can invoke. In multi-factor authentication, an employee needs to have a password, an object, and a biometric code to log in to your systems.
Protecting your systems from intrusion means creating a program that combines employee awareness with tools to protect yourselves. Determining the best way to mitigate password management risk means looking at the technologies available and understanding the ways in which they can be used within your organization. The more complex your organizational structure, the more complex your access management needs to be.
To see how you can move beyond password management in protecting your organization from security risks, read our ebook, “Cut Through Compliance Complexity With Consolidated Objectives.”
Cybersecurity and compliance management tools
As you secure a competitive spot for your business in our highly interdependent world, many tools can help your business stay competitive while keeping cybersecurity and compliance top priorities.
ZenGRC’s compliance, risk, and workflow management software is an intuitive, easy-to-understand platform that not only keeps track of your workflow, but also lets you find areas of high risk before those risks manifest as real threats.
Worry-free compliance management is the Zen way. For more information on how ZenGRC can enable your CMS, contact us for a demo.