15 best password management practices

Nobody likes passwords, but you have to put up with them, because despite all predictions the password is not dead. Attempts to replace it with biometrics such as facial recognition and fingerprints have failed, so many are reverting to the good old (admittedly frustrating) password.

Many experts recommend using at least 8-12 characters drawn from at least three character types, changing passwords regularly, and locking an account after five or fewer failed attempts. But these recommendations are at best incomplete and at worst simply wrong, and anyone who still follows these outdated rules ends up increasing their risk rather than reducing it. What's more, according to Verizon's latest Data Breach Investigations Report (DBIR), nearly 50% of observed data compromises were due to stolen passwords, and a single successful compromise of company data is enough to expose millions of usernames and passwords.

Therefore, companies should understand that, at least for now, a strong password policy is their best line of defense against unauthorized access to critical infrastructure. So what password best practices and rules should they deploy?

15 best password management practices

1. Create a long and complex passphrase. A password is considered strong from eight characters, mixing uppercase and lowercase letters, digits and symbols. In the United States, NIST (National Institute of Standards and Technology) recommends allowing long passphrases of up to 64 characters, including spaces, which are easy to remember but harder to crack.

2. Encrypt passwords. Encryption ensures that passwords remain protected even if cybercriminals steal them. Your best bet is an irreversible (one-way) scheme, so that the stored value cannot be turned back into the original password.
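What "irreversible" protection looks like in practice is a salted, memory-hard password hash that the server can verify but not reverse. The following Python snippet is an added example, not code from the original article or from any product it mentions; it uses the standard library's `hashlib.scrypt`, a constructed record format (`scrypt$N$r$p$salt$key`) and constructed cost parameters, and compares digests in constant time so verification timing does not leak how many bytes matched.

```python
import hashlib
import hmac
import os
from typing import Optional

# Cost parameters (constructed for this example): N=2**14, r=8 needs ~16 MiB,
# which fits under hashlib.scrypt's default memory limit.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
KEY_LEN = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a one-way record for storage.

    A fresh 16-byte random salt per password means two users with the same
    password get different records, defeating precomputed tables.
    The record is self-describing so parameters can be raised later.
    """
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.scrypt(
        password.encode("utf-8"),
        salt=salt,
        n=SCRYPT_N,
        r=SCRYPT_R,
        p=SCRYPT_P,
        dklen=KEY_LEN,
    )
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${key.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the key with the parameters stored in the record and compare.

    hmac.compare_digest runs in constant time, so an attacker cannot learn
    how much of the candidate key matched from the response latency.
    """
    try:
        algo, n, r, p, salt_hex, key_hex = record.split("$")
    except ValueError:
        return False  # malformed record: never accept
    if algo != "scrypt":
        return False
    expected = bytes.fromhex(key_hex)
    candidate = hashlib.scrypt(
        password.encode("utf-8"),
        salt=bytes.fromhex(salt_hex),
        n=int(n),
        r=int(r),
        p=int(p),
        dklen=len(expected),
    )
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed demo: store a record, then check a right and a wrong guess.
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(verify_password("correct horse battery staple", stored))  # True
    print(verify_password("Correct horse battery staple", stored))  # False
```

The stored record never contains the password; recovering it would require guessing candidates and running the same slow derivation for each, which is exactly the cost the memory-hard function is meant to impose on an attacker who steals the database.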

3. Apply two-factor authentication. In addition to the traditional login + password, users must verify their identity by entering a one-time code received on a smartphone or by using a personal USB token.

4. Add extended authentication methods. As part of multi-factor authentication, passwords can be supplemented or replaced by biometric verification: the central system then recognizes employees by their face, fingerprint, voice, iris or pulse.

5. Test password strength. Online password strength testers exist, and a tool offered by Microsoft helps generate passwords that are harder to crack.

6. Avoid dictionary words. Some attackers use programs that can try tens of thousands of dictionary words in multiple languages, so it is best to avoid passwords that contain dictionary words.
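Items 1, 5 and 6 together describe a password policy check: enforce a minimum length while allowing long passphrases, screen out dictionary and well-known passwords even when disguised with common substitutions, and give a rough strength estimate. The Python below is an added example and not the article's or Microsoft's tool; the blocklist is a constructed stand-in for a real breached-password or dictionary list, and the leet-substitution map and the entropy estimate are simple heuristics chosen for this example.

```python
import math
import re
import unicodedata
from typing import List, Set

MIN_LENGTH = 8   # item 1: strong from eight characters
MAX_LENGTH = 64  # item 1: NIST allows passphrases up to 64 characters

# Constructed mini-blocklist; a real deployment would load a breached-password list.
BLOCKLIST: Set[str] = {
    "password", "qwerty", "letmein", "welcome", "admin", "football", "dragon", "monkey",
}

# Common substitutions users apply to a dictionary word to "make it complex".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalized_forms(password: str) -> Set[str]:
    """Variants of the password that a dictionary attack would also try:
    lowercased, leet-decoded, and with leading/trailing digits or symbols removed."""
    low = unicodedata.normalize("NFKC", password).lower()
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", low)
    return {low, low.translate(LEET), stripped, stripped.translate(LEET)}


def is_sequential(password: str) -> bool:
    """True for runs like 'abcdefgh' or '12345678'."""
    s = password.lower()
    return len(s) >= 3 and all(ord(b) - ord(a) == 1 for a, b in zip(s, s[1:]))


def estimate_bits(password: str) -> int:
    """Crude upper bound on entropy: length * log2(size of the character classes used)."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^A-Za-z0-9]", password):
        size += 33  # printable ASCII symbols including space
    return int(len(password) * math.log2(size)) if size else 0


def check_password(password: str, blocklist: Set[str] = BLOCKLIST) -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if len(set(password)) <= 2:
        problems.append("repeated characters")
    if is_sequential(password):
        problems.append("sequential characters")
    if any(form in blocklist for form in normalized_forms(password)):
        problems.append("matches a dictionary or breached-password entry")
    return problems


if __name__ == "__main__":
    # Constructed samples: the "complex-looking" one fails, the long passphrase passes.
    for candidate in ["P@ssw0rd123", "12345678", "correct horse battery staple"]:
        print(candidate, check_password(candidate), estimate_bits(candidate), "bits")
```

The point the example makes is that `P@ssw0rd123` satisfies the old "three character classes" rule and still decodes to a blocklisted word, while a four-word lowercase passphrase with no symbols passes every check and scores far more estimated bits.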

7. Don't use the same password for multiple accounts. This prevents the takeover of other accounts that share the same credentials if one account is compromised.

8. Secure access to your smartphone. Protect your smartphone with a strong passcode and/or face or fingerprint recognition.

9. Avoid regularly changing personal passwords. This practice, widely promoted in recent years, is no longer relevant today: NIST now recommends against mandatory rotation of personal passwords (this does not apply to privileged identities). When forced to rotate, users simply reuse the same passwords or write them down for fear of forgetting them. NIST therefore recommends asking employees to change passwords only when there is a proven risk, threat or compromise.

10. Change passwords whenever an employee leaves. It is not uncommon for a disgruntled ex-employee to turn against the company they had to leave, so it is better to systematically change passwords at every departure.

11. Protect privileged user accounts. Privileged access management (PAM) software exists to protect the passwords of privileged accounts. Unlike personal passwords, privileged credentials must be changed regularly, even after each use when they give access to top-secret information. It is also better to have these credentials injected directly into the session so that the user cannot read them.

12. Log out as much as possible. Always sign out of applications you are no longer using.

13. Don't store passwords. Any time you write a password down or save it somewhere, there is a risk that it will be stolen and used to harm you.

14. Above all, don't neglect security. If a program installed by an attacker is logging what is typed on the keyboard, none of the above will help. To counter such attempts, there are state-of-the-art anti-malware and vulnerability management solutions that prevent and mitigate the breaches through which cybercriminals enter the environment.

15. Use personal or privileged (corporate) password managers. With a password manager, you only need to remember one master password.

Passwords have changed little over time, while password management has come a long way. Weak, easily cracked or stolen passwords remain one of the main vectors for data compromise, so companies have a strong interest in reviewing and improving their password security and password management policies. The best practice is to define strong password security rules and strengthen protection against unauthorized access.
