As the landscape of IT expands, passwords keep multiplying, and more passwords need to be protected. Although passwords remain as one of the most secure methods of authentication available, they are exposed to security threats, especially when mishandled.
Password management is the process of securing and managing passwords the whole time they are utilized through a set of sustainable practices. These set of principles need to be followed by users while storing and managing passwords to secure passwords as much as they can to prevent unauthorized access.
The Common Threats in Password Management
As the number of web services used by users of this digital era increases, the number of cybercrimes has also been increasing exponentially. This is when a centralized password management routine becomes more crucial, as it is the first line of defense for sensitive information.
Some threats to protecting our passwords include:
- Login spoofing. Passwords are illegally collected through a fake login page by cybercriminals. Users are led to a page that looks like the original site or presented with an ordinary-looking login prompt for username and password, which is actually a malicious program.
- Sniffing Attack. Passwords are stolen using a sniffer, which is an application aimed at capturing network packets. This type of illegal network access usually uses tools like key loggers.
- Shoulder Surfing Attack. This is when passwords are stolen when someone types them, usually seen through a micro-camera.
- Brute force attack. Cracking a password by using an automated tool that repeatedly tries password combinations until the correct one is found.
- Data Breach. Stealing login credentials and other sensitive data directly from the website database.
Types of Password Management
Password management can be classified into personal and enterprise. Personal password management is based on an individual and has a set of security practices aimed at protecting a user’s personal information.
Enterprise password management, also known as privileged password management, is a vital part of any organization’s IT security management and is focused on protecting the credentials of corporate accounts. These accounts with different levels of privilege are often stored in a repository with stronger security measures.
The Importance of Updated Password Management Policies
The classic “good” password policy advice has slowly become outdated and incomplete. Users and companies that only follow the policy might be putting their computer security at risk.
In a 2018 study by Verizon through its Data Breach Investigations Report, it reported that 81% of hacking-related data breaches involve either stolen or weak passwords. Businesses must accept that a strong password policy is their best line of defense against unauthorized access.
Most users understand that security risks occur because of easy to guess passwords. By encouraging users to create strong, secure passwords and learning to store and utilize them properly, password security will increase significantly. Here are some modern password security policies and practices that organizations should follow:
Here are some modern password security policies and practices that organizations should follow:
1. Use 2-Factor Authentication of Multi-Factor Authentication
A password is a single factor authentication. By layering on top of it with one or two more levels of authentication (this also depends on the type of account and information the password is protecting) it will serve as additional security controls.
2. Create Long and Complex Passwords
The strength of a password depends on how easily a cybercriminal can hack a password using a brute force or cracking attack. A password should be unique but not guessable. Strong passwords are considered over eight characters and made up of both upper and lowercase letters, numbers, and symbols.
The US National Institute of Standards and Technology (NIST) recommends creating long passphrases that are easy to remember but difficult to crack. A best practice is to generate passwords of up to 64 characters, including spaces.
3. Use a Password Manager
When using a password manager, only one password needs to be remembered. The password manager stores and even create passwords for different accounts, automatically signing you in when you log on.
A password manager helps track how long a password has been used and makes the user know what additional security controls have been applied. It also helps generate complex passwords for all accounts and saves them. This means that whenever a website or app is being used, the user can copy the password from the password managers.
Password managers are designed for users to help them access all their passwords in an encrypted format that is no accessible to hackers or malicious software. They can offer convenience while providing protection and utmost privacy.
4. Apply Password Encryption
Encrypt any critical information and do not trust anyone with passwords. Consider end-to-end encryption that is non-reversible. In this way, passwords are protected in transit over the network.
5. Avoid Periodic Changes of Personal Passwords
NIST advises the public to not use a mandatory policy of password changes for personal passwords. A best practice is to ask employees for password change only in case of potential threat or compromise.
For privileged passwords, regularly rotate the passwords as frequently required, at least between 6 and 9 months. The more sensitive the password, the more frequently it should be rotated.
6. Use a Privileged Password Manager
With privileged password management solutions, an organization can create, share, and automatically change enterprise passwords. User permissions are assigned at every level and passwords can be tracked with full audit reports.
Account management can improve insights into vulnerability assessment, virtual environment security, identity governance and administration, and behavior analytics. By paying attention to an organization’s privileged account security, it will be able to safeguard it from breaches in the most effective way possible.
As the standard for cybersecurity increase and its rules and regulations expand, the process of using outdated password management solutions, especially to privileged accounts, is simply indefensible.
Customers and clients want the best security solutions for their investments, and it starts by making sure that they have a rigid first line of defense. Password management systems will make an organization more secure, and will greatly lower its risk of getting compromised.