End-user guidelines for password security can keep you out of trouble and can even save your reputation and job. Passwords remain a popular security control for authenticating and authorizing access to online resources. But if you do not follow proper end-user guidelines for password security, you are at serious risk.
There are as many strong opinions on password security as there are possible passwords. Different enterprises draw different lines between acceptable and unacceptable behaviors in password security. Users can consider a range of best practices when using password-secured systems.
Passwords are in use everywhere as an authentication and authorization mechanism. Meanwhile, the world of security keeps evolving: what enterprises consider secure today is deprecated and compromised tomorrow. Passwords remain a weak link and a source of a wide range of cybersecurity vulnerabilities.
Today, a growing wave of phishing attacks aims to dupe users and steal their passwords. Password stealers hit individuals when they open malicious documents attached to phishing emails, and such campaigns have affected tens of millions of people. In addition, hackers deploy malicious browser extensions and other malware to harvest login data that grants them access to the many systems and applications a victim uses.
As a result of these attack trends, users and system developers must stay knowledgeable about password security best practices and trends.
Despite heightened awareness of password security, many users continue to reuse passwords and rarely change them. Though 91 percent of end-users profess to understand the risks of using the same access credentials across multiple accounts, an online security survey by Google in partnership with Harris Poll found that password reuse is still a common practice. Fifty-two percent of users reuse the same password for multiple accounts. Only 35 percent use a unique password for every account. Surprisingly, 13 percent of end-users reuse the same password for all their accounts.
Microsoft analyzed a database of three billion publicly leaked credentials to identify users who reused passwords. The assessment revealed that 44 million Microsoft users had reused login data in the first three months of 2019. Once a third-party service suffers a data breach that leaks users’ credentials, it puts every other account protected by the same credentials at risk, even where the individual used a complex password.
Default and easy-to-guess passwords, such as 12345 or admin1234, have resulted in personal and corporate account compromises lately. SplashData’s recent Worst Passwords list, drawn from more than five million stolen passwords, revealed that the top two worst and most popular passwords were “123456” and “Password.” Other usual suspects in the list include “qwerty,” “football,” and “iloveyou.”
The Payment Card Industry Data Security Standard (PCI DSS) encourages end-users to avoid using vendor-supplied defaults for passwords and other security parameters.
Failure to change passwords is a persistent issue in password security. A recent survey found that 53 percent of end-users confess to not having changed their passwords in the past 12 months, even though they were aware of the risks. Six in ten of the respondents polled rarely change their passwords over time. Funnily enough, 15 percent of end-users say they would rather do a household chore, and 11 percent would rather sit in traffic, than change their passwords.
However, NIST recommends that organizations apply the widely adopted practice of mandatory periodic password changes sparingly. The argument against short rotation periods lies in the human tendency to choose predictable sequences or patterns to ease the burden of remembering a new complex password every few weeks. The Payment Card Industry Data Security Standard (PCI DSS) requires that passwords expire every 90 days.
· Using Names of People, Places, Pets
End-users should avoid passwords that reflect the names of people or pets, dates of birth, or addresses. Hackers can research a victim and discover such personal details online, then use them to guess login data. Even slight variations of such names do not provide reliable password security.
Password security neglect creates massive cybersecurity risks and undermines the overall cybersecurity posture for an enterprise or individual.
A secure password should be at least eight characters long and include upper- and lowercase alphabetic characters (A-Z, a-z), numeric characters (0-9), and special characters. NIST Special Publication 800-63B recommends the following: “Memorized secrets SHALL be at least eight characters in length if chosen by the subscriber. All printing ASCII characters, as well as the keyboard space, SHOULD be acceptable in memorized secrets.” NIST also suggests supporting passwords of up to 64 characters in length.
Only 24 percent of end-users use a password manager, despite many admitting they need an efficient method to keep track of their passwords. Organizations and individuals must ensure they have appropriate password management tools to enforce password best practices. End-users must ensure that a password manager uses strong encryption and requires authentication before granting access. A password manager should be protected by a master password and, if possible, two-factor authentication.
According to Microsoft, a multifactor security measure for user accounts blocks 99.9 percent of all attacks. Currently, MFA bypass attempts are so rare that security teams do not have statistics on this type of threat. NIST Special Publication 800-63B recommends using a multifactor authenticator that requires two factors to execute a single authentication event. Some of the MFA solutions that offer an additional protection layer include a combination of two or more of the following factors:
- Something you know – passwords, PIN, code words
- Something you have – keys, smartphones, smart cards, token devices, USB drives
- Something you are – fingerprints, palm scans, voice recognition, retina scans, iris scans, facial recognition
End-users should avoid using a series of words found in a standard dictionary. Instead, end-users should consider using passphrases comprising a sequence of words with numeric and symbolic characters inserted throughout. Passphrases, such as a favorite quote or lyrics with special and numerical characters, are easy to remember for the user, and complex for an attacker to crack. Additionally, the use of blank spaces in the multi-word phrase enhances password security.
The UK’s National Cyber Security Centre (NCSC) recommends using three random but memorable words in a password to reduce the risk of cybercriminals breaching an account. “Using hard-to-guess passwords is a strong first step, and we recommend combining three random but memorable words,” states Ian Levy, NCSC Technical Director. “Be creative and use words memorable to you, so people can’t guess your password.”
A LastPass survey shows that password sharing is rampant, with 95 percent of respondents admitting to sharing an average of six passwords with other people. Typically, users share passwords with their spouse and children; the study found that 76 percent of individuals share their login credentials with their significant other.
End-users seemingly have good reasons for sharing passwords, since it enables multiple individuals to access an account. In some cases, employees leave passwords on sticky notes under keyboards so that co-workers can log into their work accounts in an emergency. Managers, similarly, share their login details so they can delegate tasks to other employees. The LastPass survey found that 61 percent of employees are more likely to share a corporate password than a personal one.
The most frequently shared passwords include Wi-Fi, movie streaming, financial accounts, email and communication, social media, work-related accounts, and utilities. Seventy-three percent of users will in all likelihood not reset their password after sharing it.
Sharing reused passwords increases the threat a single stolen password poses to a business. Avoid sharing passwords with others, including colleagues, friends, and family members. Even well-intentioned password sharing is a substantial security threat to systems and confidential information.
As a rule, end-users should avoid writing down their passwords and storing them in insecure locations. In some instances, it might be acceptable to write a password on a piece of paper to make it available to everyone who is authorized to access a system or device. However, end-users should only take that approach if no outsiders enter the office or home, and even then the note should be hidden. CNET recommends that end-users keep the sheet of paper in a safe place, such as a locked desk drawer or cabinet, and out of sight.
End-users sidestep the task of memorizing multiple account credentials by storing them in browsers that log them in automatically. However, this seemingly safe shortcut introduces vulnerabilities that hackers can exploit. Using automatic logon functionality on sites and applications negates the value of using a password. If a malicious actor gains physical access to a device with automatic logins configured, they can easily compromise the system and access sensitive information.
Although it might seem a good idea to avoid typing individual passwords every time an end-user accesses an account, the action is like unlocking the front door to a house and leaving it wide open.
· Proscribe Password Hints
Sites and online accounts use password hints to help end-users remember their login credentials. However, this measure can undermine password security. Users customarily set clues that make it easy for them, and equally easy for malicious cyber actors, to determine the password. In effect, NIST has ruled out the use of knowledge-based authentication questions, such as “What street did you grow up on?”, whose answers hackers can effortlessly discover online.
· Use a Password Blacklist
Attackers can crack many user-chosen passwords quickly with widely available password cracking tools. Fortunately, end-users can minimize their exposure by checking login credentials against a list of compromised passwords. For instance, the NCSC publishes the top 100,000 most hacked passwords, which users can avoid when signing up on online sites. Third-party password filtering services provide more comprehensive lists comprising billions of previously compromised passwords. Vendors also provide tools that scan Active Directory to find accounts using weak or blacklisted passwords.
You can also monitor your passwords to find out whether hackers have leaked them through a data breach. Mozilla’s Firefox Monitor and Google’s Password Checkup show users which of their email addresses and login details have been compromised in a cyber incident.
Clearly, end-users have still not adopted better password hygiene. Since security experts tie 80 percent of hacking-related breaches to stolen or reused credentials, it is essential to secure passwords. This end-user guideline encourages individuals and enterprises to take password security more seriously to mitigate cyber risks.
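As an added example (not from the original article), the following Python check shows how a registration or password-change screen can enforce the NIST SP 800-63B rules quoted earlier (eight-character minimum, 64-character allowance, all printable characters including space, NFKC normalization) together with the blacklist check described in this section. The blocklist entries and the context words (names of people or pets, as warned against above) are constructed sample data; a real deployment would load a downloaded breach corpus such as the NCSC top-100k list.

```python
import hashlib
import unicodedata

# Constructed sample blocklist standing in for a downloaded breach corpus.
# Stored as SHA-1 hex digests of the casefolded password, the way offline
# breach lists are usually distributed, so the plaintexts never sit in config.
BLOCKLIST = {
    hashlib.sha1(p.encode("utf-8")).hexdigest()
    for p in ("123456", "password", "qwerty", "football", "iloveyou", "admin1234")
}

MIN_LEN, MAX_LEN = 8, 64   # NIST 800-63B: at least 8, and at least 64 must be accepted


def _has_run(s: str, run: int = 4) -> bool:
    """True if s contains `run` consecutive chars that repeat or step by +1/-1
    (e.g. 'aaaa', 'abcd', '4321'), which NIST lists as a reason to reject."""
    codes = [ord(c) for c in s]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def check_password(candidate: str, context_words=()) -> list:
    """Return the reasons a memorized secret is unacceptable; an empty list means it passes."""
    pw = unicodedata.normalize("NFKC", candidate)   # normalize before counting or comparing
    reasons = []
    if len(pw) < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        reasons.append(f"longer than {MAX_LEN} characters")
    if any(not ch.isprintable() for ch in pw):    # space is printable; tabs/controls are not
        reasons.append("contains non-printable characters")
    folded = pw.casefold()
    if hashlib.sha1(folded.encode("utf-8")).hexdigest() in BLOCKLIST:
        reasons.append("appears in the breached/common password list")
    for word in context_words:                      # username, service name, pet name, ...
        if len(word) >= 4 and word.casefold() in folded:
            reasons.append(f"contains context-specific word '{word}'")
    if _has_run(pw):
        reasons.append("contains a repeated or sequential run of characters")
    return reasons


if __name__ == "__main__":
    for pw in ("Password", "correct horse battery staple", "Fluffy2019!"):
        print(repr(pw), "->", check_password(pw, context_words=["Fluffy"]) or "OK")
```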
I am a cyber security professional with a passion for delivering proactive strategies for day-to-day operational challenges. I am excited to be working with leading cyber security teams and professionals on projects that involve machine learning & AI solutions to solve the cyberspace menace and cut through the inefficiencies that plague today’s business environments.