Identity Management Best Practices: Addressing Password Policy Misconceptions


Passwords are widely recognized as one of the weakest links in an organization’s security. In fact, 81 percent of hacking-related data breaches last year were the result of weak, default, or stolen passwords, according to Verizon’s 2017 Data Breach Investigations Report.

In spite of this statistic, many companies are still using outdated and just plain bad password policies that actually leave them more vulnerable to attacks. In this blog post, we will explore how these policies put you at risk and what steps you can take to better protect yourself.

Common Password Misconceptions, Revealed

More Complicated Passwords Aren’t Always More Secure

One prevalent misconception is that passwords with mixed cases, numbers, and special characters are always going to be more secure than passwords without those features.

While it’s true that all-lowercase passwords are less secure—a large botnet can crack them in as little as 1.8 seconds—not all complex passwords are created equal. For example, substituting numbers or symbols for letters within words (such as 4Ex@mp1e) doesn’t make your password stronger. Password-cracking tools already include such substitutions in their wordlists.

Moreover, if a password is mixed-case and contains letters and numbers, it still won’t do you much good if that combination isn’t random. Hackers are well aware of common keyboard patterns. In fact, the password “zaq1zaq1” made SplashData’s list of worst passwords in 2016 because the letters and numbers follow an easily recognizable pattern.

Frequent Password Changes Weaken Security

Another popular tactic is to mandate frequent password changes. Unfortunately, this often leads to end-users creating workarounds that cripple security, such as choosing weak passwords, reusing passwords, or transforming them in ways that are highly predictable to hackers. For instance, Cowboysfan#1 becomes cOwboy$sfan#21, then coWboysf@n#E1, and so on. This makes it easy for hackers to utilize social engineering techniques to learn users’ passwords, then hack into the system.

A study carried out by UNC supports this theory: Accounts were subject to mandatory password changes every three months, and it was found that 41 percent of the passwords could be broken offline in a matter of seconds by referencing previous passwords for the same accounts.

Password Policies That Are Too Strict or Complex Actually Decrease Usability AND Security

You might think that implementing very strict password policies or demanding complex passwords will increase security, but that simply isn’t the case—such policies actually decrease security and usability.

Even the federal government has come to this conclusion: The latest NIST guidelines represent a drastic departure from previous password standards. They no longer require long, complex passwords, routine password changes, or password hints.
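As an added example (not code from the original post), here is a password-acceptance check in the spirit of the NIST approach described above: instead of composition rules and forced rotation, it enforces a minimum length, screens against a blocklist of common passwords after undoing the substitutions attackers already expect (so 4Ex@mp1e is treated as “example”), flags repeated units and keyboard walks like zaq1zaq1, and rejects a new password that is merely a predictable tweak of the previous one (Cowboysfan#1 to cOwboy$sfan#21). The blocklist and keyboard-walk list are small constructed samples; a real deployment would use a large breached-password corpus.

```python
import re
from difflib import SequenceMatcher

MIN_LENGTH = 8          # NIST SP 800-63B minimum for user-chosen passwords
SIMILARITY_LIMIT = 0.8  # above this, the new password is a predictable tweak of the old one

# Constructed sample blocklist; production use needs a large breached/common-password corpus.
COMMON_PASSWORDS = {"password", "example", "letmein", "cowboysfan", "qwerty123"}

# Constructed sample of short keyboard walks and sequences; any one inside a password is a red flag.
KEYBOARD_WALKS = ("qwerty", "asdfgh", "zxcvbn", "zaq1", "xsw2", "cde3", "1234", "abcd")

# Reverse the leet substitutions that cracking rule sets already try (4Ex@mp1e -> example).
LEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "l", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(password: str) -> str:
    """Strip leading/trailing decoration (digits, symbols), lowercase, and undo leet substitutions."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)
    return core.lower().translate(LEET)


def has_repetition(password: str) -> bool:
    """True when the password is one short unit repeated (zaq1zaq1) or contains a keyboard walk."""
    lowered = password.lower()
    for size in range(1, len(lowered) // 2 + 1):
        if len(lowered) % size == 0 and lowered == lowered[:size] * (len(lowered) // size):
            return True
    return any(walk in lowered for walk in KEYBOARD_WALKS)


def check_password(candidate: str, previous: str = "") -> list:
    """Return the reasons a candidate fails; an empty list means it is accepted."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append("shorter than minimum length")
    core = normalize(candidate)
    if core in COMMON_PASSWORDS:
        reasons.append("matches a common or breached password")
    if has_repetition(candidate):
        reasons.append("repetitive or keyboard-pattern characters")
    if previous:
        # Compare normalized forms so case flips and symbol swaps do not hide the reuse.
        ratio = SequenceMatcher(None, core, normalize(previous)).ratio()
        if ratio > SIMILARITY_LIMIT:
            reasons.append("too similar to the previous password")
    return reasons
```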

While lengthy passwords are more difficult for hackers to crack, they’re also more challenging for users to remember—after all, the average user accesses 40 accounts. As a result, users are more likely to take shortcuts, such as writing down their passwords or storing them in unencrypted spreadsheets.

In addition, enforcing strict and complex password policies forces employees to spend longer accessing the systems they need to do their jobs or to turn more frequently to the IT department for help, which wastes everyone’s time.

Even the Best Password Policies Aren’t Enough on Their Own

If you absolutely insist on using passwords, make sure you’ve put good policies into place that don’t fall into any of the misconceptions outlined above. But be aware that even the best passwords will not protect your organization against today’s threats. In fact, the most successful attacks simply trick users into giving up their passwords. In 2016 alone, over 3 billion credentials were stolen.

Most attackers these days don’t bother with brute-force methods, and why should they? There are other equally effective approaches, such as keylogging, phishing, ransomware, or other social engineering tactics.

Phishing attacks are particularly effective—Verizon’s 2017 DBIR shows that 43 percent of data breaches stem from this type of attack. You need to protect your organization from those threats, as well.

Enhance Your Security with Multi-Factor Authentication

Multi-factor authentication (MFA) keeps your company safe from unauthorized access due to stolen credentials. It adds a second or third verification method in addition to passwords, rendering attacks harmless. Even better, MFA can replace passwords altogether.

There are a number of benefits to implementing MFA. Today’s MFA options are flexible: You can tailor authentication methods based on risk level using risk-based authentication. This enables your organization to increase security without negatively affecting usability.

Here are just a few of the benefits of MFA:

  • When used as a password replacement, MFA does away with countless password resets, saving time and effort for your IT department.
  • You can leverage existing security investments, such as ID cards, so MFA becomes a smart choice for your firm.
  • MFA helps you comply with regulations, such as SOX and PCI-DSS.

Bad password policies and practices weaken your organization’s security and leave you vulnerable to hackers. The reality is that if you’re going to continue using passwords to combat today’s threats, you need to have good password policies in combination with flexible, multi-factor authentication.
