Passwords are your first and most basic form of threat defense. They might not be the only way to protect data but are one important factor in layered cybersecurity. Passwords are also a primary target for an attacker. Stolen passwords can be used in several attack strategies, so they should be stored and created using strategies that make them harder to crack, bypass, or steal.
With legitimate credentials to a network, an attacker could remain on a business environment for months undetected. It’s more difficult for intrusion detection systems to identify an attacker after credential theft because authentication is completed using legitimate usernames and passwords. To protect from a data breach involving passwords, your organization should follow some basic best practices.
Create Complex Passwords
When users create a password, they must take two factors into account: complexity and length. The reason for this rule is that longer and more complex passwords take too much time to crack. Simple math can explain the reason behind the necessity for complex long passwords and why they take longer to crack.
Let’s say that you allow users to create passwords using only lowercase letters and numbers. Users prefer short, memorable passwords for convenience. You can determine the number of possibilities using simple math and calculate the time to crack the password. First, we need to know the total number of possible values for each password character. The English language has 26 characters, and we use a base 10 number system (i.e., 0-9). Because every password value could be a lowercase letter or one of 10 numbers, the user’s password has a total of 36 possibilities for each character.
A user decides to make a five-character password using lowercase letters and numbers, so we can determine the number of possible permutations of a five-character password with 36 possibilities (26 letters and 10 numbers) for a single character using the calculation 365. The total number of password value possibilities is 60,466,176. This might seem like a large number, but it requires very little time for a computer. For a five character password with one number and all lowercase letters, it takes approximately 10 seconds for a computer to iterate through all possible combinations.
As you add more possibilities including uppercase letters, special characters, and a longer password length to a password, you increase the time it takes for a computer to crack it. For example, the password ekdy4U*dnsiS* would take a modern computer about 31 years to crack, so it’s improbably “guessable” for an attacker. Notice that this cryptographically secure password has two uppercase letters and two special characters. These extra values create randomness, or what is referred to as “entropy” in password cracking. More entropy increases the time necessary to crack a password by brute force.
Most applications lock user accounts after too many failed attempts to authenticate, so brute-force attacks are improbable. However, stolen password hashes let attackers run cracking tools locally for as much time as necessary. Stolen passwords could let an attacker spend enough time to crack some passwords, so it’s important for application developers to follow best practices when storing passwords and employ a hashing algorithm that is invulnerable to collisions.
Unique Passwords Across All Applications
Your business system might have the best cybersecurity infrastructure, but users with the same passwords across multiple applications add tremendous risk. Other websites might store passwords in plaintext or poorly secure them. Hashing is common with password storage, but they must be salted with a unique value. A salt is a unique value added to a password before hashing it. The added salt increases the entropy of a password. The more entropy, the harder to crack the password.
Let’s say that a user signs up on a site with poor password storage practices. A SQL injection vulnerability gives a hacker full access to the database, and the hacker downloads a table with password values and their associated usernames. The site uses email addresses for usernames, and some users sign up to sites with their work email address. With passwords and email addresses, an attacker can now attempt to authenticate into your business application with a list of email accounts and passwords.
Administrators can stop this attack by requiring users to have unique strong passwords for the business application. It’s unlikely that a cryptographically strong password can be cracked, but some poorly secure site applications store passwords in plaintext. This habit invalidates the security of a password on your application, so users should be encouraged to use a unique password on all applications to avoid a compromise of their business accounts.
Passphrases Over Passwords
Users create poor passwords because complex ones are difficult to remember. A better option is to use a password with several phrases crafted with special characters and numbers. For example, mydog349 is cryptographically insecure, but the password PurpleDog$Jumping@Over#Stars! is complex but easier to remember. The special characters are necessary for entropy, but users can replace their own choice of letters with special characters to keep the same memorable phrases.
Length of the password still matters, so users can choose a handful of words that they can remember. Another option is to generate random characters and use a password vault, which is covered later in this article. Best practices for password length depend on the application and the sensitivity of data stored, but most professionals suggest at least 10-12 characters.
Enable Two-Factor Authentication
Even with the best cybersecurity, humans are your weakest link. Phishing is incredibly effective for cyber-criminals, so it’s one of the primary attack strategies to install malware on a local network or steal credentials from privileged users. The most cryptographically secure password is rendered ineffective if users fall for phishing attacks.
To combat the consequences of phishing, two-factor authentication (2FA) adds a layer of security to stop data breaches after a user discloses their credentials to a third party. The third party could attempt to authenticate into an application using stolen credentials, but the attacker would need the secondary PIN. Users should still change their password after disclosing a password, but the immediate effects of stolen credentials would be neutralized.
Note that some cyber-criminals have improved their strategies and now use social engineering to trick users into divulging their 2FA PIN or accepting a 2FA push notification confirmation. Some attackers call users to trick them into divulging their PIN, but others perform a strategy called “multi-factor authentication fatigue,” which happens when users receive too many push notification confirmations and eventually accept the requests. Two-factor infrastructure using push notification is convenient, but some users simply click a button to confirm authentication without hesitation. Cyber-criminals will send multiple requests or use social engineering to convince users to click the 2FA confirmation button even when it isn’t actually them authenticating into an application, effectively bypassing 2FA protections.
Any 2FA infrastructure should warn users not to divulge their PIN or never click a 2FA confirmation button unless it’s during their own authentication request. 2FA using text messages should include an alert warning users never to divulge their PIN. Employee security awareness training should also include information about multi-factor fatigue and social engineering to bypass 2FA.
Regular Password Updates
Policies forcing users to change their passwords every 30, 60, or 90 days reduces the window of opportunity for an attacker to use stolen credentials. Attackers only need one successful phishing email to steal user credentials, and they can perform lateral moves across the network to elevate privileges. In the event of failures from monitoring services and 2FA, forcing users to change their passwords regularly minimizes the damage from credential theft.
Let’s say a user falls for a phishing email and divulges their credentials. Advanced persistent threats can remain undetected for months, but an attacker would only have a limited time to remain in the environment before the user must change their password again. Note that most sophisticated cyber-criminals install malware or create backdoors to bypass the need for user credentials, so this strategy limits damage but does not completely eliminate it.
Phishing Security and Awareness Training
With humans being the weakest link in an organization, email is the best attack vector. Email-based threats are the start of many of today’s largest data breaches, and it only takes one high-privileged user to install ransomware, trojans, rootkits and other malware on a local machine or on the network. These threats are the most dangerous for an organization and data protection.
Organizations should layer their security, and two strategies to stop phishing are incorporating email filtering solutions and training employees to recognize phishing messages. In addition to phishing identification, employees should be trained to identify social engineering, which is often used in conjunction with phishing.
Email filters identify phishing and use artificial intelligence to detect malicious messages and attachments. The filtering system quarantines flagged messages for future review instead of leaving detection to users. Email cybersecurity eliminates the human factor that cyber-criminals depend on for their attacks. Web content filters are also useful to block links to malicious domains if email security returns a false negative.
Security awareness training is a secondary layer of phishing protection. Users receive training to identify common phishing attacks and understand the repercussions should they fall for these attacks. Training is a failsafe in case email filters do not successfully block phishing messages and malicious attachments. It should never be the sole strategy.
Use a Password Manager
Users should create complex lengthy passwords, and passwords must be unique for every account. Everyone within the organization could conceivably have several passwords, so they can easily be forgotten when passwords contain random phrases and special characters. As a result, users might use insecure means to save their passwords like writing them down where others can see passwords or storing them in a text file on their local machine, leaving them open to theft if the machine is compromised.
Password managers can be installed on smartphones and other mobile devices, and users can install them on their desktop browser for convenience. Choose a password manager that centralizes vaults so that users can share their passwords in a safe way and accounts can be deactivated when users are no longer employed with the organization.
Secure Your Wi-Fi Network
If your business offers free Wi-Fi to visitors, it should be segmented from the main network. Never connect guest Wi-Fi networks to the internal network, and employees should never connect their workstations or mobile devices to the business guest network. Should an attacker connect to Wi-Fi with access to the internal network, it’s possible to access sensitive data as an authenticated user. Traffic from a guest Wi-Fi network should be blocked by firewalls, which is required for some regulatory standards such as HIPAA. As an added layer of security, businesses should use web content filters to block access to malicious sites.
Most businesses have an internal Wi-Fi network as well, and this network should be protected using strong passwords with the latest connection security. In 2018, WPA3 was introduced and WPA2 deprecated. The challenge is that older devices might not support WPA3, so organizations are forced to enable WPA2 connection security. Use the WPA3 Wi-Fi connection standard when possible and only use older standards if necessary.
WPA3 has protection from brute-force password attacks, but organizations should always use strong passwords for Wi-Fi connectivity. Strong passwords interfere with brute-force dictionary attacks and make it difficult to crack the Wi-Fi password and gain access to the account.
Lock Devices When Not Attended
Smartphones, tablets, and workstations should all be locked when employees are not using them. To unlock devices, users should need a passcode or enter a password on their desktop. Network administrators can force desktops to lock when it experiences no keyboard or mouse activity, but mobile devices are a bit more difficult. Corporations can require users to set passcodes to their mobile devices in their BYOD (bring your own device) policies.
Desktops should be locked after inactivity even though they are located in the business office. When devices aren’t locked during inactivity, visitors in the office could see sensitive information on the monitor, and insider threats could use the unlocked desktop for nefarious purposes. Insider threats with access to an unlocked desktop could send emails or steal data under the authenticated user, hiding their identity from monitoring systems. High-privileged users are especially dangerous targets since they have access to sensitive data on the network.
Mobile devices should also have locking mechanisms when no activity is detected. Stolen mobile devices are vulnerable to data theft, but locked phones with encrypted storage are protected from this. All major operating systems allow administrators to set local drive encryption to protect files from data theft after a device is lost or stolen. Administrators can also consider remote wiping applications to delete data from a stolen or lost device.
Passwords Are Your First Defense But Not Your Only Defense
Following password best practices is critical to your corporate cybersecurity, but it’s not your only defense. Other layers of security are still necessary including risk management, monitoring, intrusion detection and prevention, identity management, data access controls, and other infrastructure. Although password policies aren’t your only defense, they are your first defense against attackers and stop some low-level attacks on your environment.
