Widely recognized as one of the weakest links in any security posture, passwords continue to be the primary focus of cyberattacks and these attacks are on the rise. For example, phishing attacks jumped 220% during the pandemic, and credential stuffing attacks hit 34% of organizations last year. On top of that, between 2019 and 2021, account takeover (ATO) attacks increased by more than 300%.
Cybercriminals like passwords because they are easier to attack than most other controls. Attackers don’t have to break through firewalls or find software vulnerabilities to gain entry and install malware: password-cracking toolkits are readily and cheaply available, so they can run brute-force, dictionary or credential-stuffing attacks from the comfort of an armchair. A full account takeover also delivers easily monetizable data such as personally identifiable information (PII) or payment details.
Password Security Best Practices
For organizations that rely on passwords, there are a number of password security best practices that can be deployed both in personal and professional settings. Here, we’ll take a look at the most effective of these password security best practices, which can at least reduce the possibility of a password being compromised.
1. Use Longer Passwords
As this research from Hive Security shows, password length is the main driver of how long a brute-force attack on a hashed password takes. The processing power available to the attacker and the cost of the hashing algorithm matter (a GPU rig tests unsalted MD5 or SHA-1 candidates orders of magnitude faster than bcrypt or Argon2 ones), but one constant remains: every character added multiplies the number of candidates an attacker must try, so cracking time grows exponentially with length. The password guidelines from the National Institute of Standards and Technology (NIST SP 800-63B) require user-chosen passwords to be at least 8 characters long and require that systems accept passwords of at least 64 characters, so that long passphrases are possible. The caveat is that length only helps against exhaustive search: a long passphrase that already appears in a leaked list is found on the first pass through that list.
2. Don’t Focus On Password Complexity
Along with password length, you often hear recommendations to require complex passwords (special characters, capitalization and digits) to make brute forcing harder. In theory, mixing upper and lower case, digits and symbols enlarges the character set an attacker has to search. In practice, the NIST guidelines say not to impose composition rules, because passwords produced under them are more predictable, not less. Users comply minimally, capitalizing the first letter, swapping “a” for “@” or appending a “1” or “!”, and rule-based cracking tools apply exactly these transformations to every word in a dictionary. Length does more than complexity: twelve random lowercase letters (26^12 candidates) outnumber eight characters drawn from the full printable set (95^8). Moreover, the harder a password is to remember, the more likely users are to reuse it across accounts.
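To make the length-versus-complexity argument concrete, here is a short Python script added as a worked example for this article; it is not code from the original page or from HYPR. It assumes a hypothetical unsalted SHA-256 password hash and an attacker rate of 10^10 guesses per second, uses a constructed six-word wordlist in place of a real leaked list, and applies a handful of the mangling rules (capitalization, leetspeak, common suffixes) that cracking tools such as hashcat ship by default.

```python
import hashlib
import math

# Constructed stand-in for a leaked-password wordlist (real lists hold millions).
WORDLIST = ["password", "summer", "welcome", "dragon", "letmein", "monkey"]

# Affixes and substitutions that composition rules push users toward.
SUFFIXES = ["1", "!", "1!", "!1", "123", "2023", "2024", "2023!", "2024!"]
LEET = str.maketrans("aeo", "@30")


def brute_force_seconds(length, alphabet_size, guesses_per_second):
    """Worst-case time to exhaust every string of the given length and alphabet."""
    return alphabet_size ** length / guesses_per_second


def entropy_bits(length, alphabet_size):
    """Bits of entropy for a uniformly random password of this shape."""
    return length * math.log2(alphabet_size)


def mangle(word):
    """Yield the predictable variants a minimally compliant user produces."""
    bases = {word, word.capitalize(), word.upper()}
    bases |= {b.translate(LEET) for b in list(bases)}
    for base in sorted(bases):
        yield base
        for suffix in SUFFIXES:
            yield base + suffix
            yield suffix + base


def sha256_hex(password):
    # Assumed fast, unsalted hash; a slow KDF would cut the guess rate by orders of magnitude.
    return hashlib.sha256(password.encode()).hexdigest()


def crack(target_hash, wordlist=WORDLIST):
    """Rule-based dictionary attack. Returns (password, guesses) or (None, guesses)."""
    guesses = 0
    for word in wordlist:
        for candidate in mangle(word):
            guesses += 1
            if sha256_hex(candidate) == target_hash:
                return candidate, guesses
    return None, guesses


if __name__ == "__main__":
    rate = 1e10  # assumed GPU guess rate against an unsalted SHA-256
    print("8 chars, 95-symbol set:", brute_force_seconds(8, 95, rate), "s")
    print("12 chars, lowercase only:", brute_force_seconds(12, 26, rate), "s")
    for pw in ("Summer2024!", "P@ssw0rd1", "correct horse battery staple"):
        print(pw, "->", crack(sha256_hex(pw)))
```

The two "complex" passwords fall in a few hundred guesses because they are dictionary words with the standard mangles applied, while the lowercase passphrase survives the whole rule set; the brute-force figures show why a longer password from a smaller alphabet still has the larger search space.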
3. Use Unique Passwords for Each Account
Which brings us to the next password security best practice, although one that organizations find hard to enforce. Attackers have access to over 15 billion stolen credentials for sale on various forums, and every new data breach adds more username and password pairs. A 2021 survey revealed that 65% of people reuse passwords across accounts, so a breach at one site puts every other account using that password in danger; this is exactly what credential-stuffing tools automate. Even a 64-character password with numbers, letters and symbols is useless if it is already in an attacker’s hands. For the same reason, NIST recommends that verifiers check new passwords against lists of known-compromised values and reject any match.
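A compromised-password check does not require sending the password, or even its full hash, to a third party. The following Python script is an added example written for this article, not code from the original page or from HYPR. It models the k-anonymity range query popularized by the Have I Been Pwned Pwned Passwords API: the client sends only the first five hex characters of the SHA-1 of the password, the server returns every known hash suffix under that prefix, and the comparison happens client-side. The "server" here is an in-process dictionary over a constructed five-entry corpus with made-up occurrence counts.

```python
import hashlib
import hmac

# Constructed stand-in for a breach corpus: password -> times seen in dumps (counts are invented).
LEAKED = {
    "123456": 37_000_000,
    "password": 9_000_000,
    "qwerty": 4_000_000,
    "Summer2024!": 1_200,
    "letmein": 500_000,
}


def sha1_upper(password):
    return hashlib.sha1(password.encode()).hexdigest().upper()


# Server side: index every hash by its first 5 hex characters (the k-anonymity bucket).
BREACH_INDEX = {}
for _pw, _count in LEAKED.items():
    _digest = sha1_upper(_pw)
    BREACH_INDEX.setdefault(_digest[:5], []).append((_digest[5:], _count))


def range_query(prefix):
    """What the server answers: every known (suffix, count) sharing the 5-char prefix."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 uppercase hex characters")
    return BREACH_INDEX.get(prefix, [])


def breach_count(password):
    """Client side: only the 5-char prefix leaves the client; the password and full hash never do."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for known_suffix, count in range_query(prefix):
        if hmac.compare_digest(known_suffix, suffix):
            return count
    return 0


def accept_new_password(password, min_length=8):
    """NIST-style screening: a length floor plus rejection of anything seen in a breach."""
    if len(password) < min_length:
        return False, "too short"
    seen = breach_count(password)
    if seen:
        return False, f"found in {seen} breach records"
    return True, "ok"


if __name__ == "__main__":
    for pw in ("password", "Summer2024!", "short", "correct horse battery staple"):
        print(repr(pw), "->", accept_new_password(pw))
```

Run this at password creation and password change, and re-run it over stored hashes when a new dump lands, so the "change after a breach" rule in the next tip is triggered by evidence rather than by a calendar.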
4. Change Passwords After Attacks or an Employee Leaves
A corollary to the previous tip is to change passwords after certain events: a confirmed data breach at a site where you hold an account, or a situation such as an employee leaving the company. The risk of former staff accessing systems is significant: 83% of employees said they can still access accounts from a previous employer, and 27% had access to a former colleague’s account. So it is not just the passwords of systems the departing employee had access to that need changing, but any credentials that may have been shared with them (team mailboxes, service accounts and the like), and any sessions still open under their name should be revoked at the same time.
5. Use a Password Manager
Password managers are digital vaults that both generate and store unique, random passwords for online accounts. Available as smartphone applications, desktop apps or browser add-ons, they mean you never have to invent or remember a password for a new or existing account, which removes much of the friction of maintaining a password policy. The trade-off is that the vault becomes a single point of failure, both for access (lose the master password and you lose everything) and for security: the vault is only as strong as the master password and the key-derivation settings that turn it into the encryption key. In 2015, attackers compromised servers of the popular password manager LastPass, obtaining cryptographically protected master-password data and other sensitive user information. So choose a long, unique master password, protect the vault account with MFA, and prefer managers that keep vault contents end-to-end encrypted so the vendor never holds the decryption key.
6. Use Multi-Factor Authentication
To add a defense layer around password security, introduce multi-factor authentication (MFA). MFA requires at least two authentication factors from independent categories: knowledge (e.g., a password), possession (e.g., a token or device) and inherence (e.g., a fingerprint). Requiring the user to prove a second factor in addition to the password makes an attacker’s job harder, but many common 2FA and MFA methods can still be circumvented: SMS and app-generated one-time codes can be relayed through a phishing proxy in real time, and push approvals can be extracted by bombarding the user with prompts (push fatigue). This is why many security experts now recommend phishing-resistant MFA, such as FIDO2/WebAuthn security keys or platform authenticators, where the credential is bound to the site’s origin and cannot be replayed anywhere else.
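To see why a one-time code is a shared secret that phishing can relay, here is an RFC 4226/6238 HOTP/TOTP implementation with a server-side verifier, added as a worked example for this article; it is not code from the original page or from HYPR. The secret is the ASCII test-vector key from RFC 6238, and the `relay_attack` function is a hypothetical adversary-in-the-middle that simply forwards the code the victim typed on a lookalike site a few seconds later.

```python
import hashlib
import hmac
import struct
import time

# RFC 6238 Appendix B test key (ASCII "12345678901234567890"); a real seed is random.
RFC_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time (what the phone app does)."""
    t = int(time.time() if at is None else at)
    return hotp(secret, t // step, digits)


def verify_totp(secret, code, at=None, step=30, window=1, digits=6):
    """Server-side check accepting the current step plus `window` steps either side for clock drift."""
    t = int(time.time() if at is None else at)
    current = t // step
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return True
    return False


def relay_attack(secret, victim_typed_at, attacker_submits_at):
    """Hypothetical phishing proxy: the victim types the code on a lookalike page and the
    attacker forwards it to the real server. The server cannot tell who submitted it."""
    code = totp(secret, at=victim_typed_at)            # produced by the victim's authenticator
    return verify_totp(secret, code, at=attacker_submits_at)


if __name__ == "__main__":
    print("code at T=59:", totp(RFC_SECRET, at=59))
    print("relayed 5 s later accepted:", relay_attack(RFC_SECRET, 59, 64))
    print("same code 2 minutes later accepted:", verify_totp(RFC_SECRET, "287082", at=200))
```

The server checks only that the code matches the secret for the current time window, so anything that can obtain the code within that window, including a reverse-proxy phishing kit, can log in. A FIDO2/WebAuthn assertion does not have this property: the authenticator signs a challenge together with the origin it is actually talking to, so a signature produced for the lookalike domain fails verification at the real one.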
7. Remove Passwords Completely
Since passwords are such a vulnerable and regularly targeted element of cyber-defenses, the top password security best practice is to remove them completely. Passwordless authentication that uses no shared secret anywhere in its processes drastically reduces the chance of successful account takeover and other credential-based attacks; Microsoft has estimated that the approach could prevent 99.9% of such attacks. The crucial point is full elimination of any shared, centrally stored secret (a password, an OTP seed or code) that can be breached, intercepted or phished, in favor of a private key that never leaves the user’s device and a public key that is all the server needs to hold.
To learn more about passwordless authentication and how it works, read the Passwordless Security 101 guide.
Eliminate Passwords with HYPR
Passwords are an extremely vulnerable security element and have become increasingly targeted by cyberattackers. Although there are a number of password security best practices that can be used to improve the quality and effectiveness of passwords, a simpler and even more effective solution is to remove the use of shared secrets completely.
HYPR’s passwordless authentication solution is recognized as a gold standard of authentication security, meeting the phishing-resistant MFA requirements set out in government specifications. HYPR uses public-key cryptography (PKI) and secure on-device verifiers to establish authentication, fully removing shared secrets from every point in the login process.