As World Password Day rolls around—eight years after Intel kicked off the annual reminder to secure this gatekeeper of our cyber identities—the lowly password remains a mainstay of good digital hygiene, despite its user flaws.
Consider this entrant: “solarwinds123.” That’s the password that a worker created to access a secure server at network-management software company SolarWinds.
We all know the rest: Hackers broke in and launched one of the worst cyberattacks in U.S. history, infecting 300 companies, nine federal agencies, and racking up as much as $100 billion in cleanup costs.
Turns out, millions of other American workers are no better at password hygiene. More than half (57%) said in a recent survey that they write their work-related passwords on sticky notes, according to Keeper Security, indicating a worrying carelessness. And it’s only increased since the pandemic. The same survey found that 66% of workers are more likely to write down passwords when working from home.
All of which explains why experts have lobbied for the end of these all-too-fallible and vulnerable collections of pet’s names and easily hackable number sequences. Security experts say today’s technology can let workers verify their identities using fingerprint or facial recognition applications on smartphones. Or they can use a software token, eliminating user verification and passwords altogether.
You don’t have to be a technical wizard to do this.
But it turns out the most prudent path—and the one of least resistance—is simply to embrace the lowly password and strengthen it. Fortunately, that can easily be done through strong password management and multifactor authentication (MFA).
“The reality is that passwords are still here,” says Kelvin Coleman, executive director of the National Cybersecurity Alliance (NCSA). “What I tell consumers and businesses is they have to create robust passwords, enable MFA, and run the security updates and patches. You don’t have to be a technical wizard to do this.”
With that in mind, here are four best practices for rock-solid password security.
Create strong passwords
Rob Clyde, a board director at the Information Systems Audit and Control Association (ISACA), says people think they have to add alphanumeric characters, such as numbers and #, @ and &, to all their passwords. (Some applications do in fact require it).
But Clyde says these characters are often an unnecessary addition, and they add complexity, which in turn makes it harder for users to remember their passwords. Instead, the National Institute of Standards and Technology (NIST) suggests creating a password from a unique, easy-to-remember phrase of 8 to 12 characters. Caution: Don’t use the names of children or pets; hackers watch what you do on social media and figure that out.
Change passwords less frequently, not more
Companies often prompt workers to change their network-access passwords every 30 to 45 days. Not a great idea, thanks to human simplemindedness. Users might go from 2020Yankees to 2021Yankees. Hackers can easily pick up those tweaks (again from monitoring your social feed and using your team affiliation until they find the right combination).
Passwords for system administrators who manage servers should be changed roughly once a month.
It’s better to create and stick to one strong password than to make small changes to a weak one. There is an exception: “Passwords for system administrators who manage servers should be changed roughly once a month,” says Oliver Cronk, chief IT architect for the EMEA region at Tanium.
Proactively use MFA
Today’s websites, applications, and enterprise networks often use MFA by pairing password logins with third-party authenticator apps that users can access over a smartphone. To many, this two-step process is not “frictionless” (the gold standard in user experience).
However, by now, the process has become common to both consumers and workers, most of whom keep their smartphones on desks next to computers. “Popular authentication apps such as Cisco Duo, Google Authenticator, and Authy are widely used,” says Clyde. “MFA also protects against “credential stuffing,” where hackers reuse multiple stolen passwords to launch attacks. In most instances, MFA stops credential stuffing in its tracks.”
Practice “least privilege access”
This concept is simple. Employees should have access only to applications and databases they need to do their job. For example, as organizations move to the cloud, says Clyde, they’ve tended to give many of the systems administrators access to all of the databases in the cloud. It’s best to break up the assignments based on the databases that the systems administrators need. That way, if a cloud database gets exposed, an attacker won’t have access to all the company’s systems.
There are other practical steps users and security teams can take to safeguard their digital identity or the keys to their enterprise kingdom. First, it’s always a good idea to assume the worst and check Have I Been Pwned for a list of company data breaches and exposed email addresses. From there, you might consider using a password manager.
However, Chris Hallenbeck, chief information security officer for the Americas at Tanium, cautions that while password managers are good tools because they can generate an encrypted password for every application, they too require a strong master password. (See best practices, above.)
Finally, Hallenbeck suggests keeping this one tip in mind: Never type your passwords on a Word document or Excel spreadsheet. Doing that may seem easy for you, but it also makes it easy for a hacker to find those passwords and exploit them.
That’s not something you want to do on World Password Day or beyond.