Passwords have been with us for as long as computer systems have existed. But as the number of accounts, websites and apps we must secure has grown, managing all of those credentials has become harder.
Today, more than half (57%) of Americans still write their work-related passwords on sticky notes. Surprised? Well, maybe we shouldn't be, knowing what we do about human nature.
Often, these challenges are made worse by overzealous policies requiring complex, difficult-to-remember credentials and regular password changes. Getting the balance right between security and convenience is key: a policy that users cannot follow without writing things down is weaker, not stronger.
So, to help you this World Password Day, let's look at some common misconceptions around password security and explain what good policy looks like.
Watch this episode of “To the Point” with two of Tanium’s experts, Chris Hallenbeck, Chief Information Security Officer for the Americas, and Oliver Cronk, Chief IT Architect for EMEA.
Busting the top-four password myths
Myth #1 — Passwords need to be complex to be more secure.
This isn't necessarily the case. What matters to an attacker running a cracking or guessing tool is the size of the search space, and that grows far faster with length than with a larger character set. Research has shown that a relatively easy-to-remember, long sentence or phrase may be more difficult for attackers to crack or guess than a shorter, more complex string, and it is also far less likely to end up on a sticky note.
Myth #2 — Passwords need to be changed frequently.
Your corporate password policy needs to be adjusted according to risk. If we're talking about an admin account or one with a high level of privileges, then there is a case for rotating passwords fairly frequently, or better still, issuing them just in time from a vault. But for an end-user account, frequent forced updates only lead to poor practice, like the sticky notes example above, or to predictable increments such as Spring2024 becoming Summer2024. Current NIST guidance (SP 800-63B) is not to force periodic changes on users at all, and instead to change a password when there is evidence it has been compromised. This is a balancing act that requires careful consideration by IT.
Myth #3 — If I use multi-factor authentication (MFA) and a strong password, I’m bulletproof.
Unfortunately, there's no such thing as 100% protection in cybersecurity. Even if you have closed off one avenue through effective user authentication, there may be others for attackers to explore. Theft of browser session cookies is one example: the cookie is issued after the password and second factor have been checked, so whoever steals it can reuse the authenticated session without ever touching either. The objective is to make things as difficult as possible for your adversary, and with MFA and strong passwords enforced across the organization you're off to a strong start, especially if they're implemented as part of a Zero Trust approach that also checks the device.
Myth #4 — If my account gets hacked, someone is after me.
Not at all. In most cases, intrusions are fairly random and opportunistic. Credential stuffing attacks, for example, can occur if you've reused your password on another site that is subsequently breached. Those credentials are obtained by threat actors from dark-web marketplaces and replayed, usually by automated tooling, across many other sites in the hope that they'll unlock some of your other accounts. The attacker is not targeting you; they are targeting everyone in the list at once.
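Seen from the defender's side, credential stuffing looks different from a classic brute force: many distinct usernames from one source in a short window, roughly one attempt each, with the occasional success. The following detection logic, added here as an illustration and not part of the original post or any Tanium product, runs that heuristic over a constructed authentication log (the `auth ip=... user=... result=...` line format, the IP addresses, the usernames and the thresholds are all assumptions for the example).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line format for the example (constructed, not a real product's format).
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) auth "
    r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: one source sprays six different accounts once each (stuffing, with one hit),
# another hammers a single account (brute force), a third is a normal login. TEST-NET addresses.
SAMPLE_LOG = """\
2024-05-02T10:00:01Z auth ip=203.0.113.5 user=alice result=FAIL
2024-05-02T10:00:02Z auth ip=203.0.113.5 user=bob result=FAIL
2024-05-02T10:00:02Z auth ip=198.51.100.7 user=bob result=FAIL
2024-05-02T10:00:03Z auth ip=203.0.113.5 user=carol result=FAIL
2024-05-02T10:00:04Z auth ip=203.0.113.5 user=dave result=OK
2024-05-02T10:00:05Z auth ip=198.51.100.7 user=bob result=FAIL
2024-05-02T10:00:06Z auth ip=203.0.113.5 user=erin result=FAIL
2024-05-02T10:00:07Z auth ip=198.51.100.7 user=bob result=FAIL
2024-05-02T10:00:08Z auth ip=203.0.113.5 user=frank result=FAIL
2024-05-02T10:00:09Z auth ip=198.51.100.7 user=bob result=FAIL
2024-05-02T10:00:10Z auth ip=198.51.100.7 user=bob result=FAIL
2024-05-02T10:00:11Z auth ip=198.51.100.7 user=bob result=FAIL
2024-05-02T10:01:00Z auth ip=192.0.2.9 user=alice result=OK
"""


def parse_auth_log(text):
    """Parse matching lines into dicts sorted by timestamp; unrelated lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    events.sort(key=lambda e: e["ts"])
    return events


def find_credential_stuffing(text, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Flag source IPs that try at least `min_users` distinct accounts inside `window`
    with no more than `max_per_user` attempts per account (the stuffing signature).
    A single account hit many times is brute force, not stuffing, and is not flagged here."""
    by_ip = defaultdict(list)
    for e in parse_auth_log(text):
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Sliding window over this source's events, oldest first.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            per_user = defaultdict(int)
            for ev in win:
                per_user[ev["user"]] += 1
            if len(per_user) < min_users or max(per_user.values()) > max_per_user:
                continue
            prev = flagged.get(ip)
            if prev is None or len(per_user) > prev["distinct_users"]:
                flagged[ip] = {
                    "distinct_users": len(per_user),
                    "attempts": len(win),
                    "successes": sum(ev["result"] == "OK" for ev in win),
                    # Accounts that succeeded during the spray are the ones to reset first.
                    "compromised": sorted({ev["user"] for ev in win if ev["result"] == "OK"}),
                }
    return flagged


if __name__ == "__main__":
    for ip, info in find_credential_stuffing(SAMPLE_LOG).items():
        print(ip, info)
```

The useful output is not just the source address but the list of accounts that succeeded during the spray: those are the users whose reused password is now known to the attacker and who need a reset and an MFA check first.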
Password best practices
Fortunately, there’s a lot that organizations and individuals can do to improve their password security. And it doesn’t necessarily require a great deal of extra time and effort. Consider the following:
- Identity management providers like Google and Microsoft offer security checkups that can be a good way to see if you are using weak, repeated and/or previously breached passwords across your accounts. If the results seem overwhelming, just focus on the accounts you regard as "tier one", such as online banking and email. Your email account is where providers send password resets for everything else, so it's essential to protect it with a strong, unique password and MFA.
- Rotate passwords on your admin and high-privilege corporate accounts more frequently than for regular user accounts.
- MFA should be switched on for all users, especially administrators.
- Go for length when choosing passwords: a passphrase of several random words is more secure than a 10- to 12-character password, and easier to remember.
- Verify that policies are actually being followed, for example by checking whether credentials are being committed to repositories on sites like GitHub, which exposes the organization to unnecessary extra risk.
- You can also check whether your email address has appeared in a data breach on Have I Been Pwned (haveibeenpwned.com).
- Businesses can use days like World Password Day to raise awareness, but they shouldn't stop at passwords. It's also a good time to examine their access controls. Breaking a weak password provides access; what a cybercriminal can do with that access is where organizations should focus their time.
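The length-over-complexity point from Myth #1 and the "previously breached passwords" check from the list above can be combined into one registration-time check. The code below is an added example, not part of the original post or any Tanium product. It assumes a policy of a minimum of 15 characters with no composition rules, and checks the candidate against a breach corpus using the k-anonymity scheme of the Have I Been Pwned Pwned Passwords range API: only the first five hex characters of the SHA-1 hash are sent, and the matching suffix is looked up locally in the returned range. The range data embedded here is constructed so the example runs offline; only the hash of "password" and its format are real, the counts and the second suffix are made up.

```python
import hashlib
import urllib.request

MIN_LENGTH = 15  # assumed policy for the example: length, not character classes

# Constructed offline stand-in for a range response. The real API returns one
# "SUFFIX:COUNT" line per hash whose SHA-1 starts with the requested 5-char prefix.
# "5BAA6" is the genuine prefix of SHA-1("password"); the counts here are made up.
CONSTRUCTED_RANGE_DATA = {
    "5BAA6": "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n",
}


def offline_range_lookup(prefix):
    """Return the constructed range text for a prefix (empty if we have none)."""
    return CONSTRUCTED_RANGE_DATA.get(prefix, "")


def hibp_range_lookup(prefix, timeout=5):
    """Live lookup against api.pwnedpasswords.com. Not used by the offline run below;
    it sends only the 5-character prefix, never the password or its full hash."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "password-policy-example"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password, range_lookup=offline_range_lookup):
    """How many times the password appears in the breach corpus (0 if never seen)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def evaluate_password(password, range_lookup=offline_range_lookup):
    """Apply the assumed policy: long enough, and not in a known breach corpus."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"too short: {len(password)} characters, minimum is {MIN_LENGTH}")
    seen = pwned_count(password, range_lookup)
    if seen:
        reasons.append(f"appears {seen} times in the breach corpus")
    return {"ok": not reasons, "reasons": reasons}


if __name__ == "__main__":
    # Constructed candidates: a breached classic, a short "complex" one, a long passphrase.
    for candidate in ("password", "Tr0ub4dor&3", "rooftop lantern quietly migrates"):
        print(repr(candidate), evaluate_password(candidate))
```

The short, symbol-laden "Tr0ub4dor&3" fails purely on length while the four-word passphrase passes; "password" fails on both counts. Swapping `offline_range_lookup` for `hibp_range_lookup` turns this into a live check without changing what leaves the machine.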
How Tanium can help
Tanium can help support these efforts in two ways:
- We deliver the visibility and control you need at speed and scale to help ensure global policies are applied to endpoint devices, for example by letting you check for plaintext password files in use across the organization.
- We support a best practice Zero Trust approach by authenticating the device before corporate users can log in. Identity management is a crucial step, but if an endpoint has been compromised, a valid user login from that endpoint can still let attackers sneak through corporate defenses.
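Whatever tooling runs the sweep, the check for plaintext credentials on endpoints and in repositories (mentioned above and in the best-practices list) comes down to pattern matching over text files. The scanner below is an added example, not part of the original post or of Tanium's product; it looks for credential assignments in config files, AWS access key IDs and private key blocks, skips obvious placeholders, and redacts what it finds so the report itself does not become another plaintext copy. The sample config, its values and the skipped directory names are constructed for the example (the AKIA key is the documented AWS example key, not a live one).

```python
import os
import re

# Patterns a plaintext-credential sweep would look for. The keyword list and
# placeholder prefixes are assumptions for the example; extend them for your environment.
ASSIGNMENT_RE = re.compile(
    r"(?i)(?P<key>(?:password|passwd|pwd|secret|api[_-]?key|token)[a-z0-9_]*)"
    r"\s*[:=]\s*[\"']?(?P<value>[^\s\"']{8,})"
)
AWS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
PRIVATE_KEY_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
PLACEHOLDER_PREFIXES = ("$", "<", "{{", "%")  # ${VAR}, <fill-me>, {{ template }}, %ENV%

# Constructed sample of the kind of file the sweep is meant to catch.
SAMPLE_CONFIG = """\
# constructed sample: app.cfg found on an endpoint
db_host = db.internal
db_password = hunter2-but-longer
api_token = ${API_TOKEN}
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
-----BEGIN RSA PRIVATE KEY-----
"""


def redact(value):
    """Keep two characters for triage, mask the rest so the report is safe to share."""
    return value[:2] + "*" * (len(value) - 2)


def scan_text(text, path="<memory>"):
    """Return a list of findings for one file's contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ASSIGNMENT_RE.search(line)
        if m and not m.group("value").startswith(PLACEHOLDER_PREFIXES):
            findings.append({"path": path, "line": lineno, "kind": "credential-assignment",
                             "detail": f"{m.group('key')}={redact(m.group('value'))}"})
        m = AWS_KEY_ID_RE.search(line)
        if m:
            findings.append({"path": path, "line": lineno, "kind": "aws-access-key-id",
                             "detail": redact(m.group(0))})
        m = PRIVATE_KEY_RE.search(line)
        if m:
            findings.append({"path": path, "line": lineno, "kind": "private-key",
                             "detail": m.group(0)})
    return findings


def scan_tree(root, max_bytes=1_000_000):
    """Walk a directory tree and scan every text file; binaries and VCS metadata are skipped."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in {".git", "node_modules"}]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    data = f.read(max_bytes)
            except OSError:
                continue
            if b"\x00" in data:  # crude binary check
                continue
            findings.extend(scan_text(data.decode("utf-8", "replace"), path))
    return findings


if __name__ == "__main__":
    for finding in scan_text(SAMPLE_CONFIG, "app.cfg"):
        print(f"{finding['path']}:{finding['line']} {finding['kind']} {finding['detail']}")
```

Run against the constructed config, the scanner flags the database password, the AWS key pair and the private key block while ignoring `api_token = ${API_TOKEN}`, which is a reference to an environment variable rather than a secret. Pointing `scan_tree` at a cloned repository gives a first-pass answer to the "are credentials ending up on GitHub?" question from the best-practices list.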