When it comes to passwords, you often hear stories of users just adding an extra number, symbol or character to an existing password that has likely been reused across numerous platforms. This practice has been all too common since computer systems went mainstream in the 90s.
How Hackers Use Your Password Against You
Passwords are among the most targeted pieces of information on the internet. Once an attacker has a username, the next step is to obtain the password or reset it to one they control.
Once this is done, they can do all sorts of things with that working set of credentials. Two related techniques are worth telling apart. "Credential stuffing" is replaying a stolen username and password pair against many other services or login portals to see where the reuse pays off. "Password spraying" is the reverse: trying one or a few common passwords (think Summer2024!) against a long list of usernames, a few attempts per account, so that no single account trips a lockout. In both cases the attacker notes what works, what doesn't, and what triggers a multi-factor prompt or temporary PIN request, records the outcomes in a spreadsheet, and either uses the results themselves or sells them on the dark web.
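The two attack patterns above look different in authentication logs: a spray touches many accounts from one source with only a failure or two per account, while a brute-force attempt hammers one account. The script below is an added example, not code from the original article, that classifies sources from a constructed set of log lines; the log format (`src=`, `user=`, `result=`), the time window and the thresholds are all assumptions chosen for illustration.

```python
"""Classify failed-login bursts per source from constructed auth log lines.

Added example; not from the original article. Log format, field names and the
thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.5 sprays one password across many accounts
# (one failure each, then a success on 'frank'); 198.51.100.9 brute-forces
# one account; 192.0.2.77 is an ordinary user who mistyped once.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2024-05-01T10:00:03Z src=203.0.113.5 user=bob result=FAIL
2024-05-01T10:00:05Z src=203.0.113.5 user=carol result=FAIL
2024-05-01T10:00:07Z src=203.0.113.5 user=dave result=FAIL
2024-05-01T10:00:09Z src=203.0.113.5 user=erin result=FAIL
2024-05-01T10:00:11Z src=203.0.113.5 user=frank result=OK
2024-05-01T10:01:00Z src=198.51.100.9 user=alice result=FAIL
2024-05-01T10:01:01Z src=198.51.100.9 user=alice result=FAIL
2024-05-01T10:01:02Z src=198.51.100.9 user=alice result=FAIL
2024-05-01T10:01:03Z src=198.51.100.9 user=alice result=FAIL
2024-05-01T10:01:04Z src=198.51.100.9 user=alice result=FAIL
2024-05-01T10:01:05Z src=198.51.100.9 user=alice result=FAIL
2024-05-01T10:05:00Z src=192.0.2.77 user=grace result=FAIL
2024-05-01T10:05:30Z src=192.0.2.77 user=grace result=OK
"""


def parse_line(line):
    """Turn 'TIMESTAMP key=value ...' into a dict with a datetime under 'ts'."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), **fields}


def classify_sources(log_text, window=timedelta(minutes=10),
                     spray_min_users=5, spray_max_per_user=2,
                     brute_min_attempts=5):
    """Return {src: verdict} where verdict holds a label and the accounts
    that succeeded from that source after its failures began."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            events[ev["src"]].append(ev)

    verdicts = {}
    for src, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "FAIL"]
        per_user = defaultdict(int)
        for e in fails:
            per_user[e["user"]] += 1
        in_window = bool(fails) and fails[-1]["ts"] - fails[0]["ts"] <= window

        # Spray: many distinct accounts, each failing only once or twice.
        if (in_window and len(per_user) >= spray_min_users
                and max(per_user.values()) <= spray_max_per_user):
            label = "password_spray"
        # Brute force: one account absorbing many failures.
        elif in_window and per_user and max(per_user.values()) >= brute_min_attempts:
            label = "brute_force"
        else:
            label = "benign"

        # A success from an attacking source after its failures started is
        # the account to investigate first (and to force a reset on).
        candidates = []
        if label != "benign":
            first_fail = fails[0]["ts"]
            candidates = sorted({e["user"] for e in evs
                                 if e["result"] == "OK" and e["ts"] >= first_fail})
        verdicts[src] = {"label": label, "failed_users": len(per_user),
                         "failures": len(fails),
                         "compromised_candidates": candidates}
    return verdicts


if __name__ == "__main__":
    for src, v in classify_sources(SAMPLE_LOG).items():
        print(src, v)
```

The thresholds are the interesting knobs: a spray deliberately stays under the per-account lockout limit, so a detection that only counts failures per user never sees it. Counting distinct users per source (or per ASN, when the attacker rotates IPs) is what exposes the pattern.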
How to Ensure the Health of Your Credentials Is the Best It's Ever Been
We all want to stay clear of the situation above, and you can start by implementing a healthy password policy:
- Require a password login for all organizational systems that contain sensitive data.
- Change default passwords that come with programs immediately after installation.
- Require passwords to be at least eight characters long, and prefer longer. Length does more for strength than mandatory mixing of uppercase and lowercase letters, numbers, and symbols (NIST SP 800-63B no longer recommends composition rules), so treat eight as the floor, not the target.
- Promote the use of passphrases rather than passwords. A passphrase is typically a sentence or a combination of words, numbers, and symbols.
- Encourage staff members to break common password habits, such as placing capital letters at the beginning of a password and numerals at the end.
- Use multi-factor authentication. This method involves a password and at least one other identifying technique, such as an electronic identification card, key fob, or fingerprint recognition.
- Implement password monitoring to screen for weak and compromised passwords.
- Consider deploying a password manager that generates complex and unique passwords that employees can easily access with a strong master password.
- Configure systems to prevent users from repeating the same password within a specified timeframe.
- Enable a password reset function on your systems so that staff members can change forgotten passwords once their identities are authenticated.
- Implement a lockout or throttling function that triggers after a certain number of failed attempts. Note that hard lockouts can be abused to lock legitimate users out of their own accounts, so pair them with progressive delays or rate limiting rather than relying on lockout alone.
- Set accounts to automatically disable if they are inactive for a predefined amount of time.
- Enable optional password protection on any devices or systems that offer this option.
What to AVOID When Handling Passwords
If a password is easy for someone else to guess, it is easy for an attacker to crack.
- Advise staff members to avoid passwords or passphrases that:
  - Contain common words or terms, even if the spelling is slightly altered (example: H0spital1234 or Nur$e1234).
  - Use common phrases, famous quotations, and song lyrics (e.g., 2BeOrNot2Be?).
  - Contain personal information, such as names; pets' names; street names; Social Security numbers; etc. (example: JaneDoe1975).
  - Are overly simplistic or easily guessed (example: PassWord1234).
  - Use adjacent keyboard combinations (example: qwerty1234).
  - Contain pop culture references (example: $tarWar$2021).
  - Use information found on social media sites (example: @JaneDoeTweets).
- Avoid systems that use password hints or knowledge-based authentication (KBA) as a method of password recovery. Hints are often a weak restatement of the password itself (example: "favorite science fiction movie"), and KBA answers can be easily guessed or researched (example: mother's maiden name).
- Advise staff to not write down passwords as a method of remembering them, even if they think they are concealed.
- As part of security policies, prohibit staff from sharing passwords with other personnel or letting others use a system or network while they are logged in.
- Recommend that staff use unique passwords for each system and account.
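Most of the policy items above (minimum length, passphrase allowance, no repeats, screening for weak and compromised passwords) and the whole "avoid" list can be enforced at password-change time rather than left to memory. The checker below is an added example, not code from the original article: it undoes common letter-for-symbol swaps so H0spital1234 still matches "hospital", looks for keyboard walks, compares against a user profile, and checks a breach corpus and the user's own password history by SHA-1 hash. The word list, the profile fields, the leet table and the "breached" set are constructed stand-ins; a production deployment would use a large blocklist and a real breach-corpus lookup.

```python
"""Screen a candidate password against the policy and avoid-list above.

Added example; not from the original article. COMMON_WORDS, LEET, the profile
fields and BREACHED_SHA1 are constructed stand-ins for illustration.
"""
import hashlib
import re

# Letter-for-symbol swaps to undo before dictionary matching (assumed subset).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "$": "s", "@": "a", "!": "i"})
# Constructed blocklist; a real one runs to hundreds of thousands of entries.
COMMON_WORDS = {"password", "hospital", "nurse", "welcome", "letmein",
                "starwars", "summer", "admin"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
# Constructed stand-in for a breach corpus, keyed by upper-case SHA-1 hex.
# A k-anonymity range lookup would send only the first five hex characters.
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper()
                 for p in ("PassWord1234", "qwerty1234", "Nur$e1234")}


def sha1_hex(pw):
    """Upper-case SHA-1 hex digest, the form breach corpora usually publish."""
    return hashlib.sha1(pw.encode()).hexdigest().upper()


def keyboard_walk(pw, run=4):
    """Return the first keyboard-row run of `run` characters found, or None."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - run + 1):
                if seq[i:i + run] in low:
                    return seq[i:i + run]
    return None


def check_password(pw, profile=None, previous_hashes=(),
                   min_len=8, passphrase_len=16):
    """Return a list of reasons to reject `pw`; an empty list means accepted.

    `profile` maps field names to personal data (name, birth year, handle).
    `previous_hashes` holds SHA-1 hex digests of the user's earlier passwords.
    Composition rules are waived at `passphrase_len` (assumed threshold).
    """
    reasons = []
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if len(pw) < passphrase_len and classes < 3:
        reasons.append("fewer than 3 character classes "
                       "(waived only for long passphrases)")
    # Undo leet-style substitutions before looking for dictionary words.
    normalised = pw.lower().translate(LEET)
    for word in sorted(COMMON_WORDS):
        if word in normalised:
            reasons.append(f"contains common word '{word}'")
    walk = keyboard_walk(pw)
    if walk:
        reasons.append(f"contains keyboard sequence '{walk}'")
    for field, value in (profile or {}).items():
        if len(value) >= 3 and value.lower() in pw.lower():
            reasons.append(f"contains personal info ({field})")
    digest = sha1_hex(pw)
    if digest in BREACHED_SHA1:
        reasons.append("appears in breach corpus")
    if digest in previous_hashes:
        reasons.append("reuses a previous password")
    return reasons


if __name__ == "__main__":
    jane = {"first_name": "Jane", "last_name": "Doe", "birth_year": "1975"}
    for candidate in ("H0spital1234", "qwerty1234", "JaneDoe1975",
                      "correct horse battery staple"):
        print(candidate, "->", check_password(candidate, profile=jane) or "OK")
```

Two design points matter in practice. Matching is done on the normalised string, so the blocklist only needs the plain word and not every H0spital/Ho$pital variant. And the history check compares hashes rather than stored passwords, which is the only form the old passwords should exist in; if your password store uses a slow hash such as bcrypt or Argon2, compare with its verify function instead of a fast SHA-1 lookup.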
Although nothing can guarantee 100% password health, being aware and vigilant when creating and handling passwords is the best thing you can do for your business and personal credentials. Remember, long, unique passphrases combined with multi-factor authentication are among the best ways to put yourself in a more secure posture.