When Was the Last Time You Updated Password Security Policies?

Out-of-date password policies are putting your company at risk

If you haven’t updated your company’s password policy in a while, you’re on the wrong side of the curve. 

As computers become faster through the exponential growth of technology and hackers are becoming more sophisticated – to the point of using emerging technology for their own nefarious purposes – cracking passwords is easier than ever.

In fact, a recent cybersecurity study – the largest ever conducted around website login policies – found that 75% of popular websites globally are putting the data of many millions of users at risk. An automated tool assessed website creation policies and revealed that 12% of websites had no password length requirements. 

Don’t use these outdated password security best practices

It’s time for a password policy update. If you’re using the 2003 National Institutes of Standards and Technology (NIST) recommendation of taking a word and replacing letters with numbers and symbols while utilizing capitalization, you’re doing it wrong. 

In fact, the author recanted his advice in 2011 because hackers use dictionaries and common substitutions to crack passwords. However, making a complex password without using any words presents quite a challenge. NIST has revised the SP 800-63 Digital Identity Guidelines. These recommend:

• Always use “show password " to type your password correctly. You risk data exposure every time you have to change your password.
• Use a password manager to generate strong passwords. 
• Hash and salt passwords Hashing a plain-text password converts it into a gibberish fixed-length string, creating a “password hash.” Infiltrating hackers then get a list of hashes that would take much longer to crack and give you time to recover. Salting adds extra data to passwords before hashing, which makes passwords even more difficult to crack.
• Lock users out after multiple password attempts.
• Use two-factor or multiple-factor authentication. 

Use these password security best practices.

The United States Cybersecurity and Infrastructure Security Agency recommends the following:

• Make them long. Endsight recommends a 15-character password.
• Make your passwords random using mixed-cased letters as well as numbers.
• Or create a memorable phrase of five to seven unrelated words.
• Create a unique password for every account.

How long will this be a best practice? No one knows, but it’s only a matter of time before this scheme gets exploited by hackers who are getting better and computers that are getting faster.

The human factor in security

One of our Endsight’s engineers, said it best:

"We tend to overestimate the human factor in security because we want to expect the best of ourselves and others, but anyone can be socially engineered or phished, anyone can have their clever/complex shared password scheme revealed in a breach, and anyone can be working on an improperly secured computer that is key logged.

“These things can be trained for, but never to an infallible degree; because computer (and human) networks work through relationships of trust, one compromised account translates directly into compromising others. All this adds up to the fact that a password cannot be made safe enough, neither through length nor complexity."

So, what's the best policy?

Two-factor or multi-factor authentication- whatever you call it is more secure than any password policy. More than two ways of authentication? It’s called multifactor. How does it work?

• First, you log into a website or program.
• The program prompts you to send a unique, sometimes six-digit code, to your mobile phone, and then you confirm that code in the program itself. 
• Before logging in, you must confirm with two technology sources (the password & your mobile device).

Two-factor authentication doesn’t have to involve just a password and a mobile device. It can work with many different combinations to be considered two-factor authentication.

Authentication combinations may look like:

• Password + mobile phone text message
• Password + app on a mobile phone (like the Microsoft Authenticator App)
• Password + email address
• Password + physical key
• Password + thumbprint
• Password + iris scanner (available on premium Android and Windows smartphones)

Protect yourself from password hackers

1. Create a unique password policy  and use this for your master password with a password manager - 1Password or Bitwarden.
2. Opt-in for two-factor authentication with any services you use where security is critical. These include your email provider, website provider, and, most importantly, online banking. You should enable two-factor authentication as soon as possible. If you can't figure it out online, call your bank today and ask them how to opt-in for two-factor authentication.
3. Ensure your business has a two-factor authentication policy for all password resets your systems administrator manages.
4. Make sure that you can trust your systems administrator. Without this, nothing else matters.

Password best practices are fading because of the advances mentioned in hacker skills and computing speed. Two-factor authentication covers password shortcomings - for the most part. 

At Endsight, we are committed to helping small businesses set up security protocols that protect them from disaster. Learn more about our offerings here!

True cybersecurity takes a multi-pronged approach, and we know all the essential ingredients. 

We’ll help you design policies that protect your business, as well as teach you more about how to implement two-factor authentication – we’re on a mission to help businesses set up security protocols that protect them from disaster. 

Contact us and start your new security journey today!