They’re a basic foundation of security, yet somehow constantly dismissed.
Passwords are one of the most important components of a strong cybersecurity strategy, but employees overwhelmingly have bad password habits despite all attempts to enforce best practices across the organization. People pick simple, easy-to-guess phrases like “password” or “12345”, or reuse the same password for multiple logins. Bad password habits are so pervasive that they’re even common among IT leaders: 55% of IT leaders have reused a password, almost a third have used a family member’s name in a password and 28% have used a pet’s name. These kinds of practices make it easy for hackers to guess passwords. IT commonly sets up computers with a single password shared across all machines, intending the owner to change it, only for users never to take that step. It happens all the time. In addition, passwords are forgotten, need to be changed on a rolling timeframe and, unfortunately, get shared with colleagues and with technical support staff for various reasons.
The protection of passwords is no small matter, especially when you consider that weak or stolen passwords are responsible for over 80% of hacking-related breaches. Yes – I just said 80%. So, what’s a person (or an enterprise) to do when it comes to password protection?
Best Practices for Password Policies
At an organizational level there are several steps that promote password protection and strong security practices. These include:
Creating a password blacklist that ensures employees don’t use commonly-used phrases when creating their passwords.
Implementing two-factor authentication.
Requiring the use of strong passwords.
Requiring password resets on a rolling timeframe (every 60 – 90 days).
Protecting the accounts of privileged users through additional measures such as a different login URL and a single sign-on attempt.
Securing your Wi-Fi connections and providing a secure VPN connection for remote workers.
Regular employee training on cybersecurity practices.
Communicating only over secure channels when resetting or sharing passwords (i.e. not using email or standard SMS text to provide this information).
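The blacklist and strong-password items above can be enforced at password-set time. The following is an added example (not Vaporstream’s code) that rejects passwords matching a common-phrase blacklist, including the “P@ssw0rd2023!” style variants a guessing tool undoes trivially, and passwords built from the family and pet names the post mentions; the blacklist and personal tokens are constructed samples.

```python
import re

# Constructed sample blacklist; a deployment would load a real list of common/breached passwords.
COMMON_PASSWORDS = {"password", "123456", "12345", "qwerty", "letmein", "welcome", "changeme"}

# Substitutions users make to dodge naive blacklists; guessing tools undo them, so we do too.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(pw: str) -> str:
    """Reduce a password to the base word a guessing tool would recover:
    lowercase, drop trailing digits/punctuation (e.g. '2023!'), undo leet-speak."""
    stripped = re.sub(r"[\W\d_]+$", "", pw.lower())
    return stripped.translate(LEET)


def check_password(pw: str, personal=(), blacklist=COMMON_PASSWORDS, min_len=12):
    """Return the list of policy violations; an empty list means the password is acceptable.
    `personal` holds per-user tokens (own name, family and pet names) supplied by the caller."""
    problems = []
    lowered = pw.lower()
    norm = normalize(pw)
    if len(pw) < min_len:
        problems.append("too_short")
    # Check both the raw form (catches "12345") and the normalized form (catches "P@ssw0rd2023!").
    if lowered in blacklist or norm in blacklist:
        problems.append("blacklisted")
    for token in personal:
        t = token.lower()
        if len(t) >= 3 and (t in lowered or t in norm):
            problems.append(f"contains_personal:{token}")
    return problems


if __name__ == "__main__":
    # Constructed candidates and personal tokens for demonstration.
    for candidate in ("P@ssw0rd2023!", "12345", "Fluffy-loves-walks-2019", "correct horse battery staple"):
        result = check_password(candidate, personal=("Kristi", "Fluffy"))
        print(f"{candidate!r}: {result or 'ok'}")
```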
Passwords and Communications
When it comes to passwords, a challenge for organizations is the reset process and the sharing of passwords when assisting employees. Phishing attacks thrive on password reset emails, so sending new passwords to users over email can be extremely risky. Colleagues sharing project passwords with one another over email can produce exactly the same result. Therefore, whether sharing passwords for a project (which we all know occurs), resetting passwords or generating new passwords for employees, use a secure messaging platform to do so. That is to say, use a platform that:
offers end-to-end encryption,
ensures that information does not remain on the device,
ensures that no information is stored in or backed up to the cloud,
ensures that information cannot be shared, saved, stored, forwarded or otherwise leaked.
This is all key in the protection of your passwords and ensuring protection from a breach.
Organizations should look for tools such as the Vaporstream Platform that also allow them to proactively send password reset reminders or new passwords automatically on a predetermined schedule. A secure communication platform ensures that these messages can’t be intercepted or mimicked by a malicious party and gives confidence that notifications and information are not a phishing or smishing attempt.
At Vaporstream, we believe that organizations should be able to follow best practices when it comes to password security, without having to compromise on efficiency. You can learn about how we ensure secure, efficient communications by downloading a datasheet here.
If you want to find out more, contact us.
Contributor: Kristi Perdue Hinkle
*** This is a Security Bloggers Network syndicated blog from Vaporstream authored by Kristi Perdue-Hinkle. Read the original post at: https://www.vaporstream.com/blog/password-protection-best-practices/