Weak password practices are a significant cause of security incidents. On the dark web, attackers can buy stolen logins, email lists, and other material to use in their attacks. If passwords are rarely changed, breaking into your company will be all too easy. You already know that passwords are essential; the question is how to enforce strong passwords without driving your employees crazy.
Why Password Management 1.0 Is Not Enough Anymore
Remember when “a mix of upper and lower case characters” was a new idea in password security? That entry-level approach is no longer enough. More modern guidance instead focuses on ruling out the practices associated with weak passwords. For example, NIST, the US standards body, lists the following categories of passwords that should not be allowed in its Digital Identity Guidelines: Authentication and Lifecycle Management:
- Passwords obtained from previous breach corpuses.
- Dictionary words.
- Repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’).
- Context-specific words, such as the name of the service, the username, and derivatives thereof.
Dictionary attacks and repeated characters are among the most straightforward ways to attack a system. What about “previous breach corpuses”? From time to time, researchers find lists of passwords obtained through breaches, such as the one reported in “Collection of 1.4 Billion Plain-Text Leaked Passwords Found Circulating Online.” To protect your organization, you will want to block those passwords, because anyone holding such a list will try them first.
The problem with context-specific passwords is harder to detect and to explain. At the simple end of the spectrum, users may reuse their username as their password (e.g., “jsmith” as both username and password). Another context-specific password relates to the application itself, such as “financePW” for a finance application. Such passwords are harder to guess than a plain dictionary word, but it is still best practice to discourage them.
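As an added illustration (not code from the original post or from Avatier's products), here is a password check that rejects each of the four NIST categories above. The breach list, the dictionary, and the username and service name are small constructed samples; a real deployment would load a full breach corpus and dictionary instead.

```python
import re

# Constructed sample data standing in for a real breach corpus and dictionary.
BREACHED = {"password1", "qwerty123", "letmein", "welcome1"}
DICTIONARY = {"summer", "dragon", "finance", "monkey", "welcome"}


def has_repeated_run(pw, run=4):
    """'aaaa' style: the same character repeated `run` or more times in a row."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def has_sequential_run(pw, run=4):
    """'1234', 'abcd' or 'dcba' style: `run` consecutive code points in a row."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        window = [ord(c) for c in s[i:i + run]]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def context_terms(username, service):
    """Username, service name and simple derivatives (reversed, separators removed,
    individual words of three or more characters)."""
    terms = set()
    for base in (username, service):
        b = base.lower()
        terms.update({b, b[::-1], re.sub(r"[^a-z0-9]", "", b)})
        terms.update(p for p in re.split(r"[@._\- ]", b) if len(p) >= 3)
    return terms


def check_password(pw, username, service):
    """Return the list of reasons the password must be rejected (empty = accepted)."""
    low = pw.lower()
    letters_only = re.sub(r"[^a-z]", "", low)  # catches 'Summer2023!' as 'summer'
    reasons = []
    if low in BREACHED:
        reasons.append("appears in a known breach corpus")
    if low in DICTIONARY or letters_only in DICTIONARY:
        reasons.append("is a dictionary word")
    if has_repeated_run(pw) or has_sequential_run(pw):
        reasons.append("contains repetitive or sequential characters")
    if any(t and t in low for t in context_terms(username, service)):
        reasons.append("contains the username or service name")
    return reasons
```

Comparisons are case-insensitive on purpose: “FinancePW” should fail the same check as “financepw”.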
Crafting a secure password is necessary but not sufficient to keep employees safe. You need to proactively equip employees to adopt positive security habits.
The 4 Keys To Unlocking Improved Security Without Driving Your Employees Crazy
To help your employees succeed with better passwords, use the following techniques. We will start with the fundamentals.
1) Review Your Cybersecurity Training
The quality of your cybersecurity training program is a crucial ingredient to improving password security. Meet with the manager responsible for security training and review the following questions:
- Rationale and motivation. How well does the training explain the WHY of your cybersecurity training? If this point is neglected, your employees may be disengaged with the entire process.
- Clarity of Password Training. If your password training is too technical, employees may be inclined to write it off as “an IT matter.” Ask yourself whether your training puts password issues in business terms — a way to protect employees, customers and other stakeholders from fraud and other risks.
- Highlight High Risk. Some users and systems have a higher risk profile than others. Does your training make that distinction clear? For example, users with “super” privileges must be held to a higher standard than front line staff.
- Roles and responsibilities of employees and managers. Segregation of duties between staff and managers is a key control process to keep your company safe. Review your training materials to see if you are honoring this principle.
2) Provide Self-Serve Password Management
Put yourself in your employee’s shoes for a moment. If you have to call the help desk every time you need a password reset, what will that reality do to your password behavior? You will probably choose simpler passwords and write them down in unsecured locations to avoid the hassle of picking up the phone.
Using a password management solution like Avatier’s Password Station is the simple way to solve this problem. By using Password Station, your help desk no longer has to deal with password reset issues all day. Your end users will confidently choose more complex passwords because they can quickly get new passwords when they need them.
Tip: Does your organization have periodic IT audits or security audits? If so, make sure you use Password Station’s reports to demonstrate how passwords are managed and logged.
3) Use Single Sign-On To Simplify Password Use
According to Security Magazine, the average business user has more than 150 passwords to keep in mind. In our opinion, that estimate feels a bit on the high side. Even if the true figure is more like 50 passwords, that is STILL an overwhelming amount to keep organized in your mind.
Using a password manager app is one solution to having too many passwords, and it works well for personal accounts on a home computer. For a company, relying on a password manager alone does not make sense. Instead, there is a better way: cut down on the number of passwords users have to keep in mind by using single sign-on.
With Avatier SSO, a single password is all your users need to manage. Managers and auditors still have the assurance that access is controlled and limited according to the user’s profile. That is just part of the benefit! Avatier SSO also saves time when you are onboarding new employees because you only need to set up one password for them.
4) Use Two Factor Authentication
In some situations, relying on a single password is not enough. For example, what about high-risk activities such as approving an exception to your bank’s loan guidelines? In that scenario, you want to be sure that the exception is appropriately authorized. The solution? Use two-factor authentication to authenticate the user.
Also known as multi-factor authentication (MFA), this approach is used by a growing list of companies to secure their technology. Amazon, Bank of America and Microsoft are just a few of the firms that currently use MFA. For more examples, read Which Companies Use Multi-Factor Authentication With Their Customers?
Get Started This Week To Improve Password Security
If you make password security easy for employees, they will do the right thing. The only question you have to ask is: “where to begin?” In most organizations, implementing an automated tool like Avatier SSO or Password Station will give you the highest bang for your buck.