We use passwords every day, in almost everything we do: unlocking our phones, purchasing online, logging into work computers and systems, and even accessing our bank accounts. There are many ways we can protect ourselves and our passwords, and we can strengthen that protection further with technical defences and processes.
How are passwords discovered?
Cyber-criminals can use a variety of methods to discover your passwords. Here are a few common ones, some you may have heard of and some that may be new to you.
Interception: Passwords can be intercepted as they travel over a network.
Brute force: Automated guessing of billions of passwords until the correct one is found.
Key logging: Installing a keylogger to intercept passwords when they are entered.
Stealing hashes: Stolen password hash files can be cracked offline to recover the original passwords.
Phishing & coercion: Using social engineering techniques to trick people into revealing passwords.
Data breaches: Using the passwords leaked from data breaches to attack other systems.
There are more methods than this, including observing someone’s password as they physically type it, or finding it where it has been insecurely stored, perhaps written on a sticky note. But even when implemented correctly, passwords can only do so much: once someone has discovered or guessed a password, they can impersonate that user.
How can you improve system security?
The good news is that there are many steps you can take to improve your security. Here are six pointers advised by the NCSC to keep your passwords safe.
1. Reduce your reliance on passwords
Believe it or not, we don’t always need passwords. Only use passwords where they are necessary and appropriate, or consider alternatives such as SSO, hardware tokens and biometric solutions. Where you can, use MFA (multi-factor authentication) for essential accounts and internet-facing systems.
2. Implement technical solutions
Throttling or account lockout can defend against brute force attacks; for lockout, allow between 5 and 10 login attempts before locking the account. This gives you some leeway if you forget your password or mistype it, but prevents the brute force discovery mentioned above. You can also consider using security monitoring to defend against these attacks, as your system will alert you when it is under attack.
3. Protect all passwords
Ensure corporate web apps requiring authentication use HTTPS (Hypertext Transfer Protocol Secure, as opposed to HTTP). You can also choose services and products that protect stored passwords using hashing standards such as SHA-256. For more control over your systems, protect or limit access to user databases, and prioritise administrators, cloud accounts and remote users.
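The following is an added example, not code from the original article or from the NCSC, showing how points 2 and 3 above fit together in a minimal credential store: passwords are stored only as salted PBKDF2-HMAC-SHA256 digests rather than as a single unsalted SHA-256 of the password, and logins are throttled with an account lockout after a fixed number of failures. The iteration count, the lockout threshold and duration, and the class and function names are this example's own assumptions.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import time
from typing import Optional

MAX_ATTEMPTS = 5            # within the 5-10 window recommended above
LOCKOUT_SECONDS = 15 * 60   # lockout duration is an assumption of this example
PBKDF2_ITERATIONS = 600_000 # slow, salted hashing of the password (assumed value)
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is generated when none is given."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class CredentialStore:
    """Hypothetical in-memory store: salted hashes plus per-account lockout."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock                                   # injectable for testing
        self._users: dict[str, tuple[bytes, bytes]] = {}      # username -> (salt, digest)
        self._failures: dict[str, int] = {}                   # consecutive failed logins
        self._locked_until: dict[str, float] = {}             # username -> unlock time

    def register(self, username: str, password: str) -> None:
        # Only the salt and digest are kept; the plaintext is never stored.
        self._users[username] = hash_password(password)

    def is_locked(self, username: str) -> bool:
        return self._clock() < self._locked_until.get(username, 0.0)

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'."""
        if self.is_locked(username):
            return "locked"
        record = self._users.get(username)
        if record is None:
            # Unknown account: run a dummy hash so response time does not
            # reveal which usernames exist.
            hash_password(password, b"\x00" * SALT_BYTES)
            ok = False
        else:
            salt, stored = record
            _, candidate = hash_password(password, salt)
            ok = hmac.compare_digest(candidate, stored)       # constant-time compare
        if ok:
            self._failures.pop(username, None)
            return "ok"
        failures = self._failures.get(username, 0) + 1
        self._failures[username] = failures
        if failures >= MAX_ATTEMPTS:
            # Lock the account and reset the counter for the next window.
            self._locked_until[username] = self._clock() + self._clock_lockout()
            self._failures.pop(username, None)
        return "denied"

    @staticmethod
    def _clock_lockout() -> float:
        return float(LOCKOUT_SECONDS)
```

The clock is injected so the lockout can be exercised without waiting; in a real deployment the failure counters and lock times would live in shared storage so that throttling also holds across several application servers.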
4. Help users generate better passwords
A lot of the discovery techniques above can be defeated by using strong passwords. By teaching your team about the dangers and the importance of password security, you can limit the damage. Encourage the use of different password generation methods, including the built-in generators in password managers. There are simple ways to strengthen passwords, such as avoiding passwords that are too short and not imposing artificial caps on password length. Plus, password blacklisting can prevent common passwords from being used.
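As an added example, not code from the original article, here is a password acceptance check that applies the rules in point 4: a minimum length, deliberately no maximum, and a blacklist of common passwords. The minimum length, the function name, and the tiny blacklist (a constructed sample standing in for a real breached-password list) are this example's own assumptions.

```python
import re

MIN_LENGTH = 12   # threshold is an assumption of this example; there is no maximum

# Constructed sample only; a real deployment would load a large breached-password list.
COMMON_PASSWORDS = {
    "password", "password1", "123456", "12345678", "qwerty", "letmein", "welcome1",
}

_TRAILING_JUNK = re.compile(r"[\d\W_]+$")


def check_password(password: str, username: str = "") -> list[str]:
    """Return a list of reasons the password is rejected; empty means accepted."""
    problems: list[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = password.lower()
    # Strip trailing digits and punctuation so "Password123!" is still caught
    # as the blacklisted word "password".
    core = _TRAILING_JUNK.sub("", lowered)
    if lowered in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        problems.append("appears on the blocked common-password list")
    if len(username) >= 3 and username.lower() in lowered:
        problems.append("contains the username")
    return problems
```

The check returns every reason at once rather than stopping at the first, so users are told everything they need to change in one go; the blacklist is compared case-insensitively and after trimming the usual numeric or symbol suffixes.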
5. Key messages for staff training
Keeping your staff educated about the importance of password protection is crucial for them personally, but also for the security of your business. Emphasise the risks of re-using passwords across work and home accounts so that they avoid this practice. Help users to prioritise their high-value accounts and to choose passwords that are difficult to guess. Consider making your training applicable to users’ personal lives so they can also practise password security at home and recognise its value.
6. Help users cope with password overload
If you are following these steps and encouraging your team to have multiple unique passwords of varying lengths that include special characters, they will need a way to remember them. Allow users to store their passwords securely, including in password managers, so staff don’t feel overwhelmed. If possible, don’t automatically expire passwords; only ask users to change their passwords on indication or suspicion of compromise. Finally, use delegation tools instead of password sharing. If there is a crucial business requirement for password sharing, use additional controls to provide the required oversight.
If you’d like to know more about cyber-security and how we can help keep your IT secure, contact our expert team today on firstname.lastname@example.org.