With yet another cloud server outage this week causing chaos to many businesses across the UK, it does beg the question of how safe businesses really are online. Although Cloudflare are saying this network failure was caused by a database issue, are we really getting the truth? With so many cyber attacks happening at the moment, it is time businesses took more time to improve password security. We have put together some of our top tips to keep your organisation secure.
The Problem with Passwords
Password use is continually on the rise, and they remain the default method of authentication for a wide range of services. While 2-Factor Authentication (2FA) is being used by more businesses, they still often require a password as one part of the login process. With increasingly complex password requirements (12 letters, a million symbols and one must be a capital letter), users are finding ways to cope with ‘password overload’ which makes them less secure. For example, re-using the same password across multiple sites, using really simple passwords or writing them down somewhere they can be easily found.
How are Passwords Discovered?
Attackers use a wide range of techniques to work out what passwords are being used, here are a few examples to keep an eye out for:
- Using social engineering to trick someone into revealing their password.
- Using passwords leaked from data breaches.
- Password spraying – using a small number of commonly used passwords to access a large number of accounts.
- Brute-force attacks – automated guessing of a larger number of passwords until the correct one is found.
- Theft of a password hash file.
- Shoulder-surfing – observing someone typing their password.
- Finding insecurely stored passwords e.g. sticky notes
- Manual password guessing (date of birth etc.)
- Intercepting a password as it is transmitted over a network
Improving Password Security
So now you have an idea of how someone could attempt to steal your passwords, let’s look at how you can make sure your organisation’s password policy is as effective as possible.
1. Reduce reliance on passwords
Of course we can’t simply get rid of passwords altogether, but often passwords are overused in areas where they are not necessary. A good way to reduce password burden is to only implement passwords when they are really needed and suitable. Single sign-on can also help, and while there will be some additional setup, they are easy to use and improve system security.
Multi-factor authentication (MFA) should also be used for important accounts. This is where a second factor is needed alongside a password in order to provide access. If an attacker was to identify the password for the account, they wouldn’t be able to gain access as a code is also sent by text message, or created by an app, that is also required for logging in.
2. Implement technical solutions
A security system should always rely on technical defences rather than user behaviour. Account lockout is one of the best (although sometimes annoying!) technical solutions that you can implement. This is where a restriction is put on the number of login attempts, and a user is then locked out of their account if they are unable to enter the password correctly.
Throttling is another option, where there is a progressively increasing time delay between successive login attempts. This is preferred to account lockout, as otherwise genuine users may end up not being able to access their account.
3. Protect all passwords
As passwords can be intercepted in transit, it is good best practice to ensure that all web applications requiring authentication use https in order to keep the information safe. By using a password manager that doesn’t store passwords as plain text, this will also make it harder for attackers to steal passwords. Using encryption (or hashing) where a plain text password is converted into a hash means that it is impossible to convert back to the original password. If an attacker accesses a password hash file, they will not know the actual passwords.
4. Help users cope with password overload
Traditionally, users have been told to memorise their passwords, and to not to write them down or share them with anyone else. As a business owner, you should provide the appropriate facilities to store passwords – such as a password manager. As well as providing secure passwords storage, they can help users generate and auto-fill passwords.
Another tip on helping users cope with password overload is to not enforce regular password expiry. Regular password changes actually do more harm than good! Users are more likely to choose new passwords that are only small variations of the old one anyway.
5. Help users generate better passwords
Machine-generated passwords eliminate passwords that would be simple for an attacker to guess as they are random and unique. Most of these types of passwords are hard to remember, so a password manager would also be required. User-generated passwords are quicker and easier to implement, but do carry the risk of being weaker and therefore more predictable for attackers to guess. Password strength meters are a good middle ground, allowing users to create their own passwords but making them stronger.
So there you have it, our guide to improving password security in your organisation. If you would like help choosing the best password manager for your business, or have any other questions, get in touch with the team at Reality Solutions today.
*This article contains general information in order to assist all of our customers and is meant for guidance only – there are no guarantees that the information we provide will be suitable for your particular needs. If you require specific assistance, we recommend that you seek professional guidance on your individual circumstances. Reality Solutions are in no way responsible for any loss or damage arising from any information contained within our articles.
