Given the growing sophistication of modern threats, we here at Fortinet often spend time discussing cutting-edge technology and strategies to secure today’s complex, evolving, and highly distributed networks. However, everyday cybersecurity efforts often come down to something much simpler: passwords.
Keep these ten password security best practices in mind to minimize password-based cyber risk when creating new accounts or updating well-used passwords.
1. Multi-factor Authentication – Add an extra layer of security by using multi-factor authentication wherever possible. This confirms your identity by combining multiple different factors, such as something you know and something you have, like a token generator on your smartphone.
2. Unique Passwords – Never repeat the same password for different accounts.
3. Routinely Change Passwords – Change your passphrase at least every three months. This will lock out cyber criminals who may be using your account, protect you from brute force attacks, and remedy the issue caused by cyber criminals who purchase lists of usernames and passwords obtained through data breaches.
4. Maintain Privacy in Public – Ensure no one is watching as you enter passwords.
5. Remain Vigilant When Downloading – Be cautious when downloading files from the internet as they may contain keyloggers or password grabber malware variants that will compromise your password. A good practice is to regularly scan for the presence of such malware.
6. Implement a Cloud-Based Password Manager – Use a cloud-based password manager to enable you to create and store strong passphrases. This is especially important if you require strong passwords for dozens of accounts. Password management tools allow you to securely store an encrypted list of passwords in the cloud that can be accessed from any device. Not only will you need to remember just one password to access your password locker, but the passwords you store there for your various accounts can also be even stronger because you don’t have to remember them.
7. Change Passwords When Leaked – Change any passwords if they are stolen. Cyber adversaries are constantly tweaking their tradecraft to ensure successful intrusions in order to generate consistent revenue and profit. If your password is guessed or stolen, you may never know it happened until anomalous purchases appear in your bank account. And even more challenging, you may not be impacted directly at all. Data accessed by leveraging your compromised account may simply be used to move up the food chain, enabling an attacker to gain access to data and resources managed by someone else.
8. Choose Hard-to-Guess Passwords – Avoid using common words, phrases, and number combinations. Short, simple passwords take fewer resources for hackers to compromise. Some of the most common passwords are baseball and football team names, any variant of 123456789, and QWERTY.
9. Avoid Using Personal Information – Avoid using information linked to your personal identity, including birthdays, phone numbers, or the name of a pet.
10. Don't Use Simple Obfuscation Techniques – Swapping symbols or digits for letters adds little: “P@$$w0rd” is only slightly more difficult to guess than “Password.”
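To show how points 8 through 10 translate into an enforceable check, here is an added example (not Fortinet's code) of a password policy filter that undoes common symbol substitutions before comparing against a blocklist, so “P@$$w0rd” is treated as “password”. The blocklist and the substitution table are constructed for illustration; a real deployment would load a breach-derived list.

```python
import re

# Constructed blocklist; the page names team names, 123456789 variants and
# QWERTY as common choices. A real deployment loads a breach-derived list.
COMMON_PASSWORDS = {
    "password", "123456", "123456789", "qwerty", "iloveyou",
    "yankees", "cowboys", "liverpool",
}

# Symbol-for-letter swaps that "simple obfuscation" relies on, reversed here.
LEET_MAP = str.maketrans({
    "@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
    "4": "a", "5": "s", "7": "t", "!": "i",
})


def normalize(password: str) -> str:
    """Lowercase, drop trailing digits ("password1"), and undo leet swaps."""
    lowered = re.sub(r"\d+$", "", password.lower())
    return lowered.translate(LEET_MAP)


def check_password(password: str, personal_info=()) -> list:
    """Return a list of policy failures; an empty list means acceptable."""
    failures = []
    lowered = password.lower()
    norm = normalize(password)
    if len(password) < 12:
        failures.append("too short (minimum 12 characters)")
    if norm in COMMON_PASSWORDS:
        failures.append("matches a common password after undoing symbol substitutions")
    # Sequential digit runs and keyboard walks are easy for a guesser to enumerate.
    if re.search(r"(?:0123|1234|2345|3456|4567|5678|6789)", password) or "qwerty" in norm:
        failures.append("contains a sequential or keyboard pattern")
    # Personal details (pet name, birth year) are checked against the raw password.
    for item in personal_info:
        if len(item) >= 3 and item.lower() in lowered:
            failures.append(f"contains personal information: {item}")
    return failures
```

Rejecting on the normalized form is what makes the blocklist useful: without it, “P@$$w0rd” and “Password1” both slip past a check that only looks for “password”.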
Implementing a strong passphrase is one of the easiest ways to protect yourself, your devices, and your personal and corporate data from these cyber threats. The basic rule of thumb is that the longer and more complex the password, the more difficult it is to crack. However, unless done carefully, it can also be easier to forget.
According to the Verizon Data Breach Investigations Report, 81% of breaches leveraged stolen and/or weak passwords. That problem is compounded because one of the biggest risks to data security is the reuse of passwords across accounts. Suppose one of your accounts is compromised and your username and password are posted on the dark web. In that case, cybercriminals who know how often passwords are reused will simply begin to plug that information into other possible accounts until they unlock one that uses the exact same credentials.
This is a common risk, as 83% of people have admitted to reusing passwords across multiple sites. Even if you think it is safe to reuse passwords on accounts that don’t house sensitive data, a breach there can be used as an entry point to move laterally across networks in search of critical business data or personally identifiable information (PII).
Physical security of passwords is also important to keep in mind. The average US email address is associated with 130 accounts. With so many passwords to remember, many have admitted to writing passwords down on pieces of paper or keeping a list of passwords in unsecured documents on their computers. These items can easily fall into the wrong hands – whether they are simply lost or compromised in a malware attack.
Insecure or inadequate passwords are an easy target for cybercriminals. Accessing a network using a stolen password is much easier than breaking in through edge security controls. Attackers can uncover or bypass weak passwords using brute force attacks, inject compromised credentials to gain access to user accounts using credential stuffing attacks, or leverage a host of other strategies to hijack user accounts to steal personal or corporate data.
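The two attack patterns named above leave different fingerprints in authentication logs, and telling them apart matters for response (block the source versus lock and reset the targeted account). The following is an added example, not Fortinet's code, that classifies sources from constructed failed-login lines; the log format, thresholds and addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed failed-login records in an assumed one-line format.
# Documentation ranges (TEST-NET) are used for the source addresses.
LOG_LINES = """\
2024-05-02T10:00:01Z auth FAIL user=alice src=203.0.113.7
2024-05-02T10:00:02Z auth FAIL user=bob src=203.0.113.7
2024-05-02T10:00:03Z auth FAIL user=carol src=203.0.113.7
2024-05-02T10:00:04Z auth FAIL user=dave src=203.0.113.7
2024-05-02T10:00:05Z auth FAIL user=erin src=203.0.113.7
2024-05-02T10:00:06Z auth FAIL user=frank src=203.0.113.7
2024-05-02T10:01:00Z auth FAIL user=admin src=198.51.100.9
2024-05-02T10:01:01Z auth FAIL user=admin src=198.51.100.9
2024-05-02T10:01:02Z auth FAIL user=admin src=198.51.100.9
2024-05-02T10:01:03Z auth FAIL user=admin src=198.51.100.9
2024-05-02T10:01:04Z auth FAIL user=admin src=198.51.100.9
2024-05-02T10:01:05Z auth FAIL user=admin src=198.51.100.9
2024-05-02T10:02:00Z auth FAIL user=grace src=192.0.2.44
2024-05-02T10:02:30Z auth FAIL user=grace src=192.0.2.44
"""

LINE_RE = re.compile(r"auth FAIL user=(?P<user>\S+) src=(?P<src>\S+)")


def parse_failures(text):
    """Yield (source_ip, username) for every failed-login line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), m.group("user")


def classify_sources(text, min_failures=5, stuffing_ratio=0.8):
    """Label each source IP by the shape of its failures.
    credential_stuffing: many failures spread across many distinct usernames
      (a leaked username/password list replayed one pair per account).
    brute_force: many failures concentrated on one or a few usernames.
    normal: below the failure threshold (an ordinary mistyped password).
    """
    users_by_src = defaultdict(list)
    for src, user in parse_failures(text):
        users_by_src[src].append(user)
    verdicts = {}
    for src, users in users_by_src.items():
        total, distinct = len(users), len(set(users))
        if total < min_failures:
            verdicts[src] = "normal"
        elif distinct / total >= stuffing_ratio:
            verdicts[src] = "credential_stuffing"
        else:
            verdicts[src] = "brute_force"
    return verdicts
```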
Since 2013, the first Thursday in May has annually been marked as World Password Day. The goal of this day is to promote better cybersecurity hygiene by upgrading easy-to-guess passwords or refreshing older passwords that may have been compromised through some data breach. Think of it as the cyber equivalent of testing and replacing your home smoke detector batteries. Being diligent about creating strong passwords and updating them regularly is the first line of defense in securing both your personal and corporate information. Maintaining strong passwords and having a password strategy you can easily manage—but that others cannot easily guess—is an essential cybersecurity effort in which every employee and individual plays a crucial part.
When it comes to password security, everyone has a role to play in the protection of PII and corporate data. IT teams and stakeholders should review the common risks of weak passwords with their organizations, as well as remind everyone of these best practices. This simple practice can help employees better protect their data while minimizing unintentional insider threats to the organization.