Despite the inherent problems of passwords, most users still interact with their digital identities through them. Therefore, your enterprise must start to develop and adopt password security strategies across the network.
Why Your Enterprise Needs Password Security Strategies
Unfortunately, trusting employees to create strong passwords on their own may no longer serve as a tenable strategy.
According to the Identity Theft Resource Center® and CyberScout® Annual End-of-Year Data Breach Report, hackers continue to target and exploit usernames and passwords for their attacks, especially when users repeat their credentials across multiple accounts. Furthermore, through publicly available personal information, hackers can guess users’ passwords and try them against all of their accounts; after that, it is only a matter of time before they find a weak link.
Adding to these issues, users continue to select and reuse passwords annually rated as (frankly) embarrassingly weak and easily cracked. This distinct problem stems from employee fears of forgetting their passwords.
Password security strategies encourage employees to create unique, non-guessable passwords for their digital identities, thereby keeping them and your business safe. Also, password security strategies help employees remember more complex passwords, breaking their dependence on repeated or simplistic passwords.
What Do Password Security Strategies Entail?
Thankfully, you can embrace password security strategies and identity and access management best practices simultaneously; they’re basically one and the same. Moreover, password security strategies often prove fairly simple to conceptualize. Good places to start include:
- Enacting Multifactor Authentication (MFA). Multifactor authentication takes some of the pressure off passwords to keep identities secure by themselves. Your enterprise can adjust the authentication factors granularly or based on threat intelligence as well.
- Enacting Single Sign-On (SSO). Single Sign-On reduces the number of passwords employees must remember to access their role-relevant resources, therefore reducing stress.
- Mandating unique passwords. Passwords should have no direct affiliation with employees’ personal or professional lives, and optimally should be over 16 characters in length with numbers and punctuation. For example, passwords should avoid birthdays, job titles, or children’s names. Ideally, employees should use a sentence or phrase; “HelloMr.3rown!” could take hackers years to crack, if not decades.
- Deploying a next-gen identity and access management solution with password management capabilities. Password management helps employees remember their passwords automatically through the network and recognized endpoints, geolocations, and time-stamps, reducing the dependence on reused passwords.
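
The password rules in the list above can be enforced at enrollment or password-change time. The following is an added example, not code from the article or from any product it mentions; the function names, the substitution table and the sample data are assumptions made for illustration.

```python
import re
from datetime import date

MIN_LENGTH = 17  # the article recommends "over 16 characters"
# Undo common character substitutions before looking for personal terms.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def _alnum(text):
    """Lower-case the text and drop everything except letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def birthday_variants(d):
    """Digit strings a user is likely to derive from a birth date."""
    y, m, dd = f"{d.year:04d}", f"{d.month:02d}", f"{d.day:02d}"
    return {y, m + dd, dd + m, m + dd + y, dd + m + y, y + m + dd,
            m + dd + y[2:], dd + m + y[2:]}


def check_password(password, personal_terms=(), birthdays=()):
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("length")
    if not any(c.isdigit() for c in password):
        problems.append("no-digit")
    if not any(not c.isalnum() and not c.isspace() for c in password):
        problems.append("no-punctuation")
    # Match terms against the password as typed and with substitutions undone.
    forms = {_alnum(password), _alnum(password.lower().translate(LEET))}
    for term in personal_terms:
        needle = _alnum(term)
        if len(needle) >= 3 and any(needle in form for form in forms):
            problems.append(f"personal-term:{term}")
    # Remove date separators so "04/12/2015" and "04122015" look the same.
    compact = re.sub(r"[\s./-]", "", password)
    for d in birthdays:
        if any(v in compact for v in birthday_variants(d)):
            problems.append(f"birthday:{d.isoformat()}")
    return problems


if __name__ == "__main__":
    # Constructed sample data: a child's name, a job title and a birth date.
    terms, dates = ["Emma", "Sales Manager"], [date(2015, 4, 12)]
    for pw in ["HelloMr.3rown!", "3mm@2015!", "Seven-quiet-herons-cross-at-9!"]:
        print(pw, check_password(pw, terms, dates))
```

The article's sample password is 14 characters long, so the check reports only `length` for it; the disguised child's name and birth year in the second sample are caught despite the character substitutions.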
What Password Security Strategies Do Experts Recommend?
We spoke with identity and access management experts in the wake of the Identity Theft Resource Center® and CyberScout® Annual End-of-Year Data Breach Report. Here’s what they had to say:
Franklyn Jones, CMO, Cequence
“Unfortunately for the bad guys these data breaches are gifts that keep on giving, long after the news headlines fade away. Millions of these stolen credentials find their way to the dark web, where they are acquired by other bad actors who then orchestrate automated bot attacks targeting other websites where those credentials might give them fraudulent access to private accounts. Without proper security safeguards, those automated attacks can be quite successful because people tend to use the same login credentials on multiple sites.”
George Wrenn, CEO, CyberSaint Security
“Due to the complexity of our day to day lives and the technology, processes, and people involved in them, the question of a cybersecurity incident is no longer a matter of ‘if’ but ‘when.’ Cybercriminals are picking up on weak spots that organizations have, and are evolving just as we are at the pace of technical innovation, such that the complexities only continue to accumulate.”
“This is why cybersecurity management must include measurement. Every business function has metrics—not just the finance unit where financial health is concerned, but the HR unit measures employee turnover, marketing, and sales units manage customer adoption… cybersecurity too needs measurement in order to be effective.”
“Without a truly metrics-driven approach when adopting best practices, there is no tangible way to communicate program effectiveness. The only way we can continue to keep up—and more importantly get better at keeping up—with the “bad guys” is if we have an efficient cycle of best practice adoption, measurement, analysis, and remediation that is easily communicable and measurable like any other business function.”
Rod Simmons, VP of Product Strategy, STEALTHbits Technologies
“In situations where a user has a weak password it is an “Aw-shucks” moment for the user; however, the administrators of the system shoulder some of the blame as they allowed the users to be so careless. As an attacker, the more frequently you see an email address used as a primary login method or recovery method, the more apparent it becomes whether that account is critical. If I have access to this email address, I can request password resets.”
“Single Sign-On using technologies like Microsoft Account, Google Account, or Facebook are great for users, as it means there’s one less credential to manage poorly. The problem is once that credential is owned, not only can a bad actor assume your identity any place you have used it, they can use it in new places you are not aware of to assume your identity.”
Thank you to these experts for their time and expertise on password security strategies!