Take IAM Seriously! Implement Password Best Practices!


We here at Solutions Review have previously discussed the upcoming death of passwords as an authentication factor and the advent of new authentication factors like biometrics, geofencing, and hard tokens. However, even though we fervently believe that future is on the way, our conversations with identity and access management (IAM) experts and our research suggest that passwords are here to stay.

We all know that passwords are incredibly unpopular. Users have to memorize dozens if not hundreds of them just to get by in daily digital life. They are often lost or forgotten. Hackers can easily steal, guess, or crack them. They’re incredibly insecure as an identity authentication factor. But they are also ubiquitous, widely understood, and easy to implement.

Since your enterprise will probably have to deal with passwords for the foreseeable future, you need to make sure you and your employees are following password best practices! Here are the password best practices your enterprise should implement, train, and (to the best of your ability) enforce among your employees:

Never Allow Users to Write Down Passwords

This should be common sense. There are too many stories of unscrupulous individuals in the analog world discovering the password they need on a sticky note by an employee’s endpoint.

Your enterprise should be ensuring employees aren’t engaging in this blatant cybersecurity violation: managers should be on the lookout for this behavior and should require that employees stop.

But the principle against writing down passwords applies equally to digital documents, whether saved on-premises or in the cloud. Neither is as safe as employees believe; if a hacker has infiltrated your network or cloud platform, they could easily steal and exploit these passwords. If saved on a shared drive, insider threats could obtain valuable credentials with minimal effort.

Show your employees just how dangerous writing down passwords can be, and instead encourage them to create distinct passwords they will be sure to remember (although, as we will discuss, they should not create easily crackable passwords).

Also, to facilitate password best practices, your enterprise should implement single sign-on via its IAM solution. This will significantly reduce the number of times your employees have to log in to their various accounts and the number of passwords they have to remember.

In cases of proprietary databases or assets, you can always implement multifactor authentication to secure those sections of the network against non-privileged employees. Finally, if your employees are truly struggling with remembering their passwords, implementing a password manager integrated with or as a part of your IAM can really help.

Mandate Strong Passwords

Perhaps this is the heart of the issue.

Did you know that users still use “password1234” as their password? It’s one of the most common and most commonly hacked passwords, born of users’ fears of forgetting their passwords and their wish to simply meet password requirements for numbers or character limits. It’s almost funny.

Now ask yourself this: how many of your employees are using passwords like this, easily guessed and cracked, on your network and databases? Suddenly it becomes far, far less amusing.

As part of your employee cybersecurity training, show them the most commonly used and easily discovered passwords (here’s a resource we’ve found). Tell them why these passwords are insufficient, and if possible, ban them from your networks (talk to your IAM solution provider to see if they can enforce this digitally). Password best practices need to be something understood by all of your employees so they can be internalized in their daily digital behaviors. Otherwise, they might hear you…and may not listen.
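The kind of deny-list check the post asks your IAM provider about, as an added example that is not part of the original article: the deny-list below is a constructed sample of a few entries, and the length limit and the leet-speak mapping are assumptions chosen for illustration. It catches not only “password1234” itself but the trivial variants (“P@ssw0rd1234!”, “Welcome2024”) users type to satisfy complexity rules.

```python
import re
import unicodedata
from typing import List, Set

# Constructed sample deny-list for this example. A real deployment would load a
# full list of commonly used or breached passwords instead of these few entries.
COMMON_PASSWORDS: Set[str] = {
    "password", "password1234", "123456", "qwerty", "letmein", "welcome",
}

# Substitutions users make to satisfy complexity rules while keeping a weak base
# word; mapping them back lets the check catch variants such as "P@ssw0rd1234!".
LEET_MAP = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s"})

# Digits and punctuation at either end ("Welcome2024", "!!qwerty") are stripped
# before comparison; characters in the middle of the word are kept.
EDGE_NOISE = re.compile(r"^[\W\d_]+|[\W\d_]+$")


def normalize(password: str) -> str:
    """Reduce a candidate password to the weak base word it is built on."""
    base = unicodedata.normalize("NFKC", password).casefold()
    base = EDGE_NOISE.sub("", base)
    return base.translate(LEET_MAP)


def check_password(password: str, deny_list: Set[str] = COMMON_PASSWORDS,
                   min_length: int = 12) -> List[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    # Compare both the raw (case-folded) password and its normalized base word.
    if password.casefold() in deny_list or normalize(password) in deny_list:
        problems.append("matches a commonly used password or a trivial variant of one")
    return problems


if __name__ == "__main__":
    for candidate in ["password1234", "P@ssw0rd1234!", "Welcome2024", "correct horse battery staple"]:
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```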

Foster a Zero-Trust Culture

In identity and access management, we use the term “zero-trust” to describe how enterprises should never simply believe that users are who they say they are until they authenticate their identity extensively.

It’s one of the most crucial processes in modern identity management, but it is also the basis of a vital cultural shift many enterprises need to embrace. Password best practices require that your users’ passwords remain individual and secret unless absolutely necessary. Your enterprise should forbid employees from sharing their passwords with each other, in part because the transfer of passwords could open up new attack vectors and increase the risk of a potential insider threat, whether intentional or not.

Employees should also demonstrate zero-trust toward any website, institution, or even fellow employee that asks for their password. You must train your employees to always be suspicious of other people asking for passwords and to recognize potential phishing attacks. If the employee has doubts (and perhaps even if they don’t), they should contact the inquiring institution directly and determine why they are asking for the password…if it really is them.

Make Password Best Practices Part of Employees’ Duties

Here’s the secret to great enterprise-level cybersecurity: everyone needs to be involved in it. It isn’t just an issue for your CISO or your cybersecurity team. Every employee is involved in your IT perimeter, which means that a mistake by one of them could affect your entire enterprise.

Therefore, make sure you stress that password best practices aren’t just a technical concern. They are a day-to-day responsibility that employees need to perform alongside their other tasks. Make it a part of performance reviews and employee evaluations. Continually reinforce password best practices in training sessions and in daily communications.

The digital marketplace is one of the most rewarding ever conceived. Don’t leave yourself prey to the pickpockets between the stalls.

Ben Canner