How to Improve Password Security for Your Organization
No one likes passwords. They are difficult to remember, must be updated frequently to remain effective, and can be compromised across multiple accounts if there is a breach. But passwords aren’t just a headache for employees. They can have a significant impact on productivity in organizations that must field IT help desks for password resets and absorb hours of lost productivity when someone is locked out of their accounts. In fact, nearly 20% of employees report lost productivity due to being locked out of their accounts.
But for the foreseeable future, passwords will remain the primary means by which we secure access to accounts, and while they can be effective when used properly, there are several issues that can arise due to improper management and use of passwords by employees. Because of the strict requirements for password creation, the need for regular updates, and the speed with which employees forget their passwords, they are less secure than ever. And with 51% of people using the same passwords for personal and work accounts and 57% of people having already been scammed in some form with phishing attacks, improved security is more important than ever.
Improving Baseline Security Functionality
There are several systematic updates that can help to improve password security, but before discussing those, let’s look at even simpler steps that can help address common weak points in password security.
- Banning Common Passwords – Even after years of password advocacy, the most common passwords in the world remain “password”, “123456” and “qwerty”. By banning these common passwords (and hundreds more from the top password lists), it’s possible to avoid the most basic of attacks.
- Password Validation – When users create passwords, they should meet certain criteria in terms of length, variability in characters, and complexity. This can be measured as the user creates their password to help ensure it is secure.
- Lockout Policies – Setting aggressive but realistic lockout procedures can help reduce the risk of certain types of hacks.
- Password Rotation – By rotating passwords and requiring the use of new phrases every few months, it reduces the risk of a stagnant password that may also be used for personal accounts remaining active for a long period of time.
While these extra steps can help to reduce the risk of unsecured passwords being used for too long, they also increase the risk of passwords being forgotten or written down or saved in places they should not. That’s where a secondary verification level can help.
Adopting Single Sign-On (SSO) & Multi-Factor Authentication (MFA)
Single sign-on (SSO) is an effective way to reduce the number of credentials a user needs to remember. This ensures that their single password is a more secure credential that meets key criteria to protect those accounts. These systems are also able to evaluate the context of sign-on attempts, blocking, or requiring verification when someone logins from a new location or new machine.
SSO alone is a useful security measure, but it’s not enough for complete password security. That’s where multi-factor authentication comes in. This adds a completely separate layer of identity verification that goes beyond the password. Instead of putting all of your security on the shoulders of a single 12-20 character phrase, MFA allows you to implement additional layers such as:
- Additional phrases or PINs – These are secondary layers of phrases or numbers that the user needs to input to confirm their identity.
- Secondary authentication – Most common is the use of a secondary physical device to confirm identity. Mobile authentication via a separate app or SMS text message or delivery of a one-time password to the user’s email can help to further verify log-in attempts.
- Biometric verification – We’re already starting to see this is in mobile devices and laptops that have fingerprint readers, facial recognition, and other biometric verification elements to ensure the identity of the users.
Combined with SSO, or even independent of it, MFA can detect other factors related to a login attempt. If someone is attempting to login to a system from a new location, or through a secondary device that has not been used for authentication before, the system can recognize that and respond accordingly. This also allows for passwords to be saved to limit the need for authentication every time someone accesses an account on the same device from the same location.
The Future of Passwords is in Motion
Account security in large organizations is more important than ever. With millions of small hacks and the vast majority of breaches relating to password security and user error, this is the single most effective way to improve security throughout the enterprise. For those still using passwords as the primary means by which accounts are protected, SSO and MFA offer an effective means by which to ensure account security.
Learn more about Bedroc’s approach to systems and identity services in our eBook about best practices and process improvements to enable better security.