92% of UK businesses experienced a cyberattack in the last 12 months

(Keeper 2021 UK Cybersecurity Census)

In this age of hacking and cyber-terrorism, your company's data is a target. And it doesn't take much for a hacker to break into a network and wreak havoc. The stakes are high. What do you need to know about password security?

This blog post will cover (almost) everything that those with responsibility for IT should know about passwords - from the basics to the latest trends in protection. We'll give you all the information necessary so that you can make informed decisions when it comes to protecting your company's assets from hackers and other threats.

While this guide is aimed at those responsible for an organisation’s IT security it’ll hopefully be useful to anyone interested in password security or those just trying to understand why so much emphasis is put on their company’s IT security policy.

23,000,000 account-holders in the UK use the password “123456”

(Nord Pass, 2020)

Why password security is important

65% of UK businesses relaxed their cybersecurity polices during the pandemic

(Keeper 2021 UK Cybersecurity Census)

Hopefully this will be pretty obvious so I won’t go on about it, but it can’t hurt to briefly run through it again…

Passwords have been with us for a very long time and will likely be with us for quite a while longer. Despite their obvious flaws, they’re still ubiquitous.

Passwords and usernames/email addresses (credentials) are often the first line of defence between your organisation’s sensitive data and the army of cyber-criminals trying to access it.

Gaining access to precious corporate data using credentials found via social engineering (mechanisms such as phishing and smishing) is still the most common cause of data breaches.

The risks to your organisation of a data breach are not only related to the sensitivity of your data were it to get into the wrong hands. With the rise of ransomware, you also need to consider the implications of losing access to your own data.

Weak passwords and poor password security can effectively leave the door open to cyber-criminals so if IT security is your responsibility you can’t really afford to ignore it! It’s also one of the simplest things to fix in the often highly complex world of IT security.

It takes less than a second to crack 8 of the top 10 most used passwords

(Nord Pass, 2020)

How to improve password security

29% of adults worldwide rotate between 5 and 10 different passwords

(Proofpoint, 2020)

There are lots of ways to increase the password security of your organisation. Some of them require quite a bit of technical knowledge to implement but there are also some pretty simple ones too. Most of them are relatively cheap to implement, at least compared to the potential cost of a security breach!

What does a strong password look like?

A relatively fundamental thing is to first understand what makes a good password.

A strong password follows a couple of simple rules. It should:

1. Be of a sensible minimum length
2. Contain a mix of lowercase and uppercase letters, numbers and symbols

A password of 15 numbers can be cracked in around 6 hours.

(howsecureismypassword.net)

A minimum of 16 characters is usually recommended for a secure password which should take at least 2 days to crack in a brute-force attack. If it contains a mix of upper and lower-case letters, numbers and symbols it’ll take up to 1 trillion years!

Ideally the restrictions placed on a password should be flexible enough to accommodate different types of passwords. For example, some people may find a password made up of a few random words easier to remember than a much shorter string of random characters. If a password is of significant length, the use of special characters becomes less relevant. An 18-character password of just lower-case letters will take around 23 million years to crack!

All of this may not seem relevant if you are going to implement a password manager but remember each user will still need a secure master password.

Data from https://howsecureismypassword.net/

“password” is the 4th most common password used

(Nord Pass 2020)

Password managers

16% of adults worldwide use the same one or two passwords for all accounts

(Proofpoint, 2020)

In case you’re not aware, password managers are SaaS products that manage the ever-increasing list of credentials most of us use in our working (and personal) lives.

When it comes to password managers, something is better than nothing. A basic password manager will mean that you don’t have to remember your credentials and in-built password generators can easily generate new secure passwords when required.

These days they will also often tell you if your credentials have been leaked in a security breach and prompt you to change the related password.

There are plenty of password management options out there, but they generally fall into two categories:

In-browser password managers

Although browser-based password managers are improving, they generally don’t have a lot of the really useful features of many 3rd party products.

They often have significant disadvantages over 3rd party products such as the fact that they lock you in to a particular browser. If you regularly switch browsers, for example if you use Chrome on Windows and Safari on your iPhone this kind of solution probably won’t work for you.

There are other features that you usually miss out on when using a browser-based password manager which are covered in the next section:

3rd party password managers

• Cross platform and browser

If you're going to use a password manager you really want one you can use across all your devices. It's a pain finding you've generated a highly secure, reandom password, saved it to your password manager but can't access it on your phone!

• Ability to share passwords

Despite it generally being bad practice, it may be necessary to have some passwords which are shared. For instance passwords for emergency accounts. Password managers often come with the ability to share credentials between accounts, often without even revealing the password to the person you're sharing it with, maintaining security.

• Auditable

Many of these platforms allow managers to audit their team's use of the software, seeing if they're reusing passwords, have insecure passwords, or even if they're not using the software at all!

• Enforcement policies/rules

Many rules can be specified which maintain a level of security. For example, prohibiting exporting data, or the reuse of master passwords, or requiring a unique master password.

• Share credentials across sites

Credentials that are used across multiple sites can have their credentials easily shared without creating duplicates.

• Add notes

It may be useful to be able to add notes to accounts, for instance if an account requires a password which needs to be quoted over the phone.

• One-click change of credentials

Some password managers allow the credentials for specific sites to be changed with a single click.

NOTE: It’s worth mentioning that a password manager is only as secure as the master password used to access it. So, it’s really important that if your organisation uses a password management solution you set out some clear rules around master passwords, or even better, setup rules to enforce those policies.

These should include policies like:

• No re-use of master passwords
• Master passwords shouldn’t be written down
• Master passwords should have minimum complexity rules making them more difficult to crack
• MFA should be mandatory on password management tools

In a recent Microsoft Twitter poll, one in five people reported they would rather accidentally “reply all”—which can be monumentally embarrassing—than reset a password.

Multi-factor authentication (MFA)

20% of remote workers in the UK use their work email and password to log into consumer websites and apps

(Proofpoint, 2020)

This is the second most important step in securing your users’ logins and is usually pretty simple to implement. It’s also sometimes referred to as two-factor authentication (2FA).

The way this works is by requiring at least two authentication mechanisms (factors) before granting access to a resource. This means the user must be in possession of not just the relevant credentials, but also another piece of information which is not easily accessed.

Username/password credentials are usually the first factor and the 2nd factor can be one of a few things. The most common 2nd factors are:

• An SMS message with a unique code
• An email with a unique code
• A unique code generated by an app (usually on a mobile phone)
• A USB or NFC hardware device the user has access to
• Biometric verification from a mobile device (e.g. facial recognition or a fingerprint scanner)

A lot of security-conscious software will have MFA built-in these days. In some cases it’ll just be a matter of turning on this feature. However, it’s becoming more common to have this feature turned on by default, or even mandatory given how much additional protection it can give.

MFA setup can be more complicated depending upon the types of factor supported. Some users can also find It a bit of a pain as it can require registering a separate device and can often increase the time it takes to login to a system. However, given the significantly increased level of security and peace of mind MFA can give to those with responsibility for an organisation’s security it’s often worth the trouble.

Single sign-on

88% of consumers across the world use the same password for more than one account

(Auth0, 2021)

Single sign-on (SSO) enables your users to use a single password to access multiple accounts.

The primary benefit of SSO to your users is that the number of credentials they need is reduced. There are also multiple benefits to your organisation of this approach.

The idea is that you allow a single provider to manage the login for multiple systems. For example, if you use Microsoft Active Directory (AD), you can use this solution to grant your users access to other corporate resources. These can be any corporate resources that support SSO, such as Google, Apple, Salesforce, Zoom and plenty of others.

This takes a bit of setting up but once you get the hang of it it’s not too difficult, and importantly it saves your users hassle and increases security.

An additional benefit of SSO is that if your user forgets their password, or leaves, IT have a single place to reset the password or disable the user account.

Having a single mechanism of authentication for multiple systems also makes user onboarding and offboarding significantly simpler for obvious reasons.

Passwordless authentication

“123456” is the most common password in use

(Nord Pass 2020)

The death of the password has been predicted from as far back as 2004 by Bill Gates, and it’s been predicted many times by many others since then.

However, it’s not until relatively recently that major authentication providers have embraced passwordless technologies.

Passwordless login is similar to MFA in the sense that it uses multiple factors to authenticate a user. The key difference is that it doesn’t require a password. It usually uses public-key cryptography to identify and authenticate a user. Basically, this means that the user provides their public identifier (email address, phone number, or username) and at least one other factor (containing their private key) to identify and authenticate them.

Significantly, in March 2021 Microsoft made passwordless sign-in generally available to commercial users. They have since (September 2021) made passwordless sign-in generally available to all users.

This may well signal the beginning of the end of the road for passwords, we’ll have to wait and see! Either way, passwords will certainly be with us for a while longer.

64% of UK organisations that have experienced a cyberattack in the last 12 months have between 1 and 100 employees

(Keeper 2021 UK Cybersecurity Census)