Many security and IT professionals consider passwords to be the weakest link in their company’s defenses – and that’s for a good reason. The lack of strong passwords, a failure to change (or rotate) passwords on a regular basis, human error and the most significant flaw — password reuse — are among the main issues. Passwords are frequently the first line of defense. They are a defense for the endpoint – the workstation, laptop or smartphone where you start your workday. This is your first point of contact with your organization’s system and, if compromised, it is an attacker’s first point of entry as well. A compromised endpoint is the first step in an attack, so any flaw in its security defenses is serious.
Because of this, many companies are looking for a way to kill the password once and for all. Google just initiated a “passwordless” pilot program that provides remote access to their employees. Microsoft already declared “an end to the era of the password” at its 2018 Ignite Conference. Yahoo tried to kill the password back in 2015 with their “Account key,” which was a push feature.
Think about the most common types of attacks we see today – sophisticated phishing and spear phishing attacks, brute force attacks, social engineering and malware exfiltration attacks. They all have one thing in common. Every single one of these attacks is trying to steal someone’s password – more specifically, privileged credentials.
It’s not surprising that there have been any number of attempts to replace the password and a few of these – such as biometrics-based approaches like facial recognition and fingerprint scans – have seen some adoption. While these innovative alternatives will be adopted over time, it is going to take some time before we reach a passwordless nirvana.
Here are some of the best practices for IT admins and security teams to make sure end-user passwords are not compromised in the meantime.
Fact: Every single character you add in your password increases the difficulty for hackers to crack it.
Use a strong password – Strong passwords contain several different types of characters and, consequently, require more effort and time for an attacker to crack. Passwords should contain at least 10 characters and include a combination of character types, such as commas, percent signs and parentheses, as well as upper-case and lower-case letters and numbers.
Fact: More than half of IT professionals reuse passwords across five or more accounts.[1]
Use a unique password for each service and account – If you re-use passwords on multiple sites or accounts, then even if your password is long and complex enough, all it takes is for one of those accounts to be compromised to make all of your other accounts vulnerable.
Fact: Multi-factor authentication provides an extra layer of security that is hard for attackers to crack.
Use multi-factor authentication – This means that multiple types of authentication – not just a password – are required to unlock the account. The first part of the authentication process requires something the user knows, like a password. The other part involves something the user has rather than something they know, such as a one-time code sent to their mobile phone by authentication software or generated by a designated application on the phone.
This code becomes the other half of your login authentication. Now, even if attackers manage to get your password, without the other part of the authentication they still don’t have access to your account.
Fact: Rotating local admin passwords reduces risk at the endpoints.
Address the risk of local admin accounts on workstations – Weak passwords and end users with local admin rights on their workstations represent a significant security risk for organizations. Many attacks start on endpoints, where attackers initially gain access through a phishing attack or when an employee inadvertently downloads and executes a malicious application.
In many cases, an attacker’s aim is to compromise the privileged credentials that reside on workstations. Privileged credentials – such as admin rights – can allow attackers to move laterally until they obtain credentials to systems holding sensitive PII or intellectual property. To reduce this risk, as a first step, organizations should rotate local admin credentials (including the OS built-in local account) on a periodic basis. Over time, organizations should consider removing local admin rights from end-user workstations altogether to further reduce the risk of attacks from the endpoint.
[1] Ponemon Institute, “The 2019 State of Password and Authentication Security Behaviors Report,” January 2019.