More than half of all data breaches happen because of weak passwords.
Bad passwords are a headache for any system administrator whose users are allowed to set or change them. At the same time, weak password management is a pain for the company as a whole, since malefactors are constantly on the lookout for weaknesses they can exploit. And while you might be sure that your passwords are bulletproof and your management system is unbreachable, a single password written down on a desk or exposed through an exploit can be the cause of costly downtime for your company. So even if you are confident that both your passwords and your system are strong, you should still check whether your passwords have been compromised and whether your users understand the basics of IT security.
In this guide, we will tell you everything you need to know about password security and management, starting from how you actually know that your passwords have been compromised, up to tips and tricks to make your passwords bulletproof.
How to Know Your Credentials Were Compromised
As we've already said, you cannot be sure of the security of your passwords, unless you perform a security audit from time to time. Here are the best tips for such an audit:
- Log your network activity and check it. The most obvious sign that your passwords have been breached is users logging in from unusual geographical locations or at unusual times. For example, if you know that Steven has just left the workplace and will not be back until tomorrow, but at the same time you see him logging in from the south of China at 3 in the morning, it's probably not Steven. The best thing to do in such a case is to change the compromised login and password and block the suspicious range of IP addresses. If the login attempt was successful, there is a chance that your network is under attack; in that case you should isolate it and run a full security check for ransomware or other malware activity.
- Login attempts with outdated credentials. Sometimes users forget that they have new login information and try to enter the network using old credentials. But, oftentimes, such activity means that your passwords have leaked and malefactors are trying to gain access to your system by rotating through different sets of credentials.
- One of your solution vendors was breached. Every so often, a big vendor's database is breached, resulting in hundreds of thousands, if not millions, of stolen user records. So you should carefully monitor news about vendor breaches. If your vendor's data has leaked, it's time to change your credentials for that app or platform.
- Suspicious activity. You or your users may notice sent emails that nobody intended to send. That is a clear sign that someone is inside your network.
- Have I Been Pwned? This website provides information on email addresses and phone numbers that were exposed in data breaches. It stores over 11 billion records. So, it's a good idea to bookmark that website and check your domains every so often.
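The first two audit tips above (logins at an odd hour or from an unexpected country, and bursts of failed logins that reuse retired credentials) are easy to turn into a script that runs over an authentication log. The following is an added example, not code from the article: the log format, the per-user country baseline, the business-hours range and every log line are constructed for the demonstration, and a real deployment would learn the baseline from weeks of history and pull events from the identity provider's audit trail.

```python
"""Added example: audit a login log for the two patterns described above.
The log format, baseline and all records are constructed for this example."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log, one event per line:
# ISO timestamp | user | source IP | country | outcome
SAMPLE_LOG = """\
2024-03-04T09:12:41 steven 203.0.113.10 DE success
2024-03-04T17:58:03 steven 203.0.113.10 DE success
2024-03-05T03:02:17 steven 198.51.100.77 CN success
2024-03-05T03:05:44 alice 198.51.100.77 CN failure:old_password
2024-03-05T03:05:51 alice 198.51.100.77 CN failure:old_password
2024-03-05T03:06:02 alice 198.51.100.77 CN failure:old_password
2024-03-05T03:06:20 alice 198.51.100.77 CN failure:old_password
2024-03-05T08:30:00 alice 203.0.113.22 DE success
"""

# Assumed per-user baseline: countries each user normally logs in from.
EXPECTED_COUNTRIES = {"steven": {"DE"}, "alice": {"DE"}}
BUSINESS_HOURS = range(7, 20)   # 07:00 to 19:59 local time (assumption)
STALE_CRED_THRESHOLD = 3        # old-credential failures per (user, IP)


def parse_log(text):
    """Turn the whitespace-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, outcome = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "country": country, "outcome": outcome})
    return events


def flag_unusual_logins(events):
    """Successful logins outside business hours or from an unexpected country."""
    findings = []
    for e in events:
        if e["outcome"] != "success":
            continue
        reasons = []
        if e["country"] not in EXPECTED_COUNTRIES.get(e["user"], set()):
            reasons.append("unexpected_country")
        if e["ts"].hour not in BUSINESS_HOURS:
            reasons.append("off_hours")
        if reasons:
            findings.append((e["user"], e["ip"], tuple(reasons)))
    return findings


def flag_stale_credential_bursts(events):
    """(user, IP) pairs that retried retired credentials at least
    STALE_CRED_THRESHOLD times: the rotation pattern described above."""
    counts = defaultdict(int)
    for e in events:
        if e["outcome"] == "failure:old_password":
            counts[(e["user"], e["ip"])] += 1
    return sorted(k for k, n in counts.items() if n >= STALE_CRED_THRESHOLD)


def suspicious_ips(events):
    """Source IPs behind any unusual login or stale-credential burst;
    these are the candidates for a temporary block."""
    ips = {ip for _, ip, _ in flag_unusual_logins(events)}
    ips |= {ip for _, ip in flag_stale_credential_bursts(events)}
    return sorted(ips)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in flag_unusual_logins(evs):
        print("unusual login:", f)
    for f in flag_stale_credential_bursts(evs):
        print("stale-credential burst:", f)
    print("block candidates:", suspicious_ips(evs))
```

Steven's 03:02 login from CN trips both the country and the off-hours rule, and the four old-password failures for alice from the same address are reported as a burst, so that one IP ends up as the block candidate while alice's later in-hours login from the office range is left alone.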
How to Ensure Password Strength
A password should be strong enough to protect you against any type of brute-force attack. Here is a recipe for a good password:
- Has 8 characters or more;
- Includes upper and lower case;
- Includes numbers and special characters.
And here are a couple of things you should not do, as a rule, when creating any password:
- Do not use a word or a phrase;
- Do not use a name, address, login, website name, etc.;
- Do not use misspelled words.
Remember that you should stick to all these rules to be sure that your password is strong. Here are a couple of examples of good passwords:
- 1e&awY90*!28nJ}lLqW
- dGE(4nwlVYsw@2
- y0Ur4@w!ZaaR!)h*rR\/
Quick tip – any modern browser can help you generate a secure password. There are also a number of online tools that will generate a password of a chosen length and character set for you.
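The recipe above is mechanical enough to enforce in code, and a strength check is more useful when it also asks whether the password already appears in a known breach. The following is an added example, not code from the article: `check_policy` implements the six rules listed above (the word list and the personal details it checks against are constructed stand-ins for a real dictionary and the user's own name or login), and `sha1_prefix_suffix` plus `breach_count_from_range` implement the k-anonymity lookup used by Have I Been Pwned's Pwned Passwords range API, where only the first five hex characters of the password's SHA-1 hash leave the machine and the rest is compared locally against the returned list. The range response below is constructed so the example runs offline; against the real service you would fetch it for the prefix.

```python
"""Added example: enforce the password recipe above and do an offline
k-anonymity breach check. Word list, personal details and the range
response are constructed for this example."""
import hashlib
import re

# Constructed: a tiny stand-in for a real dictionary / leaked-word list.
COMMON_WORDS = {"password", "welcome", "summer", "company", "letmein"}


def check_policy(password, personal=()):
    """Return the list of rules the password violates (empty = passes).
    `personal` holds strings such as the user's name or login (assumed)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("missing upper or lower case")
    if not re.search(r"\d", password):
        problems.append("missing a digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("missing a special character")
    lowered = password.lower()
    # A word with digits or symbols bolted on is still a word.
    stripped = re.sub(r"[^a-z]", "", lowered)
    if stripped in COMMON_WORDS or lowered in COMMON_WORDS:
        problems.append("based on a dictionary word")
    for item in personal:
        if item and item.lower() in lowered:
            problems.append(f"contains personal detail '{item}'")
    return problems


def sha1_prefix_suffix(password):
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is
    sent to the range API and the 35-char suffix that is compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count_from_range(suffix, range_body):
    """Parse a range response (lines of SUFFIX:COUNT) and return how many
    times our suffix was seen in breaches, 0 if it is absent."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        line_suffix, _, count = line.partition(":")
        if line_suffix == suffix:
            return int(count)
    return 0


# Constructed range response in the shape the real API returns for a prefix.
# It lists the test password's suffix as seen 1234 times (made up) plus
# two unrelated suffixes, so the lookup can be exercised offline.
_PWNED_PREFIX, _PWNED_SUFFIX = sha1_prefix_suffix("Welcome123!")
FAKE_RANGE_RESPONSE = "\n".join([
    "0" * 34 + "A:7",
    f"{_PWNED_SUFFIX}:1234",
    "F" * 35 + ":2",
])


if __name__ == "__main__":
    for pw in ["1e&awY90*!28nJ}lLqW", "Welcome123!", "steven2024"]:
        print(pw, "->", check_policy(pw, personal=["steven"]) or "passes")
    prefix, suffix = sha1_prefix_suffix("Welcome123!")
    seen = breach_count_from_range(suffix, FAKE_RANGE_RESPONSE)
    print("send prefix", prefix, "to the range API; suffix seen", seen, "times")
```

Note that "Welcome123!" satisfies every character-class rule and still fails, because stripping the digits and symbol leaves a dictionary word; that is exactly the "do not use a word or a phrase" rule, and it is the case a checker that only counts character classes gets wrong.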
Top Password Protection Tips
Passwords should be not only strong but also well protected. To be sure that your passwords themselves are kept in a safe place, use a password manager. Such a tool typically allows you to securely store, share, and modify your passwords. You can even set it up so that your users never know what their passwords are, once the manager is installed on their devices.
Secondly, in the modern security space, even a well-protected password is not considered safe unless you add a second authentication method. For example, before entering an application or a system you receive a verification push or another type of message on your personal device. That might seem cumbersome, but an extra 20 seconds spent at login can save you days spent on recovery after a successful attack.
Further reading: Two-Factor Authentication: Solutions, Methods, Best Practices
Password Mistakes You Should Be Aware Of
Sometimes, good examples will not be of much help when you need to deal with your users. They tend to find the most unusual ways to undermine your perfect password protection strategy. If you notice those patterns, you should immediately let your users know that such behavior typically leads to data breaches or other serious consequences.
Here is a list of such patterns and mistakes:
- Storing passwords in public. Here, “public” stands for any unprotected place, either physical or virtual, where your users might store their passwords – a sticky note on the desk, a spreadsheet, a reminder in an email, etc.
- Password sharing. Oftentimes, you just have to share a password. Think of a policy that will involve your password manager, or other encrypted ways to share data.
- Obvious password hints. Sometimes your users will create password hints that either duplicate the password itself or make it easy to deduce. That's really amusing and very dangerous.
- Saving passwords on public devices. It might turn out that one of your users needs to check their email while on vacation. This should not be allowed by the corporate security policy, since there's no way of protecting an unfamiliar browser on some random PC.
Don't Trust. Verify
Even if you have a perfect password policy and employ great and secure tools at work, you should provide your users with security training from time to time. No matter what, they will find ways to breach your policies and leave themselves unprotected – not always to harm the company, but sometimes out of sheer laziness, to make things easier for themselves.