Weak and compromised passwords are one of the top ways that users, systems, and data are compromised. Think of your online accounts and how much damage a criminal could do to you with access to them. Think about the damage an attacker could do with an administrator account on your network before you become the latest victim of ransomware.
In the meantime, users and businesses are compromised every day because of weak and breached passwords. You hear about password breaches all the time. You can find out if your credentials have been affected by a password breach by checking: https://haveibeenpwned.com/
‘Have I been pwned’ is a site that collects the data from such breaches to allow users to find out if they are affected. At the end of 2019, the total number of compromised accounts in the HIBP database was more than 9 billion, 5,081,613,319 of them in the 10 largest breaches.
Attackers will take the credentials stolen from one service and then use them to attempt to log into other services. This is called credential stuffing, and the consequences can be severe. Do you reuse the same username (probably your email address) and password on more than one site?
Better security measures than passwords are becoming available, like two-factor authentication (2FA), but these approaches have their own problems and they currently don’t work with every site that users may need to log into. So, as a practical matter, most organizations will be stuck with passwords for some time.
The question, then, is what is the most secure—or least insecure, if you prefer—way to use passwords? The answer is to follow best practices, and the only practical way to follow best practices is to use a password manager.
Password best practice
- Choose passwords that would be difficult for others to guess and then don’t update them regularly. A strong password should contain a mix of upper- and lower-case letters, numbers and symbols.
- If users choose strong passwords, then so long as they’re not compromised there is no need to change them. This approach works best when used with a password manager.
- Making password management a chore is a guaranteed way to encourage staff to take shortcuts with passwords and potentially use the same password over and over or write them down. Don’t make password management any more of a hassle than it needs to be.
- Use a password manager like LastPass or RoboForm to simplify the management and administration of passwords. Both LastPass and RoboForm have a free product offering which is quite capable.
- Passwords should not relate to a family member or some other personal fact even if you think no one would know it.
- Secure passwords don’t have to look like “aldskfj83n*^)##”. That password is less resistant to a brute-force attack than the much easier-to-remember “roof14skyred*car”.
- Check the strength of passwords at https://howsecureismypassword.net/. A secure password that can be remembered is particularly important if it’s a “key” password, such as the master password for LastPass or your Windows logon.
- Use a different password for every account/profile – that way if a password is compromised only one account / profile / service is affected – not all.
- Don’t share your passwords with anyone.
Password Manager – Multi-user licensing
Password managers began as, and largely remain, a single-user purchase. But if you are responsible for the security of multiple users within an organisation, you should consider an option that offers some management capability and a volume discount. Many password manager providers offer versions for teams and enterprises.
The main team feature these products provide is the ability to share login information with other users. They probably also allow an administrator to manage users. The administrator may be able to onboard new users, centrally manage shared items and who gets access to them, authorize and deauthorize devices, control access to features in the password manager, and more.
Failed Login Attempt Monitoring
Many Windows applications are susceptible to brute-force password hacking attempts (i.e. trying to identify the user’s password by repeatedly attempting to authenticate with different passwords).
However, applications that use a web portal for authentication frequently do not lock out a user account after a certain number of failed login attempts.
For your on-premises servers, implement failed login attempt monitoring to address this security risk.
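As an added example (not code from the original article), here is a Python sketch of the failed-login monitoring described above, run over constructed portal log lines. The log format, field names and thresholds are assumptions; it flags both a single account accumulating failures (the lockout rule a portal may not enforce) and a single source failing against many accounts (the credential-stuffing pattern mentioned earlier).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample portal auth log (not real data): timestamp, outcome, user, source IP.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z auth FAIL user=alice src=203.0.113.5
2024-05-01T10:00:04Z auth FAIL user=alice src=203.0.113.5
2024-05-01T10:00:09Z auth FAIL user=alice src=203.0.113.5
2024-05-01T10:00:15Z auth FAIL user=alice src=203.0.113.5
2024-05-01T10:00:20Z auth FAIL user=alice src=203.0.113.5
2024-05-01T10:00:25Z auth OK user=alice src=203.0.113.5
2024-05-01T10:01:00Z auth FAIL user=bob src=198.51.100.9
2024-05-01T10:30:00Z auth FAIL user=bob src=198.51.100.9
2024-05-01T10:31:00Z auth FAIL user=carol src=198.51.100.9
2024-05-01T10:32:00Z auth FAIL user=dave src=198.51.100.9
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) auth (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse_line(line):
    m = LINE_RE.match(line)   # None for lines in another format (assumed log layout)
    if not m:
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["result"], m["user"], m["src"]

def find_alerts(log_text, account_threshold=5, spray_threshold=3, window=timedelta(minutes=10)):
    """'account': one user hits account_threshold failures inside window (the lockout
    rule the portal may not enforce). 'source': one IP fails against spray_threshold
    distinct users inside window, the shape of a password-spray or stuffing run."""
    per_user = defaultdict(deque)   # user -> timestamps of recent failures
    per_src = defaultdict(deque)    # src  -> (timestamp, user) of recent failures
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[1] != "FAIL":
            continue
        ts, _, user, src = rec
        q = per_user[user]
        q.append(ts)
        while ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) == account_threshold:   # fire once, when first crossed
            alerts.append(("account", user, ts))
        s = per_src[src]
        s.append((ts, user))
        while ts - s[0][0] > window:
            s.popleft()
        if len({u for _, u in s}) == spray_threshold:
            alerts.append(("source", src, ts))
    return alerts
```

Calling `find_alerts(SAMPLE_LOG)` yields one account alert for alice and one source alert for 198.51.100.9; bob's earlier failure has aged out of the window by the time the spray begins.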