{"id":14261,"date":"2021-03-15T11:00:00","date_gmt":"2021-03-15T15:00:00","guid":{"rendered":"https:\/\/www.thesslstore.com\/blog\/?p=14261"},"modified":"2024-04-16T13:15:24","modified_gmt":"2024-04-16T17:15:24","slug":"password-security-what-your-organization-needs-to-know","status":"publish","type":"post","link":"https:\/\/www.thesslstore.com\/blog\/password-security-what-your-organization-needs-to-know\/","title":{"rendered":"Password Security: What Your Organization Needs to Know"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\" id=\"h-verizon-s-2020-dbir-report-indicates-that-more-than-80-of-hacking-related-breaches-involved-brute-force-or-lost-stolen-credentials-here-s-what-to-know-to-strengthen-your-password-security\"><a href=\"https:\/\/enterprise.verizon.com\/resources\/reports\/dbir\/\">Verizon\u2019s 2020 DBIR report<\/a> indicates that more than 80% of hacking-related breaches involved brute force or lost\/stolen credentials \u2014 here\u2019s what to know to strengthen your password security<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Password security is a must for everyone \u2014 businesses, organizations, and private individuals alike. Yes, I know \u2014 I can already hear the \u201cduh\u201d resounding in your head. But the reason we\u2019re taking the time to write an entire article that\u2019s dedicated to password security is because:<\/p>\n\n\n\n<ol class=\"wp-block-list\" style=\"list-style-type:1\">\n<li><strong>Not enough people take password security seriously.<\/strong> You probably can think of a few people who match this description off the top of your head.<\/li>\n\n\n\n<li><strong>Many people don\u2019t know what constitutes a strong password.<\/strong> There are a lot of different guidelines regarding what\u2019s a good password versus a bad password. 
We\u2019re going to clarify that for you.<\/li>\n\n\n\n<li><strong>There is more to effective password security than just creating strong passwords.<\/strong> Yes, it\u2019s true. Using strong passwords is only one part of the equation. But there are several other important considerations and things you need to do to increase your organization\u2019s password security effectiveness.<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">So, what is password security? What do strong and weak passwords look like? What are the risks associated with not having strong password security for your organization? And what other considerations are there for password security aside from creating strong passwords?<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">We\u2019ll answer these questions and also go over some quick password security tips as well at the end (for those of you who don\u2019t want to read the entire article).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Let\u2019s hash it out.<span id=\"newline\"><\/span><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-what-is-password-security\">What Is Password Security?<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Password security is the combination of policies, processes, and technologies that make passwords and authentication methods more secure. It\u2019s all about knowing how to protect passwords. A password itself is a type of memorized secret authenticator. Basically, it\u2019s something that only you should know that allows you to authenticate yourself to third parties. Other examples of authenticators include cryptographic devices, one-time passwords or PINs, and key access cards.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">But what constitutes strong password security? 
For a password to be considered secure, it must:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Prevent unauthorized users from gaining access to protected systems, information, and data.<\/li>\n\n\n\n<li>Have sufficient complexity so that it\u2019s impractical for someone else to guess or crack.<\/li>\n\n\n\n<li>Be memorable enough that you won\u2019t forget it (after all, what good is a password if you have to reset it continuously?), or be kept in a password manager (which, of course, has its own risks).<\/li>\n\n\n\n<li>Be something that you keep secret and don\u2019t share with anyone else.<\/li>\n\n\n\n<li>Be stored securely and in a way that prevents compromise.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Although passwords weren\u2019t introduced until the 1960s, they have become central to account security and overall cybersecurity for organizations and users alike. But password security accounts for more than just the password itself. It also must speak to the policies, procedures, technologies, and training that protect those passwords and the access they provide. 
For example:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Creating and implementing a computer use policy and\/or a BYOD policy that indicates what accounts may be accessed on which devices, requires the use of a VPN when working remotely or connecting to public Wi-Fi, etc.<\/li>\n\n\n\n<li>Creating and enforcing a password policy that addresses specific password creation, storage, and maintenance requirements.<\/li>\n\n\n\n<li>Providing training and guidance to employees to help them understand the importance of creating a secure password and following password management best practices.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-why-is-password-security-important\">Why Is Password Security Important?<\/h2>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"alignright size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"514\" height=\"541\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/03\/password-security-human-error-threats-1.png\" alt=\"password security graphic that talks about the percentage of IDC survey respondents who say human errors are the leading threats to organizations. 
Features three illustrations of users on their computers, 2 out of 3 of which are colored in an alarming color\" class=\"wp-image-14267\" style=\"width:355px;height:374px\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/03\/password-security-human-error-threats-1.png 514w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/03\/password-security-human-error-threats-1-285x300.png 285w\" sizes=\"auto, (max-width: 514px) 100vw, 514px\" \/><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">Human error is a big issue, and as long as companies employ humans, that issue isn\u2019t going away any time soon. Users are human, and humans make mistakes. (No matter what your mom told you growing up, no one is perfect.) And data from an IDC report underscores that concern.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Data from <a href=\"https:\/\/www.globenewswire.com\/news-release\/2019\/06\/05\/1864469\/0\/en\/SolarWinds-Finds-Insider-Threats-Cited-as-Leading-Cause-of-Security-Incidents.html\">an IDC report<\/a> shows that nearly two-thirds (62%) of their IT- and non-IT 2019 survey respondents indicate that user errors are the leading cyber threat to their businesses. And those employees who posed the greatest level of concern were your everyday, run-of-the-mill users \u2014 not the executives or those with any unique or special access privileges. &nbsp;&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">If users can\u2019t remember their passwords, this results in them having to reset their passwords. The estimated costs that are associated with resetting passwords are significant at scale. Forrester Research shared years ago that the costs associated with an individual password reset come to about $70. Now, multiply that by the number of requested password resets your IT team receives per year.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Sure, you can potentially reduce costs by automating the password reset process. 
But you\u2019ll still run into the issues of users creating simple passwords and sharing passwords.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">What are some other key considerations when it comes to the importance of password security?<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-regulatory-compliance-concerns\">Regulatory Compliance Concerns<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Compliance is an area that should be on the radar of all applicable organizations. There are multiple regulations and regulatory bodies requiring organizations to meet specific standards for identity authentication and data protection. There are also other organizations that set standards and provide guidance that companies and other organizations can follow. These include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The National Institute of Standards and Technology (NIST) \u2014 a set of standards\/guidelines that don\u2019t require compliance.<\/li>\n\n\n\n<li>Payment Card Industry Data Security Standard (PCI DSS) \u2014 regulations that require compliance.<\/li>\n\n\n\n<li>General Data Protection Regulation (GDPR) \u2014 legislation that requires compliance.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Non-compliance issues can have lots of effects on a business or organization, ranging from operational impacts to financial ones. Let\u2019s quickly go over some of these considerations.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-nist\">NIST<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">Okay, although NIST\u2019s guidelines are requirements for U.S. federal government-affiliated agencies and entities, they provide great recommendations and standards for other organizations to follow as well when it comes to securely storing password-related data. 
(No compliance is required for non-federal agencies.)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Let\u2019s consider the identity guidelines NIST published in their special publication <a href=\"https:\/\/pages.nist.gov\/800-63-3\/sp800-63b.html\">SP 800-63B Digital Identity Guidelines<\/a>. In section 5.1.1.2, which is on the topic of protecting and storing memorized secret verifiers (i.e., passwords), they recommend allowing users to paste passwords. The practice of <a href=\"https:\/\/www.thesslstore.com\/blog\/nist-password-pasting\/\">password pasting<\/a> was perceived to be a bad thing, but many in the cybersecurity community viewed it as a good thing because it encouraged users to use longer passwords that are harder to remember. (Whereas if you disable password pasting, people are more likely to use shorter passwords that are easier to type.)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In that same section, NIST also shares the following guidance regarding how passwords are stored:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\"><em>\u201cVerifiers SHALL store memorized secrets in a form that is resistant to offline attacks. Memorized secrets SHALL be salted and hashed using a suitable one-way key derivation function. Key derivation functions take a password, a salt, and a cost factor as inputs then generate a password hash. Their purpose is to make each password guessing trial by an attacker who has obtained a password hash file expensive and therefore the cost of a guessing attack high or prohibitive.\u201d<\/em><\/p>\n<\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">A hash is a one-way cryptographic function that\u2019s essentially irreversible. 
By adding a unique <a href=\"https:\/\/www.thesslstore.com\/blog\/difference-encryption-hashing-salting\/\">salt<\/a> to a password prior to hashing it, what you accomplish is creating a completely unique hash value for every password \u2014 even if users are using the same password.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Let\u2019s say you have two users using the same password <strong>SpockR0ck$KirksSocks.<\/strong> (Note: don\u2019t actually use this as your password. I\u2019m just giving you an example here!) If you were to hash that password for user one, then you\u2019d wind up with an identical hash digest (hash value) for user two. The way to ensure that doesn\u2019t happen is to add a salt, which is a random and unique value. For example, a salt could be something like <strong>uSEt3hF0rceHaRRy<\/strong>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Let\u2019s take a look at how the process works for adding a salt to your password prior to hashing it in the following infographic: &nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"198\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/03\/password-security-salt-password-hashing-1024x198.png\" alt=\"Password security infographic that serves as a diagram to showcase where salting fits into the password hashing process. 
\" class=\"wp-image-14265\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/03\/password-security-salt-password-hashing-1024x198.png 1024w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/03\/password-security-salt-password-hashing-300x58.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/03\/password-security-salt-password-hashing-768x148.png 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/03\/password-security-salt-password-hashing.png 1353w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">A fun password security illustration that breaks down where salting comes into play in the password hashing process.<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">So, the key takeaway here is that salting a password prior to hashing it makes cracking the password hash too costly (i.e., impractical) for cybercriminals to achieve at scale. So, this means that hash tables and <a href=\"https:\/\/www.thesslstore.com\/blog\/rainbow-tables-a-path-to-password-gold-for-cybercriminals\/\">rainbow table attacks<\/a> don\u2019t work on salted passwords.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Cool, good to know. And we\u2019ll speak more to hashing and salting a little later in this article. But for now, let\u2019s continue on with our list of compliance-related considerations.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-pci-dss\">PCI DSS<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">Let\u2019s consider the <a href=\"https:\/\/www.pcisecuritystandards.org\/documents\/PCI_DSS_v3-2-1.pdf\">Payment Card Industry Data Security Standard<\/a>, or what\u2019s known as PCI DSS. 
This regulation is outlined by the <a href=\"https:\/\/www.pcisecuritystandards.org\/pci_security\/\">PCI Security Standards Council<\/a>, the founding members of which include the five major credit card companies (VISA, Mastercard, American Express, Discover, and JCB International). If your organization accepts online credit card payments or handles payment card-related data, then heads up \u2014 this is for you.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">PCI DSS has a total of 12 requirements that organizations and businesses that handle this type of data must adhere to. And <a href=\"https:\/\/www.thesslstore.com\/blog\/demystifying-pci-dss-compliance\/\">PCI DSS compliance<\/a> applies to any businesses globally that handle this type of data \u2014 it\u2019s not just applicable to U.S. companies.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">If your organization is non-compliant with any of the PCI data security requirements, then you could face significant fees. However, those fees won\u2019t come from the council itself \u2014 instead, they\u2019ll be imposed by the card companies themselves. And we\u2019re not talking chump change here, either. PCI non-compliance can result in fines ranging from $5,000 to all the way up to $100,000 <em>per month<\/em> \u2014 and each individual credit card company could impose those penalties. So, the overall total may actually be higher!<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A $5,000 penalty for a large corporation might seem like very little, but it could make or break small businesses. However, the specific amount of a penalty depends on a few key factors, including your organization&#8217;s size and the severity of your non-compliance. So, a large corporation would face much larger penalties than mom-and-pop businesses that are non-compliant. &nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Wondering why we\u2019re talking about payment card-related data in an article on password security? Here\u2019s why. 
PCI DSS requirement 8 focuses on identity and authentication. As you can imagine, this section speaks to password security.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The most recent version of the data security standard (version 3.2.1) says that the effectiveness of passwords boils down to an authentication system\u2019s design and implementation. In particular, \u201chow frequently password attempts can be made by an attacker, and the security methods to protect user passwords at the point of entry, during transmission, and while in storage.\u201d<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The Payment Card Industry Data Security Standard (PCI DSS) requirement 8.2.1 says the following:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\"><em>\u201cUsing strong cryptography, render all authentication credentials (such as passwords\/phrases) unreadable during transmission and storage on all system components.\u201d<\/em><\/p>\n<\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">This speaks to the importance of using cryptographic processes to secure data and following password storage best practices. Of course, we\u2019ll speak more to that a bit later.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-gdpr\">GDPR<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">Alright, let\u2019s jump across the pond for a few moments and take a look at the European Union\u2019s General Data Protection Regulation.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Passwords aren\u2019t specifically mentioned in the <a href=\"https:\/\/www.thesslstore.com\/blog\/ccpa-vs-gdpr-what-you-need-to-know-about-these-data-privacy-laws\/\">GDPR<\/a>. 
But something that is mentioned for data processors in <a href=\"https:\/\/gdpr-info.eu\/art-28-gdpr\/\">GDPR article 28<\/a> is that they need to demonstrate \u201cappropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.\u201d Likewise, <a href=\"https:\/\/gdpr-info.eu\/art-25-gdpr\/\">article 25<\/a> specifies that the controller (the person who decides what data is processed and how) must also implement such safeguards so as to protect the rights of the data subject.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">So, to translate, this statement means that organizations involved in the processing of personal data of covered individuals must have certain security measures in place to protect the data they handle. Of course, implementing strong password policies and procedures would be a no-brainer for inclusion in \u201cappropriate technical and organizational measures.\u201d After all, using strong and unique passwords is considered a cybersecurity industry best practice.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Non-compliance with GDPR\u2019s requirements may result in hefty <a href=\"https:\/\/gdpr-info.eu\/art-83-gdpr\/\">administrative fines<\/a>. 
For example, <a href=\"https:\/\/gdpr-info.eu\/art-83-gdpr\/\">infringements of such provisions<\/a> could result in \u201cfines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.\u201d<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-other-cost-considerations\">Other Cost Considerations<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">We mentioned earlier that insecure passwords and poor password management practices are associated with higher risks of <a href=\"https:\/\/www.thesslstore.com\/blog\/10-types-of-phishing-attacks-and-phishing-scams\/\">phishing attacks<\/a> and data breaches. Let\u2019s just give you a few quick examples of what we meant by that:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>The adjusted average cost of BEC\/EAC surpasses $1.7 billion.<\/strong> The <a href=\"https:\/\/www.ic3.gov\/Media\/PDF\/AnnualReport\/2019_IC3Report.pdf\">FBI\u2019s Internet Crime Complaint Center<\/a> (IC3) shared in their 2019 report that the estimated average adjusted costs relating to business email compromise\/email account compromise is $1,776,549,688. To put that in perspective, that\u2019s more than the $1.5 billion in estimated costs that <a href=\"https:\/\/www.ncdc.noaa.gov\/billions\/events.pdf\">NOAA attributes to Tropical Storm Eta<\/a> (a storm that affected residents in multiple states in the southeastern U.S.) in November 2020. Please, do yourself a favor and implement <a href=\"https:\/\/www.thesslstore.com\/blog\/6-email-security-best-practices-to-keep-your-business-safe-in-2019\/\">email security best practices<\/a> within your organization now.<\/li>\n\n\n\n<li><strong>The average cost of a data breach in the U.S. is $8.64 million.<\/strong> IBM and the Ponemon Institute reported in their <a href=\"https:\/\/www.ibm.com\/security\/data-breach\">2020 Cost of a Data Breach Report<\/a> that the U.S. 
leads the rest of the world in terms of having the highest average costs stemming from data breaches. Definitely not the kind of \u201cleading\u201d we like to do here! Considering we already mentioned that 80% of hacking-related breaches involved brute force or lost\/stolen credentials (courtesy of Verizon\u2019s 2020 DBIR report), it\u2019s easy to recognize that poor password security is an obvious contributing factor that leads to those steep costs.<\/li>\n\n\n\n<li><strong>The compromise of Twitter\u2019s top verified user accounts in July 2020 was linked to credential compromise.<\/strong> A <a href=\"https:\/\/blog.twitter.com\/en_us\/topics\/company\/2020\/an-update-on-our-security-incident.html\">Twitter employee was the target of a social engineering attack<\/a> that led to their credentials being used to target and compromise 130 verified accounts (including those owned by icons like Elon Musk, Barack Obama, Joe Biden, and Bill Gates). The goal? To scam users with fake promises of Bitcoin. <a href=\"https:\/\/www.dfs.ny.gov\/Twitter_Report\">New York State\u2019s Department of Financial Services<\/a> (NY DFS) estimates losses to victims as the result of this scam are $118,000 in Bitcoin.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-examples-of-weak-passwords\">Examples of Weak Passwords<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">It\u2019s true that bad passwords come in all shapes and sizes. But many of them tend to include a few common ingredients: commonly used words, typing patterns, common names (kids, significant others, etc.), dates of significance (such as birth dates and anniversaries), etc.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">So, what are the most commonly used passwords? 
Here\u2019s a list of the world\u2019s 10 most commonly used passwords, <a href=\"https:\/\/cybernews.com\/best-password-managers\/most-common-passwords\/\">according to CyberNews<\/a>:<\/p>\n\n\n\n<ol class=\"wp-block-list\" style=\"list-style-type:1\">\n<li>123456<\/li>\n\n\n\n<li>123456789<\/li>\n\n\n\n<li>qwerty<\/li>\n\n\n\n<li>password<\/li>\n\n\n\n<li>12345<\/li>\n\n\n\n<li>qwerty123<\/li>\n\n\n\n<li>1q2w3e<\/li>\n\n\n\n<li>12345678<\/li>\n\n\n\n<li>111111<\/li>\n\n\n\n<li>1234567890<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">How not only pitiful but utterly terrifying is that list? It would maybe be a little understandable if this group was a list of passwords created by preschoolers. But this list is of the 10 most common passwords for users worldwide! (And, no doubt, the preschoolers\u2019 passwords would likely be more creative.)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">So, why are people using such basic and easy-to-guess passwords? Frankly, it boils down to people allowing convenience to outweigh security. It\u2019s a lot easier to remember a password like \u201c123456\u201d than it is to remember a more complex password like \u201cX89*2nkc_1m74WeF.\u201d But this is where making longer passphrases can be really useful. 
I\u2019m sure you\u2019d agree that creating and remembering a unique lengthy passphrase like \u201cSunshineFLOWERSBuildGreatScents\u201d is a lot easier than remembering \u201cX89*2nkc_1m74WeF\u201d while still being more secure than \u201c123456.\u201d<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This is why using lengthy passphrases is the best of both worlds: it offers greater complexity that thwarts cybercriminals while still being easy enough for forgetful users to remember.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-5-components-of-strong-password-security\">5 Components of Strong Password Security<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">What are some of the key considerations of strong passwords that can help you avoid falling prey to <a href=\"https:\/\/www.thesslstore.com\/blog\/dont-let-these-password-cracking-attacks-catch-you-off-guard\/\">password cracking attacks<\/a>?<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-1-password-length-complexity\">1. Password Length &amp; Complexity<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Common knowledge indicates that passwords should be a minimum of 12 characters, use uppercase and lowercase letters, and have some random numbers and special symbols thrown into the mix. But the long-accepted wisdom that complex passwords are more secure comes with an important little caveat: a complex password isn\u2019t useful if you can\u2019t remember it.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Of course, one option is to use a password manager. But there is risk associated with that depending on how well those password management organizations protect those passwords. You\u2019re essentially putting all of your eggs in one basket, which is fine so long as the organizations take the proper steps to protect your password data. 
(For example, password managers shouldn\u2019t store any of your password data on their servers (only password hashes) and all of your other data you share with them should be encrypted anyhow.) <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">But if password management companies don\u2019t do what they\u2019re supposed to do on their end in terms of providing strong password security, it leaves your passwords \u2014 and you \u2014 at risk.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This is where the idea of passphrases comes into play. The FBI\u2019s resource <a href=\"https:\/\/www.fbi.gov\/investigate\/counterintelligence\/foreign-influence\/protected-voices\">Protected Voices<\/a> recommends the use of passphrases over traditional passwords. Here, the emphasis is on the length of passphrases that you\u2019ll remember instead of focusing more on the complexity of passwords you\u2019re virtually guaranteed to forget. They\u2019ve even taken to Twitter to address the issue of password length over complexity.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"669\" height=\"515\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/03\/fbi-tweet-password-security.png\" alt=\"A screenshot of an FBI Twitter post emphasizing passphrases over complex passwords.\" class=\"wp-image-14266\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/03\/fbi-tweet-password-security.png 669w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/03\/fbi-tweet-password-security-300x231.png 300w\" sizes=\"auto, (max-width: 669px) 100vw, 669px\" \/><figcaption class=\"wp-element-caption\"><a href=\"https:\/\/twitter.com\/FBI\/status\/1314581496074833921\">A screenshot from the FBI\u2019s official Twitter account<\/a> that talks about the importance of using long passphrases in lieu of complex passwords as part of password security efforts.<\/figcaption><\/figure>\n\n\n\n<p 
class=\"wp-block-paragraph\">But what makes passphrases complicated enough that they\u2019re impractical for cybercriminals to crack?<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>They need to contain multiple words (ideally, at least four).<\/li>\n\n\n\n<li>The words should be uncommon (you can look up the most commonly used words on <a href=\"https:\/\/www.oxfordlearnersdictionaries.com\/us\/wordlists\/oxford3000-5000\">Oxford 3000 and 5000<\/a>).<\/li>\n\n\n\n<li>Avoid \u201cl33t\u201d spellings of words (those are easy for cyberriminals to figure out by replacing letters with common numbers and symbols, like \u201cH0use\u201d instead of \u201cHouse\u201d or \u201cG@m3r\u201d instead of \u201cGamer\u201d).<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Check out this great video from the YouTube channel Computerphile that talks about password complexity and length:<\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"How to Choose a Password - Computerphile\" width=\"960\" height=\"540\" src=\"https:\/\/www.youtube.com\/embed\/3NjQ9b3pgIg?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-2-require-users-to-create-unique-passwords-for-every-account\">2. Require Users to Create Unique Passwords for Every Account<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">People love doing what\u2019s easy and reusing the same password over and over again is precisely that. As you know, though, recycling passwords is an obvious password security faux pas. 
But don\u2019t just tell people that they need to use unique passwords \u2014 actually <em>make them do it<\/em> by implementing unique password requirements.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">If a user tries to create a new password that has X% of the same alphanumeric characters, either in the same order or in reverse, block the credential change from occurring. Also, make it part of your password security policy that users must create unique passwords for every account and never share them with anyone else.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-3-keep-passwords-secure\">3. Keep Passwords Secure<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">You can also recommend using an approved password manager to help them keep all of their passwords secure. The advantage of using a password manager is that:<\/p>\n\n\n\n<ol class=\"wp-block-list\" style=\"list-style-type:1\">\n<li>It allows you to have as complex a set of passwords as you want for all of your accounts, but<\/li>\n\n\n\n<li>You only have to remember a single password \u2014 or what\u2019s known as the master password.<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">Some people choose to keep password books. While this is better than using insecure or easy-to-guess passwords, it\u2019s only good if you have a way to keep that book secure. (Otherwise, it\u2019s still a major vulnerability.) This means that you want to keep it securely locked up when not in use, and you probably won\u2019t want to bring it with you if you spend a lot of time on the go. Heaven forbid you forget it or accidentally leave it somewhere!<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-4-using-common-password-lists-to-your-advantage\">4. Using Common Password Lists to Your Advantage<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Okay, so knowing that there are lists of compromised passwords available on the internet and the dark web (both for purchase and for free) really sucks. 
But the good news is that you can turn a negative into a positive by using those lists in a way that improves your organization\u2019s password security.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">You can use these lists as blacklists of passwords that your users are not allowed to choose when creating or updating their account passwords. Doing so also helps you keep password spraying attacks from being successful, because users can no longer pick passwords that appear on common password lists or breached password lists.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-5-implementing-secure-password-storage-best-practices\">5. Implementing Secure Password Storage Best Practices<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">A critical bit of knowledge is that you should never, under any circumstances, save passwords in plaintext format. Not only is it a bad practice, but it also leaves you vulnerable to cyber attacks.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">With this in mind, a password security best practice is to add a unique <a href=\"https:\/\/www.thesslstore.com\/blog\/difference-encryption-hashing-salting\/\">salt<\/a> to each password prior to hashing it. This way, every hash value is truly unique even if separate users are using the same password. And, again, salting your hash \u2014 I mean, before you hash \u2014 is an effective way to prevent brute force attacks and rainbow table attacks.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-there-s-an-alternative-to-traditional-password-security\">There\u2019s an Alternative to Traditional Password Security\u2026<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Okay, so there are a lot of things that go into having strong password security. But what if you could take one thing out of the equation, making password security easy for users and more manageable for your IT security team? 
This is where passwordless security (i.e., passwordless authentication) comes into play.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Passwordless authentication<\/strong> is exactly what the name implies: it\u2019s security without the use of passwords. Choosing to implement passwordless security for your organization is more liberating than going commando for kilt wearers \u2014 it makes things easy-breezy for users but doesn\u2019t leave you at risk of accidental exposure. (We\u2019re talking about password exposure, of course \u2014 get your mind out of the gutter.)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Now, there are a few ways you can go about rolling out passwordless authentication. One option is to use multi-factor authentication (MFA). The other is known as certificate-based authentication or PKI-based authentication.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-multi-factor-authentication-mfa\">Multi-Factor Authentication (MFA)<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Multi-factor authentication offers advantages for businesses that want to make their authentication measures more secure. This type of mechanism requires you to provide two or more types of information:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Something you know (such as a password or PIN).<\/li>\n\n\n\n<li>Something you have (this could be a smartphone app, a CAC card, a key or token).<\/li>\n\n\n\n<li>Something you are (a biometric such as a fingerprint, retinal scan, facial scan or even a voice sample).<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">However, it\u2019s not bulletproof in terms of withstanding many attack methods that bad guys love to use. It\u2019s better than using nothing, right? Eh, that may be true. 
But the <a href=\"https:\/\/info.publicintelligence.net\/FBI-CircumventingMultiFactorAuthentication.pdf\">FBI warns<\/a> that cybercriminals use social engineering and technical methods to circumvent MFA protections.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">But what other passwordless security options are there? One of the most effective ways to secure your account without the use of a traditional password is through the use of public key infrastructure. This is known as <a href=\"https:\/\/www.thesslstore.com\/blog\/put-your-risk-on-mute-using-pki-to-simplify-remote-workforce-security\/\">certificate-based authentication<\/a> or PKI-based authentication.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-certificate-based-authentication\">Certificate-Based Authentication<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">PKI-based authentication methods are more secure than traditional MFA methods. <a href=\"https:\/\/www.thesslstore.com\/blog\/what-is-pki-a-crash-course-on-public-key-infrastructure-pki\/\">Public key infrastructure<\/a> is the foundation of internet security; it\u2019s the framework of cryptographic technologies, systems, processes and policies that make secure communications possible via an incredibly insecure channel (i.e., the internet).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Certificate-based device authentication uses PKI digital certificates in conjunction with trusted platform modules (TPMs). The way it works is that you install a digital certificate onto a user\u2019s machine that ties the identity of an organization or individual to that device. This provides client authentication by having your device authenticate itself to the server without you ever having to type in a password. 
<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The advantages of PKI-based passwordless authentication include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Users no longer have to create or memorize difficult passwords.<\/strong> Because the certificates are what authenticate users, no passwords are required.<\/li>\n\n\n\n<li><strong>You don\u2019t have to worry about improper password hash storage.<\/strong> Don\u2019t want to deal with the hassle and risks associated with storing password hashes on servers? Then don\u2019t \u2014 eliminate the risk by doing away with passwords altogether.<\/li>\n\n\n\n<li><strong>Not falling prey to phishing and other credential attacks.<\/strong> If you\u2019re using certificate-based authentication, you don\u2019t have to worry about someone phishing your employees\u2019 login credentials and passwords because they don\u2019t have them anymore.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-tl-dr-6-password-security-tips-you-can-implement-now\">TL;DR: 6 Password Security Tips You Can Implement Now<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">As you\u2019ve learned, password security isn\u2019t a one-size-fits-all approach. And there are a lot of moving parts when it comes to making password-based authentication more secure. But here are a few quick tips you can use to make your password security more effective:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Don\u2019t share your login information with other users.<\/strong> This is password rule #1. Your password is <em>your password<\/em> and should never be shared with anyone else. Even if you carefully craft a strong password, it doesn\u2019t mean that your password will remain secure if you share it with someone.<\/li>\n\n\n\n<li><strong>Never recycle old passwords or use the same password across multiple accounts.<\/strong> A common mistake that many users make is reusing passwords on an account or across multiple accounts. 
The danger here is that if that password becomes compromised due to a data breach, phishing attack, or another factor, any other account using that password is at risk of compromise as well.<\/li>\n\n\n\n<li><strong>Use lengthy passphrases instead of overly complex (and hard-to-remember) passwords.<\/strong> We already talked about this earlier. But to quickly recap, a lengthy passphrase is easier for users to remember than a complex password. This makes a password more effective for users who don\u2019t rely on password managers.<\/li>\n\n\n\n<li><strong>Block users from using passwords that you can find on breach lists. <\/strong>For the love of all that\u2019s good in this world, stop users from using credentials that can be found on public data breach lists!<\/li>\n\n\n\n<li><strong>Ensure that your organization properly stores its password hashes.<\/strong> There is never, ever a reason to store passwords in plaintext format. Only password hashes should be stored, and even then, each password should be salted prior to being hashed. This will not only make passwords resistant to brute force attacks, but it also makes them resistant to rainbow table attacks.<\/li>\n\n\n\n<li><strong>Get rid of cumbersome and risky passwords altogether.<\/strong> Why leave yourself at risk when you have another more secure method of authentication (PKI-based authentication) at your disposal? 
<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Verizon\u2019s 2020 DBIR report indicates that more than 80% of hacking-related breaches involved brute force or lost\/stolen credentials \u2014 here\u2019s what to know to strengthen your password security Password security&#8230;<\/p>\n","protected":false},"author":17,"featured_media":14268,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":"","tve_updated_post":"","tve_custom_css":"","tve_user_custom_css":"","tve_globals":{},"tcb2_ready":0,"tcb_editor_enabled":0,"tve_landing_page":"","_tve_header":"","_tve_footer":""},"categories":[16],"tags":[13118,2726],"class_list":["post-14261","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hashing-out-cyber-security","tag-password-security","tag-passwords","post-with-tags"],"views":32111,"jetpack_featured_media_url":"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/03\/password-security-login-screen-feature.jpg","_links":{"self":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/14261","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/users\/17"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/comments?post=14261"}],"version-history":[{"count":0,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/14261\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media\/14268"}],"wp:attachment":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media?parent=14261"}],"wp:term":[{"taxonomy":"category"
,"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/categories?post=14261"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/tags?post=14261"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}