Passwords have become a part of day-to-day life for almost everyone. We use them as our digital safe codes, protecting our data, money, personal information and accounts. As cyber criminals continue to develop new tactics to exploit digital identities and critical information, the importance of protecting our digital assets and ensuring strong password security becomes more critical than ever. As we mark World Password Day, it’s time to reflect on this cornerstone of cybersecurity and see what can be done to protect your organization’s security.
The increasing sophistication of cyber threats has made it clear that password security is not just about creating a strong password; it’s about fostering a culture of security that permeates every level of an organization. While the old rules stay true, and being aware of where you store your password, or being wary of entering it on unsecure sites such as those not secured with certificates from a Certificate Authority or through untrusted networks, it’s important to pay attention to the more involved evolutions of security and the threats they represent.
Ensuring Password Hygiene at Your Organization
The first step towards stronger passwords is ensuring a culture of strong password hygiene in an organization. Password hygiene is the practice of selecting, managing and maintaining strong passwords to protect accounts and systems from cybercriminals.
This includes, but is not limited to:
- Password Creation – ensuring they are not obvious, common, or easy to hack. The most common password is still 123456, according to NordPass, and can be cracked in less than a second. The longer a password is, the better too – password length affects the time it takes to crack it exponentially, and a longer password with a mix of special characters and numbers is much less likely to be breached through brute force attacks.
- Account Variation – selecting unique passwords - 13% of users reuse the same password for every account, and 52% reuse a password for some accounts. Password reuse can make it easy for individual accounts to be breached, since once a password is exposed on one account, it effectively gives access to all of them
- Password Security – It’s important to keep personal passwords private, no matter who you’re speaking to. It’s worth remembering that even if you know the person you’re entrusting with that information, and they don’t have any malicious intent, any digital communication is under some risk of being intercepted and read, such as through unsecured email
Bad password hygiene can lead to costly consequences such as data breaches or Denial of Service (DoS) attacks. It is important that security administrators routinely invest time and resources to educating users on the importance of password hygiene, as this can go far to mitigate the effects of a breach.
How can Passwords be Compromised?
It’s first important to acknowledge the ways in which a password can be compromised to begin with. When looking to access secure information, there’s a few methods hackers are likely to try – the most common being the following:
- A Brute Force Attack: An attacker will use trial-and-error to try and guess the correct combination for login information, encryption keys or hidden webpage, generally through a generative system. There are many variations of brute force attacks but generally, these systems will often guess common password names first and test a variety of variations to get through. If you use a password with 6 characters or less, this can be done in a matter of hours, or even instantly if your password is simple.
- Phishing Attacks: An attacker claims to be from a reputable company to gain access to sensitive and confidential data, or to deploy malicious software such as ransomware. Phishing attacks are one of the leading causes of companies’ suffering data breaches, as they are difficult to prevent, relying on employee awareness and education.
- Credential Stuffing: A bad actor takes credentials obtained from a previous data breach and attempts to login to another service. The odds are that an individual email has been compromised in some form of data breach in the past, which can open the door for further access to other accounts tied to that address should the password be similar or the same.
A suitable password, that follows basic password hygiene to make sure it’s not easy to breach can help prevent a lot of data loss in your organization, but it’s still not foolproof – in the UK, half of businesses reported having experienced some sort of cyber security breach in 2023. So, if password awareness alone isn’t sufficient, what can you rely on?
What is Hashing?
Hashing is taking an input and then converting it into a randomized string of an identical length. Hashes allow you to conceal the extent and information contained in the original input value. This enables you to verify data and secure your passwords against different types of attacks.
For example certain DoS attack methods, such as dictionary attacks, which look for specific words frequently used in passwords , are ineffective against hashed passwords because the password input becomes randomized by the hash. Hashes can also be used for the secure storage of cryptocurrency because they can add another layer of encryption to passwords used for your crypto wallet accounts.
Password Salting
Password salting is used in conjunction with hashing. When you salt a password, you add random integers and strings to every password before you hash it. A salt is a randomized, considerably large value, which is generated when you use a secure random number generator or random bit generator. Salts get stored with each password hash value on your server, thus creating unique hash values for passwords.
Combining Salting and Hashing
Salted password hashes are more secure than plaintext passwords or unsalted hashes because they combine the strength of salting with the resilience of hashing. Hackers won’t be able to look through your database for passwords or their corresponding hash values that coincide with common or shared passwords. Plus, salted password hashes are too impractical and unwieldy to determine on a case-by-case basis.
It’s essential that bad actors can’t discern the salt that has been used, so they must be unique and randomly generated before they’re hashed. The goal is to create a hash that would be too difficult to calculate each password using individual salts.
This prevents bad actors from utilizing scripts and AI to crack your hashes and salted passwords. This can be used to make your databases even more secure, and when combined with the security of a Multi-factor authenticator, make it extremely difficult to breach an account.
Multi-Factor Authentication (MFA)
Creating strong passwords is important, but that can still leave you or your organization vulnerable regardless, and even the strongest passwords can be susceptible to being compromised. Competent passwords are those that are long and complex, with a combined use of letters, numbers, cases and special characters, but even these are not enough to prevent attackers alone. Organizations should implement Multi-Factor Authentication to provide strong digital security.
It heightens the security of your systems to ensure that a breach is almost impossible from most sources. Microsoft estimates that MFA can block 99.9% of account compromise attacks. Using an MFA is the best defense that you can use to prevent breaches, and should be on any organizations top priorities when managing their security.
Keeping Your Passwords Secure
In light of the ever-increasing threats to cybersecurity, it’s important to recognize that safeguarding passwords is not a one-time endeavor but an ongoing commitment to security. It takes a holistic approach to account security to ensure that organizations can bolster their defenses against cyber threats, and continue safeguarding the integrity and confidentiality of their digital assets.
In the ever-evolving realm of digital identity and security, our passwords are just one layer of security between your organization and a potential breach. Password protection requires good organization security education, a culture of vigilance and a proactive approach to security practices. As we look to the future, let World Password Day serve as a reminder of the pivotal role that robust password security plays in safeguarding our digital world.
Improve Your Password Security With Multi-Factor Authentication