Five useful tips on improving password security in your organization
(Last updated on September 28, 2020)
Password-related breaches are on the list of the most popular attacks along with malware infection and social engineering. According to Verizon, almost 80% of all the breaches are connected with compromised credentials or weak passwords.
While it’s a generally accepted rule to avoid passwords, like “Password”, “qwerty123”, or birthdays, many people fail to do so. Such a behavior can be particularly damaging for an organization. Depending on the user role, sensitive company data is at risk. Not speaking of being a pain for system administrators who have to deal with user access.
Here’s how you can improve the password security in your company.
Proper personnel training
No matter what innovative protection algorithms are used in your company, if your staff keeps passwords in a text doc on the desktop, or even worse on a sheet of paper, all other security measures are doomed to fail. That’s why it’s critical to invest in cybersecurity training to teach your personnel the basics of information protection, including proper password management tools where they would have to remember just one passphrase and the software would do the rest to keep all the passwords protected.
Passwords strength requirement
Apart from the widely used complexity requirements (minimum number of characters, upper- and lower-case letters, as well as special symbols and numbers), it’s necessary to consider more complex password policies within Active Directory. These include maximum password age to force users to regularly change their passwords, ensuring proper data encryption so that even during the breach the data remains safe, and storing the password history to encourage passwords different from the previously used ones. More on these AD policies can be found here.
Brute-force attacks aim at guessing passwords by trying different popular combinations as well as dictionary attacks (searching correct combination by existing dictionary words). Despite the best security practices, people still opt for simpler passwords that increase chances for successful breaches. The best way for avoiding it is automatic lockdown for logins after several failed attempts as well as the IP address block if the failed attempts continue. It can be done in AD as well as in different corporate resources.
Profiles deactivation during employee attrition
According to a recent study on password usage, 50% of accounts in a company are stale, which increases the risks of unauthorized use of corporate resources. Even if the departure was mutually agreed, better to be safe than sorry and change all the shared passwords right away after the last working day. The ideal variant would be to avoid using shared passwords as much as possible. Still, there are some cases when it’s not inevitable. The same goes for immediate deactivation of the user’s profile. This practice would help to protect from sensitive data exposure as well as minimize the usage of your resources in someone’s personal interest (selling data for competitors or blackmailing the company).
Additional protection layers
Unfortunately, passwords today cannot be fully replaced by alternative authentication methods such as 2FA, where users would have to confirm their login via codes sent to their emails or phones, or using an even more secure way such as OTP, aka one-time passwords that are changing every minute. Including these methods where possible minimizes the risks of successful login even when a password leakage occurs.
While complex security measures include other steps such as VPN protection for internal resources, trusted firewalls, and anti-malware software, passwords management plays a significant role in system protection. Using these tips in everyday administration management will help to minimize the number of successful breaches connected to weak passwords, thus increasing the integrity of the overall system.