October is Cybersecurity Awareness Month, and this year’s theme is See Yourself in Cyber, which focuses on the individual’s role in cybersecurity. While cybersecurity can feel complex and inaccessible to the average person, the reality is that everyone has a role to play in security, from executives, to the IT team, to end users. To help you empower everyone in your organization to do their part regarding cybersecurity, we’re resurfacing this article, Best Practices for IT Password Security. Read on to learn how to ensure your organization’s credentials provide the lowest possible risk of compromise by bad actors.
It’s safe to say: IT has a password problem.
Gartner reports that as much as 50% of help desk calls are just password resets. Meanwhile, insecure passwords are leading to more high-profile breaches than ever before. Password protection and management is something that we’re highly in tune with here at JumpCloud, where security via our cloud directory platform is our bread and butter. And thankfully, there are some amazing tools out there today that can make password management much easier and more secure.
Password management has a few components. The first step is contextualizing the breadth and depth of the problem. Then, it’s all about implementing password protection best practices to secure your organizational resources without interfering with your employees’ user experience. In this article, we’ll walk through common password mistakes, the best practices to combat them, and how to simplify your management complexity.
Common Password Mistakes
Simply put, cybercriminals have evolved to be smarter about how they acquire user credentials, but our business environments have not evolved to properly defend against them. According to Specops’s 2022 Weak Passwords Report, 54% of organizations don’t even have a tool to manage work passwords. And, you can’t leave it up to users to secure their own credentials. Most employees reuse passwords for work and home, and make their passwords deliberately easy to remember – which also means they’re easy to guess.
Using Common Passwords
Common password credentials are often the first ones bad actors attempt during brute force attacks. They’ll find these password lists on breached password dumps, and systematically enter them until one works.
According to CNBC, the 10 most common passwords leaked in 2022 were:
These passwords are not only easy to guess; most of them are also very short, and have very little complexity, with no special characters. Many of them don’t even have a mix of both letters and numbers, and none of them are personalized to the user.
Using Overly Simple Passwords
You can’t just opt for a password that isn’t lazy and obvious. You must also add layers of complexity with a combination of long-chain letters, numbers, and special characters. It used to be that using over eight characters in a password was enough to deter most cybercriminals, but this is no longer the case. In fact, 93% of brute force password attacks in 2022 used passwords with over 8 characters, and 41% used over 12 characters.
According to Specops, the 10 most common 12-character plus passwords in 2022 were:
- ^_^$$wanniMaBI:: 1433 vl
- [email protected]#
- [email protected]$$W0rd0123
- [email protected]
- [email protected]#
- [email protected]#$
This report shows that even IT admins can easily fall into the trap of using common (but technically more complex) passwords.
Reusing Passwords on Multiple Applications
Without a password manager to securely store login credentials, many users resort to reusing passwords, simply so they can remember them. According to Google’s Online Security Survey, 52% of users reuse the same passwords for multiple accounts, and 13% use the same password for all their accounts.
Using the same password repeatedly significantly widens the attack surface. A compromise of just one resource – even something as innocuous as a social media or retail account login – can lead to compromise of company resources, too.
Password Management Best Practices
Password management issues may be widespread, but that doesn’t mean your organization is destined to become the next victim of a cyber attack. Next, we’ll give you a few best practices to implement in order to better secure your users’ passwords.
Create a Password Policy – and Enforce It.
Design a detailed password policy all employees and user identities must follow to gain access to company resources. A modern cloud directory platform like JumpCloud makes this easy by creating password requirement policies based on your specifications. Here’s some examples of what should be included in your policy.
- Specify a required length: In the world of passwords, size does count. Eight characters is no longer enough, and based on Specops’ resource, 12 characters are quickly becoming too simplified as well. We recommend 18+ characters in a password.
- Require a range of characters: Make each password require a mix of lowercase, uppercase, numbers, and special characters.
- Don’t allow words: It’s a lot easier to guess a password if it includes your name, your kid’s name, your pet’s name, or a common phrase. Eliminate this risk by allowing no recognizable words in your passwords. Instead, encourage employees to create acronym strings to make passwords that are hard to crack, but easy to remember. For example, if you want to use the song lyrics, “For those about to rock, we salute you,” make it part of your password by using “ftatrwsy”. If you can add in a phrase with numbers, that could be “too good to be true” (2g2bt).
- Don’t allow reuse: Ensure your password setting system can identify if a password has been used previously on the site, and do not allow employees to reuse these old credentials.
Require Passwords Across Devices and Applications
Regardless of whether it’s a company laptop, an employee’s email on a personal device, an iPad, or even a BYOD cell phone, if a device is configured to connect to company resources, it must be protected with a complex password.
Some organizations still have their heads in the sand about the breadth of password requirements. They allow BYOD without creating a policy around it or gaining control of the devices. Don’t neglect the need for passwords on networks, routers, mobile devices, and for all apps in use. You don’t want the next lost cell phone to lead to the next big breach.
Note: check out our guide to some of the best practices in BYOD.
Do Not Use the Same Password for Multiple Accounts
What happens when a CEO uses the same password for accessing a confidential business network that they use for their social media pages? Just ask the 6.5 million users who were hacked on LinkedIn. It’s “never going to happen to you”… until it does. Be smart and don’t ever mix business and personal credentials. Automatic password rotation can enforce this company-wide.
Implement Regular Password Rotation
Use a password manager to require the regular changing of passwords. Required password rotation is essential to staying one step ahead of potential hackers.
Some systems require rotation but then allow a user to just switch back and forth between two passwords. Ultimately, this subverts the goal of password rotation. JumpCloud’s platform catches this issue and allows admins to eliminate previous passwords as an option. This allows IT to set a number of previous passwords back that a user cannot use when rotating.
Require Multi-factor Authentication
Starting to get the sense that a passphrase alone isn’t enough to secure your network and resources? You’re right. In today’s day and age, even the most complex passwords aren’t foolproof.
For the utmost in security, pair your detailed password policies with multi-factor authentication (MFA). MFA combines something a user knows (typically, the traditional username and password) with something they have (like a biometric verification, or a push notification or key sent to a private phone). When paired with a strong password, MFA makes it much, much more difficult for the wrong person to access your business resources.
Educate Your Staff on Social Engineering and “Phishing” Attacks
Your staff is much more likely to comply with your company policies if they understand why they’re necessary. Once you’ve shared the policy, you must reinforce the rules by providing context around why it’s so important.
Give your tema training on the most common forms of cyber attack, like social engineering and phishing. These hacking methods are cleverly disguised and require the victim to be a willing participant in undoing their security.
The basic rule is this: whenever you follow a link that asks for login credentials (or any other personal information for that matter) you must be highly vigilant. If you’re not certain if the request for information is legitimate, then you can type the site’s known URL into your browser to make sure you’re not on a carefully disguised imposter’s site.
Reducing Password Policy Complexity
Are you feeling overwhelmed at this point, wondering how you’re supposed to manage so many password requirements and changes for so many users? Fear not. Our modern cloud security solutions offer lots of opportunities to automate these processes, freeing your IT admins up for more complex tasks.
Use a Password Manager
Weak, shared, or compromised passwords play a role in most data breaches. When end users can create and store complex passwords easily, they play an active role in protecting your organization from malicious actors. Password managers allow users to create truly complex, uncrackable passwords while reducing downtime from not remembering them. It’s the perfect solution.
Implement SSO and MFA
Modern cloud solutions allow you to easily implement single sign-on and multi-factor authentication models to verify users prior to letting them access company resources.
Single sign-on enables users to log in once to access all of their IT resources; they don’t have to type their username and password in over and over, or use multiple, distinct username and password pairs, to get access to everything they need to be successful at work.
Today, SSO is often implemented as part of a larger identity access management (IAM) solution, such as a directory service, rather than as a separate add-on, which gives IT admins more control and visibility into what users have access to. SSO solutions that fit into this mold provide users with access to virtually all of their IT resources (networks, devices, apps, file servers, and more) through a single login. Even better, there are SSO password managers that kill two birds with one stone.
Multi-factor authentication can also be turned on with the click of a button when using solutions like JumpCloud. You can create conditional access policies that make users use a second factor to verify their identities all of the time, or only when logging in from an untrusted device, for example. According to Microsoft, enabling MFA will stop 99.9% of cyber attacks.
Upgrade to a Cloud Directory Platform like JumpCloud
While password managers, SSO, and MFA can certainly all be purchased piecemeal, by far the easiest and most comprehensive solution is to centralize your IT management around a cloud directory platform like JumpCloud. JumpCloud provides a seamless single pane of glass from which to manage all user passwords and identities, and quickly batch implement the newest security policies. JumpCloud offers password management, all-application SSO, MFA capabilities – and so much more.
If you’re ready to give a best-in-class open directory platform a try for all your IDaaS needs, JumpCloud’s your solution. Drop us a note, or sign up for a free account and give it a try for yourself. It’s free to try for up to 10 users and 10 devices.