{"id":3526,"date":"2023-10-10T12:44:37","date_gmt":"2023-10-10T16:44:37","guid":{"rendered":"http:\/\/www.jumpcloud.com\/blog\/?p=3526"},"modified":"2024-11-14T19:31:11","modified_gmt":"2024-11-15T00:31:11","slug":"it-password-security","status":"publish","type":"post","link":"https:\/\/jumpcloud.com\/blog\/it-password-security","title":{"rendered":"Best Practices for IT Password Security"},"content":{"rendered":"\n

October is Cybersecurity Awareness Month, and the U.S. Cybersecurity & Infrastructure Security Agency (CISA) is calling on all of us to \u201cSecure Our World,\u201d with a simple message that calls everyone to action \u201cto adopt ongoing cybersecurity habits and improved online safety behaviors.\u201d This month, the JumpCloud blog will focus on helping you empower everyone in your organization to do their part regarding cybersecurity. Tune in throughout the month for more cybersecurity content written specifically for IT professionals.<\/em><\/p>\n\n\n\n



It\u2019s safe to say: IT has a password problem.<\/p>\n\n\n\n

Gartner reports<\/a> that as much as 50% of help desk calls are just password resets. Meanwhile, insecure passwords are leading to more high-profile breaches<\/a> than ever before. Password protection and management is something that we\u2019re highly in tune with here at JumpCloud, where security via our cloud directory platform<\/a> is our bread and butter. And thankfully, there are some amazing tools out there today that can make password management much easier and more secure.<\/p>\n\n\n\n

Password management has a few components. The first step is contextualizing the breadth and depth of the problem. Then, it\u2019s all about implementing password protection best practices to secure your organizational resources without interfering with your employees\u2019 user experience. In this article, we\u2019ll walk through common password mistakes, the best practices to combat them, and how to simplify your management complexity. <\/p>\n\n\n\n

Common Password Mistakes <\/h2>\n\n\n\n

Simply put, cybercriminals have evolved to be smarter about how they acquire user credentials, but our business environments have not evolved to properly defend against them. According to Specops\u2019s 2023 Weak Passwords Report<\/a>, 41% of Americans rely on memory alone to track their passwords. And you can\u2019t leave it up to users to secure their own credentials. Most employees reuse passwords for work and home, and make their passwords deliberately easy to remember \u2013 which also means they\u2019re easy to guess. <\/p>\n\n\n\n

Using Common Passwords <\/h3>\n\n\n\n

Common passwords are often the first ones bad actors try during brute force attacks. They find lists of these passwords in breached password dumps and systematically enter them until one works. <\/p>\n\n\n\n

According to Cybernews<\/a>, the 10 most common passwords leaked in 2023 were:<\/p>\n\n\n\n

    \n
  1. 123456<\/li>\n\n\n\n
  2. 123456789<\/li>\n\n\n\n
  3. qwerty<\/li>\n\n\n\n
  4. password<\/li>\n\n\n\n
  5. 12345<\/li>\n\n\n\n
  6. qwerty123<\/li>\n\n\n\n
  7. 1q2w3e<\/li>\n\n\n\n
  8. 12345678<\/li>\n\n\n\n
  9. 111111<\/li>\n\n\n\n
  10. 1234567890<\/li>\n<\/ol>\n\n\n\n

    These passwords are not only easy to guess; most of them are also very short, and have very little complexity, with no special characters. Many of them don\u2019t even have a mix of both letters and numbers, and none of them are personalized to the user. <\/p>\n\n\n\n

    Using Overly Simple Passwords <\/h3>\n\n\n\n

    It isn\u2019t enough to choose a password that isn\u2019t lazy and obvious. You must also add layers of complexity with a long string of letters, numbers, and special characters. It may feel like common knowledge that using more than eight characters in a password is enough to deter most cybercriminals, but this isn\u2019t always put into practice. In fact, 88%<\/a> of brute force password attacks in 2023 used passwords with 12 characters or fewer, and nearly a quarter of those attacks used passwords with only 8 characters. <\/p>\n\n\n\n

    Reusing Passwords on Multiple Applications <\/h3>\n\n\n\n

    Without a password manager<\/a> to securely store login credentials, many users resort to reusing passwords, simply so they can remember them. According to Google\u2019s Online Security Survey<\/a>, 52% of users reuse the same passwords for multiple accounts, and 13% use the same password for all<\/em> their accounts. <\/p>\n\n\n\n

    Using the same password repeatedly significantly widens the attack surface. A compromise of just one resource \u2013 even something as innocuous as a social media or retail account login \u2013 can lead to compromise of company resources, too. <\/p>\n\n\n\n

    Password Management Best Practices <\/h2>\n\n\n\n

    Password management issues may be widespread, but that doesn\u2019t mean your organization is destined to become the next victim of a cyber attack. Next, we\u2019ll give you a few best practices to implement in order to better secure your users\u2019 passwords. <\/p>\n\n\n\n

    Create a Password Policy \u2013 and Enforce It.<\/h3>\n\n\n\n

    Design a detailed password policy that all employees and user identities must follow to gain access to company resources. A modern cloud directory platform like JumpCloud makes this easy by creating password requirement policies based on your specifications. Here are some examples of what should be included in your policy. <\/p>\n\n\n\n

    Length\/Complexity Requirements <\/h4>\n\n\n\n