Myths about strong passwords and how organizations can better protect themselves
Passwords can uniquely identify users to important programs and services, but only if they are strong, and that is often where the problem lies. One reason is that rules that once applied no longer provide protection. Here is what modern password protection should look like.
Passwords are the key to an organization’s accounts and sensitive data, and at the same time a security risk: if they fall into the wrong hands, they can serve as an entry point for cyberattacks. According to Verizon’s Data Breach Investigations Report 2022, compromised credentials are responsible for 80 percent of all corporate data breaches.
Weak passwords on the one hand and compromised passwords on the other are problematic. To make matters worse, password requirements have changed over time: What was once considered secure is no longer necessarily so. Some myths persist.
Why longer passwords alone are not necessarily secure
Many guidelines say that passwords should be at least eight characters long. The problem is that attackers know this too. A study by the security experts at SpecOps analyzed the word combinations used by cybercriminals in brute force attacks. The result: 93 percent were eight characters or longer, and nearly 40 percent of the passwords used in attacks were at least 12 characters long. It is also often recommended to mix character types, such as letters and numbers; however, nearly 70 percent of the combinations used by attackers followed this recommendation as well.
It is therefore a myth that a passphrase offers protection merely because it contains a certain number of characters. In fact, longer passwords often make things easier for attackers, because employees tend to choose word combinations that are as uncomplicated as possible in order to memorize such strings. These include the names of sports teams, artists, or even seasons, as SpecOps found. Employees then use the same password for different platforms and may even share it with colleagues.
However, criminals can quickly guess simple terms and word combinations using automated brute force attacks. They can then gain access to critical services and data with a single compromised password.
The same danger lies in forcing people to change their passwords frequently. The National Institute of Standards and Technology (NIST) used to recommend choosing a new password every 90 days. But this advice is counterproductive: it encourages employees to come up with insecure passphrases that are easy to memorize. NIST, the U.S. agency that sets technology standards, has long since moved away from this approach.
What companies can do to improve password security
To ensure that passwords are as secure as possible, companies should take several steps to protect them. The first step is to define the requirements that passwords must meet in the organization. You can base this on recommendations from various organizations, such as the German Federal Office for Information Security (BSI) or NIST.
What is a strong password?
According to the BSI’s Basic Protection Compendium, a password does not always have to be long: it can be as short as eight to twelve characters, provided the string is as complex as possible and contains all four types of characters (uppercase letters, lowercase letters, numbers, and special characters). Alternatively, the password can be much longer, 20 to 25 characters, and need not be as complex: in this case two types of characters are sufficient, such as uppercase and lowercase letters.
There are further requirements, however. The password must not be easy to guess: common strings such as “123456,” “aaaa,” “asdf,” or “password,” and personal information such as your own name, your company’s name, or your pet’s name are taboo. Patterns such as a number sequence at the beginning or end of the password, for example 123, are also prohibited.
The BSI recommends using very strong passphrases of 20 characters or more on workstation PCs. They are almost impossible to crack with brute force attacks.
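As an added example (not code from the article or from the BSI), the following Python function checks a candidate password against the two BSI alternatives described above and the guessability rules. The short list of forbidden strings, the treatment of lengths between 13 and 19 characters like the short alternative, and the `personal_info` parameter are assumptions made for this example:

```python
import re
import string

# Constructed sample of forbidden strings taken from the article; a real deployment
# would use a much larger dictionary of common passwords.
COMMON_STRINGS = {"123456", "aaaa", "asdf", "password"}


def character_classes(pw: str) -> int:
    """Count how many of the four BSI character classes the password uses."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])


def check_password(pw: str, personal_info=()) -> list[str]:
    """Return the list of policy violations; an empty list means the password passes.

    Short alternative: 8 to 12 characters with all four character classes.
    Long alternative: 20 characters or more with at least two classes.
    Assumption: lengths 13 to 19 are held to the short alternative's four classes.
    """
    problems = []
    n, classes = len(pw), character_classes(pw)
    if n < 8:
        problems.append("shorter than 8 characters")
    elif n < 20 and classes < 4:
        problems.append(f"{n} characters but only {classes} of 4 character classes")
    elif n >= 20 and classes < 2:
        problems.append("20+ characters but only one character class")
    lowered = pw.lower()
    for s in sorted(COMMON_STRINGS):
        if s in lowered:
            problems.append(f"contains common string '{s}'")
    for info in personal_info:  # e.g. user name, company name, pet name
        if info and info.lower() in lowered:
            problems.append(f"contains personal information '{info}'")
    # Number sequences at the very beginning or end (e.g. "...123") are prohibited.
    if re.match(r"^\d+", pw) or re.search(r"\d+$", pw):
        problems.append("starts or ends with a number sequence")
    return problems
```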
What makes passwords even more secure
- Only one password per service: A strong password must be created specifically for each application and must never be used more than once. It must also not be possible to reuse a password.
- Use a password manager: As employees find it difficult to remember multiple long or complex passwords, the use of a password manager can be useful according to the BSI basic protection recommendations. This stores passphrases in encrypted form.
- Change default passwords: The default passwords in the system need to be replaced with strong passphrases.
- Use multifactor authentication: Additional security is provided by other authentication features, such as certificates or multi-factor authentication using tokens and codes.
- Encryption: Passwords must be transmitted only over encrypted connections and stored in the IT infrastructure in protected form, never in plain text; for storage this means a salted, deliberately slow password hash rather than a reversible encryption of the password.
- Find compromised passwords: Passwords that have already been compromised circulate on lists on the darknet. Organizations should check Active Directory, Microsoft’s central directory service in which identities are managed for authentication and authorization, for passphrases that appear on such lists. External tools like SpecOps Password Auditor can help with this.
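As an added example that is not part of the article or of any product it mentions, here is the privacy-preserving way such a breach-list check can be performed: the client sends only the first five hex characters of the password's SHA-1 hash and compares the returned suffixes locally (the range-query scheme used by services such as Have I Been Pwned). The breach list and its counts are constructed for this example; an Active Directory audit would compare the directory's NT hashes against an NT-hash list in the same way.

```python
import hashlib

# Constructed sample breach list with occurrence counts; stands in for a
# leaked-password list obtained from a breach-monitoring service.
BREACHED_PASSWORDS = {"password": 9_000_000, "123456": 37_000_000, "Summer2023": 1_200}


def sha1_hex(password: str) -> str:
    # SHA-1 is the lookup key format of such lists, not a way to store passwords.
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(breached: dict[str, int]) -> dict[str, list[str]]:
    """Server side: group breached hashes by their 5-character prefix, keeping
    only the remaining 35-character suffix and the count for each entry."""
    index: dict[str, list[str]] = {}
    for pw, count in breached.items():
        h = sha1_hex(pw)
        index.setdefault(h[:5], []).append(f"{h[5:]}:{count}")
    return index


def range_lookup(index: dict[str, list[str]], prefix: str) -> str:
    """Server side: answer a prefix query with every matching suffix:count line."""
    return "\n".join(index.get(prefix.upper(), []))


def breach_count(password: str, index: dict[str, list[str]]) -> int:
    """Client side: only the 5-character prefix is sent; the full hash and the
    password never leave the client. Returns how often the password appears
    on the breach list, or 0 if it is not listed."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in range_lookup(index, prefix).splitlines():
        found_suffix, _, count = line.partition(":")
        if found_suffix == suffix:
            return int(count)
    return 0
```

A password with a non-zero count should be treated as compromised and changed, regardless of how long or complex it is.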
Strong passwords only need to be changed if there is a suspicion that a passphrase has been compromised. Otherwise, the requirement to change passphrases on a regular basis should be removed.
The alternative: Login without password
Solutions that eliminate password-based identification have long been available, making forgotten, stolen, or weak passphrases a thing of the past. The open standard Fast IDentity Online (FIDO) enables passwordless, cryptographically secured two-factor authentication with its protocols. Users must first unlock an authenticator locally, with biometrics such as a fingerprint or with a security token. The private key stored on the device then signs a challenge that the server verifies with the matching public key; there is a separate key pair for each online service.
Certificate-based authentication with PKI credentials likewise works without passwords. It uses physical smart cards and software certificates.
Conclusion: Strong Passwords Are Long and Unique
Strong passwords in companies must fulfil certain requirements. For example, they should be as long as possible, should not be used for multiple services, and should never be easy to guess. When companies define such rules and enforce them consistently, the IT infrastructure is better protected against cyberattacks.