5 Top Tips for Password Management

Emma Dockerill
Marketing Executive
16/04/2022

Bolster your security with effective password management

Passwords are the first line of defence for protecting your devices and systems against improper access and malicious actors. They are used across almost all digital systems, including software, cloud and infrastructure. Therefore, implementing effective password management is one of the simplest ways of improving your cyber defences. And the best part? It costs next to nothing to have in place.

The use of a password login within a computer system was introduced at MIT in 1961. Yet after over 60 years of computer and security developments, we're still seeing weak passwords as a top cause for unauthorized access. In fact, failed admin logins were the top security issue identified by our Security Operations Centre (SOC) team in both 2020 and 2021.

This blog provides you with 5 simple yet effective areas of focus for your business, based on the National Cyber Security Centre's advice of actions every business should undertake to reduce cyber threats. Time to stop scribbling your passwords down on those post-it notes and make note of these 5 tips instead.


Set secure passwords

The most frequently spoken about tip, but one of the simplest out there, is to make sure you're using strong and unique passwords. Passwords should ideally be at least 16 characters long and use a mixture of letters, numbers and symbols. To put it into context, a password of 4 characters consisting purely of numbers can be brute-forced almost instantly. 8 characters consisting of upper and lowercase letters can be hacked in around 20 minutes. But 16 characters made up of numbers, mixed case letters and symbols will take around 11 trillion years to brute-force. By which time, we might have finally figured out how to unmute ourselves before speaking on virtual calls.

But fear not: for your password to be strong, it doesn't have to be complex. Using three random words is a great way to create a long password, integrating numbers and symbols, that will help to keep hackers out. A main reason why strong and unique passwords are avoided is that people worry they won't remember what they've used and where. However, a secure password manager tool helps you to keep track of each password, allowing you to avoid repeating passwords or leaving them noted down in an unsecured location (anyone can access that post-it note in your top drawer).

Your business passwords should also always differ from those created for personal use. You don't want your business to suffer a cyber attack at the hands of someone using the same password they've used for every platform since they were a teenager.
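The three-random-words approach only works if the words really are chosen at random. The sketch below is an added example, not code from this blog or from the NCSC; the word list, symbol set and function names are constructed for illustration, and a real deployment would load a list of thousands of words.

```python
import math
import secrets

# Constructed sample list so the example runs offline. With only 16 words it
# gives very little entropy; use a published list of thousands of words.
SAMPLE_WORDS = [
    "anchor", "biscuit", "canyon", "dolphin", "ember", "falcon", "glacier",
    "harbour", "island", "jigsaw", "kettle", "lantern", "meadow", "nutmeg",
    "orchid", "pebble",
]
SYMBOLS = "!#$%&*+=?@"  # '-' is left out because it is used as the separator


def make_passphrase(words=SAMPLE_WORDS, n_words=3, min_length=16):
    """Return n_words random words joined by '-', plus two digits and a symbol."""
    if len(set(words)) < 2:
        raise ValueError("word list needs at least two distinct words")
    while True:
        # secrets uses the OS CSPRNG; the random module is not suitable here.
        picked = [secrets.choice(words).capitalize() for _ in range(n_words)]
        suffix = f"{secrets.randbelow(100):02d}{secrets.choice(SYMBOLS)}"
        candidate = "-".join(picked) + suffix
        if len(candidate) >= min_length:
            return candidate


def entropy_bits(wordlist_size, n_words=3):
    """Bits of entropy from the random choices alone (words, 2 digits, symbol)."""
    return (n_words * math.log2(wordlist_size)
            + math.log2(100) + math.log2(len(SYMBOLS)))


if __name__ == "__main__":
    print(make_passphrase())
    print(f"16-word list:   {entropy_bits(16):.1f} bits")
    print(f"7776-word list: {entropy_bits(7776):.1f} bits")
```

The entropy figure depends on the size of the word list, not on how long the result looks, which is why the 16-word sample list is for demonstration only.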



Change default credentials

Any site on the internet should expect to be hit with brute-force attacks. Default credentials are an easy win for hackers, enabling them to infiltrate your systems through these types of attacks. This means you must ensure your organisation changes any default admin credentials, and follows general IT best practice of changing passwords every 3 months to avoid falling victim.

Our SOC team has gathered insights from honeypot networks that prove the dangers of default credentials. Passwords frequently used successfully within brute-force attacks include the following:

  • admin
  • PASswoRD
  • 1
  • admin123
  • !QAZ2wsx

Not only this, but 24.5% of passwords used by hackers in brute-force attacks were contained within the RockYou database leak from 2009. This scarily shows the lack of password strength awareness in the 13 years since, and means businesses are leaving their doors practically wide open to hackers.
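One way to act on this is to screen new or changed passwords against a denylist before they are accepted. The check below is an added example, not Bulletproof's own tooling; the function names and rejection rules are assumptions, and the denylist holds only the five passwords listed above, so a real deployment would pass in a much larger set.

```python
import re

# Passwords this article lists as frequently successful in brute-force attacks.
OBSERVED_IN_ATTACKS = {"admin", "PASswoRD", "1", "admin123", "!QAZ2wsx"}
MIN_LENGTH = 16  # the minimum length this article recommends


def _normalise(value):
    """Fold case and strip trailing digits/symbols so 'Admin123!' matches 'admin'."""
    return re.sub(r"[\W\d_]+$", "", value.casefold())


def screen_password(candidate, username="", denylist=OBSERVED_IN_ATTACKS):
    """Return a list of reasons to reject candidate; an empty list means it passes."""
    reasons = []
    folded = candidate.casefold()
    deny_exact = {d.casefold() for d in denylist}
    # Stems catch trivial variants; entries that normalise to "" are dropped.
    deny_stems = {_normalise(d) for d in denylist} - {""}
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if folded in deny_exact or _normalise(candidate) in deny_stems:
        reasons.append("matches a commonly attempted password")
    if username and username.casefold() in folded:
        reasons.append("contains the account name")
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw in ["admin123", "Password2022!", "Glacier-Kettle-Orchid47!"]:
        print(pw, "->", screen_password(pw) or "accepted")
```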



Use multi-factor authentication

Multi-factor authentication (MFA or 2FA) is a great tool to have in your password arsenal. It provides an extra layer of protection by securing accounts beyond password access with the use of a second security authentication method, usually on a separate device. The benefit of having two separate forms of identification is that if a hacker manages to gain access through your password, they're unlikely to have your second device to authorise the login.

Although 75% of businesses have a password policy in place within their organisation, only 37% have MFA as a requirement for staff to use. This could end up being an extremely costly choice for a business should a cyber attack occur that MFA could have prevented. Therefore, it's best practice to enable MFA wherever possible for your systems and include it within password policies to reinforce its value to staff as a key security tool. It might make logins slightly more time consuming, but the cost of dealing with an attack or breach would surely outweigh that.

More and more businesses are seeking out security certifications such as Cyber Essentials and ISO 27001 in order to win business contracts, or to highlight their security consciousness to both customers and supply chains. These certifications have MFA listed as requirements within their frameworks, so if you're looking to certify with such schemes, it's even more important to get MFA set up where possible to ease the certification process.



Manage third party access

Can you account for everyone that has access to your network? Try to make it part of your password best practices to review who has access to your organisation's various devices and systems. Ensure only the correct people in your teams have access and those who leave the company have their access revoked. This is because removing old, unrequired and unused accounts will help to reduce the chance of unwanted and unauthorised access. Likewise, discourage password sharing between teams. If an individual needs access to something, give them their own login credentials wherever possible.

Managing access is particularly crucial if you are working with sensitive data, as only those who absolutely need access should be given it, in order to prevent a potential data breach. The overall key lesson to learn here is to follow a just-in-time model, meaning you give users precisely the level of access they need, for only the duration needed.


Train your staff

The final tip for secure password practices is to strengthen staff knowledge with security training. Increased password and security awareness from staff within their day to day practices is a key way to help protect your business.

Training also helps staff to be cautious about phishing attacks, a type of attack which could lead to them unintentionally giving their login credentials away. 83% of all cyber attacks are carried out through phishing tactics, which further highlights the importance of staff awareness of the issue. You can have all the correct security tools and processes in place, but just one employee clicking on a dodgy email could undo it all.

Bulletproof's Cyber Awareness Training is engaging and informative, putting employees in the mind-set of a hacker to understand how they could potentially be enabling malicious activity. Topics covered include password and account best practices, phishing and email security, as well as many more security and compliance key topics. Your staff will leave feeling more confident and aware of their impact on your business security.


Summary

Correct password management is a simple yet effective way to instantly bolster your security, and your staff are your best defence against a majority of cyber attacks. This means getting password best practices in check with all your employees is crucial. Make sure your password policies include all of the 5 tips discussed within this blog, and that staff are aware of what's expected from them in their day-to-day practices.


Meet the author

Emma Dockerill Marketing Executive

Emma is a Marketing Executive who has a keen eye for researching and writing interesting articles about business security.
