Password management tends to be one of those activities that most people choose to be lazier with. Thanks to the way that TV and movies poorly portray how most cyber breaches are conducted, people don’t realize the true importance of password discipline. But the one statistic that tells the whole story, is that a whopping 81% of data breaches are a result of password compromise (according to the Verizon Data Breach Investigations Report).
Password Design
●Passwords should be between 8-15 characters in length using upper case, lower case, numeric and special characters in conjunction→ A high character count with a series of varied symbols minimizes a hacker's ability to break using “brute force attacks.”
● Passwords should not contain any personal identifiable information(PII)→ A lot of personal identifiable information can be found online and is typically the first attempted.
● Passwords should differ across applications, systems and department teams→ If passwords are the same across platforms and teams, then one successful password breach could lead to multiple breaches. This is a common problem amongst small businesses, where members of teams or departments will share credentials across accounts which can increase the risk of a password breach and the severity of one.
●Passwords should NOT be recycled (Ex: Password#1→ Password#2) → If a password had been previously compromised without any action being taken by the hacker, recycling your password will only give a finite amount of time until you are compromised again.
Password Security
●Passwords should be changed every 60-90 days for each account→ Frequently changing your password creates a “moving target” for a hacker
●Passwords should only be shared under the RAREST of circumstances with team or department members→ Sharing credentials puts more devices at risk in the event a breach were to occur. Therefore it should be done cautiously and on the rarest of occasions.
●In the RARE event that credentials are shared, it should NEVER be done by electronic means (email, text, IM, etc.)→ Sharing credentials electronically creates more potential mediums that could cause compromise through communications interceptions.
●Passwords should NOT be stored in any company or computer databases→ If a database was compromised, all other systems would potentially be compromised as well.
● Avoid leaving a written down password visible and in plain sight→ Having passwords or other credentials in plain sight (on someone’s desk or cabinet) will risk internal password sharing. Even if someone trustworthy borrows it, they could be negligent in how they use the credentials, leading to a potential compromise.
● Utilize multi-factor authentication whenever available→ Multi-factor authentication adds an entirely new layer of security to protect one’s credentials.
●Utilize a password manager software if available→ Especially when you have a lot of different accounts, password manager software is a centralized place to store all of your passwords. They can be accessed with one master password and it encrypts the information when the software isn’t accessed, making it extremely secure. But be sure to manage the master password using these design and security practices.
Response to Suspected Password Compromise
●Immediately change all compromised passwords across platforms and teams→ This will minimize any potential loss across teams and platforms. Risk of loss is far greater if there isn’t cross-team or cross-platform differentiation.
●Notify pre-determined, designated team lead of potential cyber-related incident, and begin incident-response steps→ Notification of the designated lead will begin the formalized process of incident-response, minimizing any potential further damage.
It is critical and advised to follow these password management practices. Another good idea, especially if you have employees or subcontractors, is to have a formal, documented password management policy within your organization, and ensure they are being enforced. It is also wise to create an incident-response plan in the event credentials might be compromised, as well as one that addresses other potential scenarios. Be sure to consult with a cybersecurity professional or IT personnel to get those generated.