Today, one of the largest threats to organizations is employees choosing weak or non-compliant passwords for their computers and mobile devices: according to the 2019 Verizon Data Breach Investigations Report (DBIR), 80 percent of hacking-related breaches are tied to passwords.
Passwords are compromised by hackers in several ways, including online and offline brute force attacks, dictionary attacks, and key logger attacks.
In an online brute force attack, hackers use software to attempt logins to a website or resource with many candidate passwords, starting with the easiest to guess. Offline brute force attacks involve hackers attempting to compromise systems using "dumped" or downloaded username and password combinations. In a dictionary attack, a form of brute force attack, hackers use software to defeat authentication systems by trying hundreds or even millions of likely passwords, as if they were words in a dictionary.
Hackers also use key logger attacks, in which malware installed on a victim's computer records all of the user's keystrokes, including passwords. Key logger attacks differ from brute force and dictionary attacks in that a stronger password does not always protect against them, which is the main reason that all businesses should implement two-factor (2FA) or multi-factor authentication (MFA).
By implementing strict password policies and IT controls while educating users about password best practices and online security, organizations can reduce their chances of a data breach or cyber-attack.
Preventing Password Compromises
Using secure, unique passwords of at least 8 characters and enabling two-factor or multi-factor authentication is key to not falling victim to data breaches or password compromises.
Password best practices include not using your name or names of family members or pets for passwords and avoiding numbers such as addresses, phone numbers, or birthdays. Passwords for financial accounts should be changed regularly and device login passwords should be changed quarterly.
Additionally, users should not use the same password on more than one account, because if one account is breached, every other account protected by the same password is exposed as well. Unique password generators from Google or Symantec can ensure that users have unique and strong passwords. Two-factor (2FA) or multi-factor authentication (MFA) should also be implemented to add a second layer of identity verification and security for organizational account passwords.
Enforcing Password Complexity
Password complexity should be enforced across major platforms including Microsoft O365 and Windows Server as well as Google G Suite.
Microsoft recommends enforcing password diversity, so that user passwords vary widely and are difficult to guess, to protect O365 user accounts. This includes user password expiration requirements, requiring long passwords, requiring the use of multiple character sets, banning common passwords, and not re-using organizational passwords. Additionally, Microsoft recommends enabling and enforcing risk-based multi-factor authentication together with an 8-character minimum password length requirement.
For Windows Server (Group Policy), password complexity requirements should be enabled and combined with a minimum password length of 8 to ensure that there are at least 218,340,105,584,896 different possibilities for a single password. This makes brute force attacks difficult, but still not impossible.
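As an added illustration (not code from the original article), the following Python script approximates the Windows Group Policy complexity rule described above (three of four character categories, no account name in the password, 8-character minimum) together with the banned-common-password check from the O365 guidance, and computes the 62^8 keyspace that produces the figure quoted above for 8-character alphanumeric passwords. The ban list and the sample account names are constructed for this example.

```python
import re
from typing import List

# Constructed sample ban list for this example; a real deployment would load a
# much larger set of leaked or commonly chosen passwords.
BANNED_PASSWORDS = {"password", "password1", "welcome1", "letmein", "qwerty123"}

# Character categories counted by the Windows Group Policy setting
# "Password must meet complexity requirements" (the Unicode category is omitted here).
CATEGORIES = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters from an alphabet."""
    return alphabet_size ** length


def audit_password(password: str, username: str, min_length: int = 8) -> List[str]:
    """Return policy findings for a candidate password; an empty list means it passes.

    The checks approximate the Windows complexity rule (at least three of the four
    categories above, must not contain the account name), the 8-character minimum
    recommended in the article, and a banned-password list.
    """
    findings = []
    if len(password) < min_length:
        findings.append(f"shorter than {min_length} characters")
    if username and username.lower() in password.lower():
        findings.append("contains the account name")
    hit = [name for name, rx in CATEGORIES.items() if rx.search(password)]
    if len(hit) < 3:
        findings.append(f"uses only {len(hit)} of 4 character categories")
    if password.lower() in BANNED_PASSWORDS:
        findings.append("appears on the banned-password list")
    return findings


if __name__ == "__main__":
    # 8 characters drawn from the 62 alphanumerics gives the count quoted in the article.
    print(keyspace(62, 8))  # 218340105584896
    # Constructed sample passwords and account names.
    for pw, user in [("Tr0ub4dor&3", "jsmith"), ("jsmith2019", "jsmith"), ("Password1", "alice")]:
        print(pw, audit_password(pw, user) or "OK")
```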
Google G Suite password complexity options allow administrators to enforce policies such as strong passwords that must be changed regularly and cannot be reused. Enterprise administrators of Gmail, Google Drive, and other services can specify minimum and maximum password lengths with “Password strength and length enforcement.”
Technical Framework Password Enforcement Service
Technical Framework recommends and provides password auditing and enforcement services on demand. As cyberattacks continue to target and exploit organizations, password security is an essential piece of all IT security programs to help mitigate data breach and compliance risks. Technical Framework also implements and maintains password policy enforcement best practices to help clients ensure their IT security postures and regulatory compliance.