Passwords are the oldest method of digital authentication, and they are still by far the most common way of proving identity online. While organisations are beginning to move towards alternative authentication methods, passwords remain in the foundations of enterprise identity, so password strength is still critical in protecting against enterprise data breaches. In an ever-developing threat landscape, what makes for a strong password in 2022? Here are the key pillars of strong passwords today.
Password reuse is a key factor in many data breaches. Ensuring that users' passwords are unique is one of the best ways enterprises can safeguard themselves against cyberattacks. Many passwords are compromised in separate data breaches and become available to cybercriminals on the dark web. These purchased credentials are then leveraged in credential stuffing attacks. According to Spycloud, 70% of passwords that have been compromised remain in use.
When compromised credentials are reused for other applications, the problem becomes far more serious: attackers can compromise multiple applications with just one set of credentials, creating a domino effect. For enterprises to ensure that their employees' passwords are not up for sale on the dark web, and to mitigate the risk of the associated data breaches, eliminating password reuse is of critical importance.
Many application registrations require that passwords be of a certain length and complexity: special characters, numbers, and a mixture of upper- and lower-case characters. However, it is the length of the password that matters far more when it comes to protecting against brute-force attacks. Each additional character increases the strength of a password exponentially, whereas increased entropy, or variance in the characters used, only has a linear impact on strength. This means users can benefit from vastly more secure credentials by adding just a small number of characters or turning their password into a phrase.
Complexity requirements have a lesser impact on deterring brute-force attacks, and they are significantly more difficult for a human to remember. A good way to increase the length of passwords substantially while keeping them easy to memorise is to use passphrases. Using a grammatical sentence, or three or four random words, credentials can be long enough to resist brute-force attacks while remaining easy for users to remember.
Whilst password length is regarded as more effective than complexity, many third-party cloud apps will include requirements for numbers, upper case letters, and special characters. In order to meet these requirements, a common method is to use obvious substitutions for letters – for example, the word ‘password’ may be typed as ‘p@ssw0rd’. Users may also use a memorable combination of numbers at the end of their passphrase to incorporate numbers.
Unfortunately, while these techniques help make complex passwords easier to remember, they are well known to cybercriminals and are accounted for in both brute-force and credential-stuffing tooling. In practice, therefore, complexity rules make passwords more difficult to remember in the name of security, but often end up undermining the purpose they were created for by encouraging the substitution of letters with easy-to-guess symbols. This can also encourage other insecure behaviours, such as reusing and writing down passwords, creating additional security issues.
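The two points above (length outweighs character-set variety, and obvious substitutions are already in attackers' wordlists) can be turned into a simple policy check. This is an added illustration, not code from the original article or from My1Login; the leaked-password list, the substitution map and the 14-character minimum are constructed assumptions.

```python
import math

# Constructed stand-in for a breached/common base-word list (not real breach data).
COMMON_LEAKED = {"password", "letmein", "qwerty", "welcome", "summer"}

# Obvious letter-for-symbol substitutions that cracking wordlists already try.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})


def normalise(pw: str) -> str:
    """Reduce a password to its base word: lowercase, drop a trailing run of
    digits/symbols (e.g. '2022!'), then undo leet substitutions."""
    return pw.lower().rstrip("0123456789!#$%&*?.").translate(LEET_MAP)


def keyspace_bits(length: int, charset_size: int) -> float:
    """log2 of the candidates a brute-force attacker must try (charset_size ** length)."""
    return length * math.log2(charset_size)


def check_password(pw: str, min_length: int = 14) -> tuple[bool, str]:
    """Policy that favours length and rejects disguised dictionary words.
    Returns (accepted, reason)."""
    if normalise(pw) in COMMON_LEAKED:
        return False, "base word is in the leaked-password list"
    if len(pw) < min_length:
        return False, f"shorter than {min_length} characters"
    return True, "ok"


if __name__ == "__main__":
    # Length beats complexity: 12 lowercase letters already outweigh
    # 8 characters drawn from all 94 printable ASCII characters.
    print(f"8 chars, 94-char set : {keyspace_bits(8, 94):.1f} bits")
    print(f"12 chars, lowercase  : {keyspace_bits(12, 26):.1f} bits")
    print(f"20 chars, lowercase  : {keyspace_bits(20, 26):.1f} bits")
    for candidate in ["P@ssw0rd2022!", "Tr0ub4dor&3", "three random words here"]:
        print(f"{candidate!r}: {check_password(candidate)}")
```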
One of the key challenges facing enterprises is how to enforce password best practice across all applications and for all users. Requiring end users to adhere to corporate password policies means enterprises are effectively placing the burden of preventing data breaches on those with the least training or interest in cybersecurity.
However, even making sure users are educated on the risks appears to have little impact. Research from My1Login surveying over 2,000 UK office workers and business leaders found that of users who had received cybersecurity training, 85% continued to reuse passwords, and 63% used personal passwords in the workplace.
The problem lies in the volume of passwords that employees are required to remember – on average, each person has 100 passwords, and often 10 to 30 of these are work-related. Even if users are aware that password reuse is problematic, they have little alternative when they are required to remember so many.
Instead, many organisations are turning to technological solutions to remove the human limitations in creating and memorising strong passwords. An Enterprise Password Manager is one of the most effective tools for this, enforcing password policies on third-party cloud applications by automating the generation and updating of passwords on those applications. Combining this with Single Sign-On (SSO) functionality that uses credential vaulting and forwarding means users don't have to type or enter the passwords to access the applications, putting the enterprise back in control of its identities. Ideally, if the SSO and Enterprise Password Management solution can be configured to run seamlessly in the background, users won't have to be trained, as the solution can be deployed centrally by the IT department.
By centralising access to corporate identities, passwords and data, and removing the burden of cybersecurity from end users, organisations can be confident that the cyber risk of password-based authentication is mitigated, minimising the likelihood of facing the financial and reputational damage of a data breach.
Learn more about why organisations should remove passwords from users now.