Lepide Blog: A Guide to IT Security, Compliance and IT Operations

Best Practices for Password Management and Security

Password Management and Security

There’s no doubt that managing and securing passwords is a challenge for organizations. Passwords are difficult to remember, easily hackable, and password management strategies are further complicated by the growth of non-human accounts. Traditional password policies like minimum length requirements, complexity rules, and account lockouts are not as effective as they were.

Password cracking techniques like dictionary attacks and various social engineering techniques are used to compromise user accounts, and common behaviors like password reuse, using simple passwords, and sharing workplace passwords also pose significant security threats. However, as problematic as they may be, it’s unlikely we will see their demise just yet. In the meantime we will still need to establish a robust password management and security strategy.

Password Management and Security Best Practices

To safeguard your passwords, you will need to implement up-to-date anti-malware and vulnerability management solutions, fortifying your systems against exploitation. Additionally, modern password security policies should focus on password managers, multi-factor authentication (MFA), security awareness training, and periodic password audits to enhance security. Below are some of the most notable best practices for password management and security:

  1. Create Long, Strong and Complex Passwords
  2. Use Encryption to Secure Passwords At Rest and In Transit
  3. Use Advanced Authentication Methods
  4. Practice Mobile Phone Security
  5. Avoid Changing Passwords Too Frequently
  6. Use Password Managers
  7. Monitor All Password Activity

1. Create Long, Strong and Complex Passwords

To prevent cyber attacks you will need to create passwords that are long and strong to ensure they are difficult for hackers to decipher. Strong passwords should have more than eight characters and include a mix of upper and lowercase letters, numbers, and symbols. The National Institute of Standards and Technology (NIST) recommends memorable and secure passphrases with up to 64 characters, including spaces. To protect your business from dictionary attacks, refrain from using frequently used words or phrases found in dictionaries. These programs can quickly scan thousands of dictionary entries in various languages, so selecting uncommon or unique terms enhances your security. You might want to consider using a password strength evaluation tool to assist you in creating passwords that are less prone to compromise.

2. Use Encryption to Secure Passwords At Rest and In Transit

Encryption plays a vital role in securing passwords and safeguarding user accounts from unauthorized access. Encryption algorithms transform passwords into complex ciphertext using mathematical operations and keys, making it computationally infeasible for attackers to decipher them. This enhances the overall security of online accounts and helps prevent account takeovers, identity theft, and other malicious activities. Note: you should always try to avoid storing passwords if possible.

3. Use Advanced Authentication Methods

To enhance security and prevent unauthorized access, multi-factor authentication has become a widely adopted standard for safeguarding access to organizational resources. This method goes beyond traditional credentials such as usernames and passwords by requiring users to verify their identity through an additional factor. This additional factor can take the form of a one-time code sent to the user’s mobile device or a personalized USB token. The underlying principle is that even if an attacker manages to obtain the user’s password, simply cracking or guessing it is not sufficient to gain access to the system.

As part of multi-factor authentication, employees can use biometric verification methods such as Touch ID fingerprint scanning for iPhones or Windows Hello facial recognition for Windows 11 PCs. This approach enables the system to accurately identify employees by recognizing their unique physical characteristics, such as their face, fingerprints, voice, irises, or even their heartbeat.

4. Practice Mobile Phone Security

With the widespread use of mobile phones for business, shopping, and various other purposes, it’s essential to address the accompanying security concerns. These devices can become easy targets for hackers, potentially compromising sensitive information. To safeguard your mobile phone and other devices from unauthorized access, use strong passwords, fingerprint identification, or facial recognition technology. Your company may also want to consider using Mobile Device Management (MDM) software, which can remotely control and even wipe a company device in the event that it is lost or stolen.

5. Avoid Changing Passwords Too Frequently

This is a controversial topic, as some recommend frequent password changes whereas others argue that doing so can make the system less secure. Some organizations modify passwords at regular intervals, such every 90 or 180 days. However, recent NIST guidelines advise against implementing a mandatory password change policy for personal passwords (excluding privileged credentials). This shift stems from observations that users often resort to repeating previously used passwords. Despite attempts to prevent password reuse, users find inventive ways to circumvent these measures. Not only that but frequent password changes may increase the likelihood of users writing down their passwords, compromising security. Ultimately, NIST advocates for requesting password changes only in cases of potential threats. To prevent disgruntled former employees from compromising your business, establish a policy of changing passwords promptly upon their departure. This simple step can help safeguard your accounts and systems from unauthorized access and potential sabotage by ex-employees seeking revenge or causing disruptions.

6. Use Password Managers

By using a password manager, you only have to remember a single password, making it much easier to manage your online accounts. A password manager securely stores and generates strong, unique passwords for each of your accounts, and automatically fills in the password when logging in. There are two primary types of password managers: personal and privileged. Personal password managers are used by individuals to manage their own passwords, while privileged password managers are used by enterprises to manage and secure sensitive privileged credentials, such as those for user accounts, applications, and systems.

7. Monitor All Password Activity

Use a data security platform that offers real-time monitoring and alerting features, which will enhance password management and security. Such a platform will monitor and record all password-related actions, enabling you to spot anomalies and suspicious behavior instantly. Some of the more sophisticated platforms can detect brute force attacks by tracking excessive failed login attempts and triggering alerts for suspicious login patterns. They will also allow you to automatically execute custom scripts in the event of a potential breach. Finally, many auditing solutions allow you to automate the rotation of passwords for added security.

If you’d like to see how the Lepide Data Security Platform can help with password management and security, schedule a demo with one of our engineers.