Best Practices for Password Hygiene and Multi-Factor Authentication
Access Point Consulting
Assess, design, and implement your cybersecurity strategy. Peace of mind starts here.
By Justin Quintero-Franco and Alexa Senott, Intern Analysts for Access Point Consulting
Implementing strong passwords is essential to protect your online accounts from unauthorized access. Here's why:
Account Security
Strong passwords are essential for account protection because they act as a barrier to hackers, preventing them from easily guessing or cracking the password. Weak passwords are susceptible to brute-force and dictionary attacks. Implementing a strong password reduces the risk of unauthorized access.
Data Privacy
Online accounts contain sensitive personal and financial information, which is of great interest to hackers. A strong password is essential because it keeps this information secure and private.
Identity Theft Prevention
Compromised accounts can be used by malicious actors to steal a person’s identity, creating many problems including the misuse of personal information and financial loss. Implementing a strong password minimizes this risk.
Best Methods to Create a Strong Password
Implement a Good Length and Combination of Characters
Passwords should contain at least 12 characters and include a combination of uppercase and lowercase letters, words, numbers, and symbols (!, $, #, etc.).
Avoid Using Personal Details
Passwords should be unique and not contain personal details that can be easily found, including pet names, names of family members, phone numbers, or birth dates.
Avoid Dictionary Words
It is best to avoid using common dictionary words. Many password-cracking tools available for free online can come up with a list of passwords based on dictionary words. If you must use dictionary words, add numbers and special characters to them.
Avoid Guessable Words
Avoid using easily guessable passwords such as “password” or “user.” This includes not using adjacent keyboard combinations such as “qwerty” or “12345.”
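The four rules above (length and character mix, no personal details, no dictionary words, no guessable or keyboard-sequence strings) can be enforced mechanically. The following checker is an added example written for this article, not a tool from Access Point Consulting; the word list and keyboard sequences are small constructed stand-ins for the much larger lists real cracking tools use, and the `personal_details` parameter is an assumed interface for the details a user should not embed.

```python
import re

# Policy thresholds follow the article: at least 12 characters with mixed classes.
MIN_LENGTH = 12
# Constructed stand-ins; a real deployment would load a large wordlist.
COMMON_WORDS = {"password", "user", "welcome", "letmein", "admin", "summer"}
KEYBOARD_SEQUENCES = ["qwerty", "asdfgh", "zxcvbn", "12345", "abcdef"]


def _contains_keyboard_sequence(lowered):
    """True if any keyboard/number run (or its reverse) appears in the password."""
    for seq in KEYBOARD_SEQUENCES:
        if seq in lowered or seq[::-1] in lowered:
            return True
    return False


def check_password(password, personal_details=()):
    """Return a list of policy violations; an empty list means the password passes.

    personal_details: strings the user must not embed (pet names, birth years, ...).
    """
    problems = []
    lowered = password.lower()

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Require each of the four character classes named in the article.
    classes = {
        "uppercase letter": re.search(r"[A-Z]", password),
        "lowercase letter": re.search(r"[a-z]", password),
        "digit": re.search(r"[0-9]", password),
        "symbol": re.search(r"[^A-Za-z0-9]", password),
    }
    for name, found in classes.items():
        if not found:
            problems.append(f"missing {name}")

    # Strip digits/symbols first so "Password123!" still trips the dictionary check.
    letters_only = re.sub(r"[^a-z]", "", lowered)
    for word in sorted(COMMON_WORDS):
        if word in letters_only:
            problems.append(f"contains common word '{word}'")

    if _contains_keyboard_sequence(lowered):
        problems.append("contains a keyboard or numeric sequence")

    for detail in personal_details:
        d = detail.lower()
        if len(d) >= 3 and d in lowered:
            problems.append(f"contains personal detail '{detail}'")

    return problems


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ["password", "Qwerty!2024xyz", "Tr0ub4dor&3Horse"]:
        print(candidate, "->", check_password(candidate, personal_details=["Rex", "1987"]))
```

Returning the full list of violations, rather than a bare pass/fail, lets a signup form tell the user exactly which rule to fix; the dictionary check runs on the letters only so that appending a digit or symbol to a common word does not bypass it.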
Other Solutions for Implementing Good Password Practices
Use a Password Manager
In the corporate context, maintaining a comprehensive record of employees’ password history and logs is important. Written record-keeping is insufficient; robust management and protection mechanisms are equally critical. Organizations should implement a secure system capable of storing passwords while employing strong encryption techniques. Password managers shield passwords from unauthorized access, assess their strength, and monitor that they are updated regularly. Password managers to consider include Google Password Manager, NordPass, Dashlane, and LastPass.
Avoid Reusing Passwords
Implementing a robust password management strategy is crucial for safeguarding sensitive information. To mitigate security risks, refrain from reusing passwords across various applications and accounts. Doing so minimizes the potential exposure in case of a breach across different platforms. Additionally, when recycling an existing password, refrain from using it until after three complete password change cycles.
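A password-history check is how an organization enforces the "three complete password change cycles" rule above without ever keeping the old passwords in plaintext. The class below is an added example, not code from the article or from any of the password managers it names; it assumes the rule means that a new password may match neither the current password nor the three most recently replaced ones, and it stores only salted PBKDF2 hashes (the round count is a constructed value to tune per deployment).

```python
import hashlib
import hmac
import os

HISTORY_DEPTH = 3          # previous passwords remembered: the "three change cycles" rule
PBKDF2_ROUNDS = 100_000    # constructed value; raise it to match your hardware budget


def _hash(password, salt):
    """Salted PBKDF2-HMAC-SHA256 so stored history cannot be reversed to plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class PasswordHistory:
    """Tracks one account's current and previous password hashes (never plaintext)."""

    def __init__(self):
        self.current = None        # (salt, digest) of the password in use
        self.previous = []         # most recent first, at most HISTORY_DEPTH entries

    @staticmethod
    def _matches(entry, candidate):
        salt, digest = entry
        return hmac.compare_digest(digest, _hash(candidate, salt))

    def is_reuse(self, candidate):
        """True if candidate equals the current password or one of the last HISTORY_DEPTH."""
        entries = ([self.current] if self.current else []) + self.previous
        return any(self._matches(e, candidate) for e in entries)

    def change(self, new_password):
        """Rotate to new_password; return False (nothing changed) if it is a forbidden reuse."""
        if self.is_reuse(new_password):
            return False
        if self.current is not None:
            self.previous.insert(0, self.current)
            del self.previous[HISTORY_DEPTH:]     # forget anything older than the window
        salt = os.urandom(16)                     # fresh salt per stored hash
        self.current = (salt, _hash(new_password, salt))
        return True


if __name__ == "__main__":
    # Constructed walk-through: four rotations, then an attempted reuse.
    h = PasswordHistory()
    for pw in ["Winter-Tulip-9%", "Copper-Kettle-4!", "Silent-Harbor-7&", "Amber-Meadow-2#"]:
        print("set", pw, h.change(pw))
    print("reuse first password:", h.change("Winter-Tulip-9%"))   # rejected, still in window
```

Each history entry carries its own salt, so the same password stored at two points in time produces unrelated digests and the history file reveals nothing about repetition on its own; the check deliberately re-derives PBKDF2 per entry, which is the cost of never holding plaintext.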
Password Sharing
Passwords should remain confidential and exclusively within an individual’s control. Disclosing passwords to others introduces an additional avenue for threat actors to compromise devices, thereby heightening vulnerability to attacks. Furthermore, using someone's passwords across systems poses significant risks. Not only does it grant an attacker access to multiple systems, but it also violates company policies and undermines the overall strength of password security.
Multi-Factor Authentication
Multi-Factor Authentication (MFA) is a critical security control in both corporate and personal environments. By introducing an additional layer of protection beyond passwords, MFA significantly reduces the likelihood of unauthorized access by threat actors. Even if an attacker gains access to a password, MFA acts as a stopgap. It requires the approval or entry of a secondary authentication factor (such as a time-based code, biometric data, or a hardware token) before granting system access. This layered approach enhances overall security posture and mitigates the impact of compromised passwords.
Password Policy
In a corporate context, establishing a comprehensive password policy is essential. This involves defining what constitutes a strong password, implementing password change cycles, prohibiting password sharing, and outlining consequences for weak passwords. By adhering to such policies, organizations enhance security posture and protect sensitive data.
Password Storing
Passwords should not be stored where they can be accessed by others. Password managers are a useful tool for storing passwords. If you prefer to physically write down passwords, keep them locked in a secure location.
What to Do if Someone Obtains Your Password?
Change Your Password
If you suspect that your password has been stolen, it is important to immediately change your password. If you use the same password across multiple accounts, it is highly recommended to change those as well. Implement a new robust password that is different from your previous password.
Sign Out from All Devices
Force a logout of your account from all devices to prevent further unauthorized access.
Enable Multi-Factor Authentication
Implementing multi-factor authentication methods will add an extra layer of security to your account on top of having a password. There are many forms of additional authentication including PINs, security questions, and biometrics.
What is Multi-Factor Authentication?
Multi-Factor Authentication (MFA) authenticates users using multiple verification factors. By combining two or more factors, multi-factor authentication makes it much more difficult for a malicious actor to obtain account or system access.
Multi-Factor Authentication Examples
Multi-Factor Authentication methodology combines these three elements:
Knowledge
Knowledge is based on something you know. It involves anything you can easily remember and recall. Some examples include passwords, PINs, code words, combinations, and security questions.
Possession
Possession focuses on something you have. Some examples include keys, badges, security keys, smartphones, USB drives, hardware token devices, software tokens, and certificates.
Inherence
Inherence is a state or quality of being inherent, or a fixed characteristic such as your fingerprint or face. Biometric technologies use inherence to verify identity.
Multi-Factor Authentication Methods
Email Codes
When attempting to log into an account, a unique code is sent to the registered email address. The code is then entered on the login page to verify the user’s identity.
One-Time Passwords (OTPs)
One-Time Passwords are delivered through text message or phone call. When a user attempts to log into an account, an OTP will be sent to the phone number associated with the account. The OTP is then entered on the login page to verify the user’s identity.
Biometrics
Biometrics are the unique physical or behavioral characteristics of a user with which only they can be identified. Biometric verification methods include voice recognition, facial recognition, retina scans, iris scans, and behavioral analysis.
Security Questions
Security questions ask for information only the user knows such as the name of their first pet, hometown, or first employer. Security questions are a relatively weak form of validation and are best used in conjunction with a password.
Authenticator Apps
Authenticator apps are a newer, increasingly popular multi-factor authentication method that does not rely on a phone number or email address. These apps generate OTPs which can be entered on the login page to verify the user’s identity.
Magic Links
Magic links are sent to the user’s email address after the initial login attempt. This link is unique and can only be used for a short amount of time before it expires. The link can directly authenticate the user after it is clicked on.
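The three properties a magic link needs (unpredictable, short-lived, single-use) map onto a small token store. The class below is an added example, not code from the article; the ten-minute lifetime is a constructed value, and the email-sending and URL-building steps are left to the caller since the security logic is in how the token is generated, stored, and redeemed.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 600   # constructed value: links expire ten minutes after issue


class MagicLinkStore:
    """Issues and redeems single-use, short-lived login tokens; stores only token hashes."""

    def __init__(self):
        self._pending = {}   # sha256(token) -> (email, expires_at)

    def issue(self, email, now=None):
        """Create a token for `email`; the caller embeds it in the emailed URL."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)              # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).hexdigest()
        # Storing the hash means a leaked database does not yield usable links.
        self._pending[digest] = (email, now + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token, now=None):
        """Return the email the link authenticates, or None if unknown, expired, or already used."""
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(digest, None)       # pop removes it: single use
        if entry is None:
            return None
        email, expires_at = entry
        if now > expires_at:
            return None                               # expired; already removed, cannot retry
        return email

    def purge_expired(self, now=None):
        """Housekeeping: drop expired entries so the table does not grow without bound."""
        now = time.time() if now is None else now
        stale = [d for d, (_, exp) in self._pending.items() if now > exp]
        for d in stale:
            del self._pending[d]
        return len(stale)


if __name__ == "__main__":
    # Constructed walk-through with a fixed clock.
    store = MagicLinkStore()
    t = store.issue("user@example.com", now=1000)
    print("first click:", store.redeem(t, now=1100))   # user@example.com
    print("second click:", store.redeem(t, now=1101))  # None, token already consumed
```

Looking the token up by its SHA-256 digest is sufficient here because the token itself is 256 bits of randomness; the hash protects the store at rest, while the `pop` on redemption is what makes a forwarded or intercepted link useless after its first use.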
Social Login
This MFA method allows users to authenticate using existing social media accounts such as LinkedIn and Facebook. Using this method requires additional security checks through OTPs and email confirmations.
Smartcards and Cryptographic Hardware Tokens
Smartcards and cryptographic hardware tokens provide an additional layer of security that grants access to a secure system only to users who physically possess them. Smartcards are credit-card sized devices with an embedded chip that stores and processes data. Cryptographic hardware tokens are small devices that generate unique codes at set intervals, which are used to gain access to a system.
Other Types of Multi-Factor Authentication
Location-Based
Location-based MFA looks at the user’s IP address and geographic location, if applicable. If the information does not match what is specified on a whitelist, the user’s access is blocked. Additional verification is required when an authenticated user needs to specify a location or IP change. Location-based authentication may also be used as a supplemental form of authentication.
Risk-Based
Risk-based MFA analyzes additional factors by considering the context and behavior during the authentication process and calculating a risk level. To determine whether additional authentication is required or to block access completely, the user must answer questions like these
How to Set Up Multi-Factor Authentication
Websites and services often prompt users to provide a phone number, additional email addresses, and/or a backup code. These are paired with a password to provide an additional layer of security.
Summary
By following best practices for creating strong passwords and using tools like password managers and multi-factor authentication, you can significantly enhance your account security, data privacy, and identity theft prevention. Stay vigilant in managing your passwords to stay safe online.