Rohan Vaidya, Jun 07, 2019 12:27:15 IST
Password security has been ignored for a long time by many organisations. People are usually careless with password management, even though they are aware of the consequences of having a weak password. The lack of strong passwords, a failure to change (or rotate) passwords on a regular basis, human error and the most significant flaw — password reuse — are among the main issues which companies face today.
Passwords are frequently the first line of defence for the endpoint, such as the workstation, laptop or smartphone on which the workday begins. This is the first point of contact the employee has with the organisation’s systems and, if compromised, it can jeopardise the entire organisation. A compromised endpoint is the first step in an attack, so any flaw in its security defences becomes a serious issue.
For this reason, many companies are looking for a way to kill the password once and for all. Today, password attacks come from all angles. Some programs can crack complex passwords in just a few seconds. The most common types of attacks we see today are sophisticated phishing and spear phishing attacks, social engineering, brute force attacks, and malware exfiltration attacks. Often, these attacks are aimed at stealing privileged credentials.
It’s not surprising that there have been a number of attempts to replace the password altogether. Recently, Google initiated a “passwordless” pilot program that provides remote access to their employees. Microsoft already declared “an end to the era of the password” at its 2018 Ignite Conference. Yahoo also tried to kill the password back in 2015 with their “Account key,” which was a push feature. While these innovative alternatives will be adopted over time, it is going to take some time before we reach a passwordless nirvana.
Here are some of the best practices for IT admins and security teams to make sure end-user passwords are not compromised in the meantime.
Fact: A long password built from a nonsense phrase is much harder for hackers to crack.
Use a strong password – Hackers use multiple methods to try to crack your password. Strong passwords contain several types of characters, such as commas, percent signs and parentheses, as well as upper-case and lower-case letters and numbers. The longer and more complex your password is, the more time and effort an attacker needs to crack it. If your password combination is not in a dictionary or in any published literature, that combination becomes very hard to crack. It is also advisable not to use keyboard sequences, such as numbers in order.
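The checks above (length, character variety, not in a dictionary, no keyboard runs) can be expressed as a small policy checker. The code below is an added example, not from the original article or from CyberArk; the common-password list, the keyboard sequences and the thresholds (14 characters, 60 bits) are constructed assumptions for illustration, and the "bits" figure is only a naive upper bound that assumes every character was chosen at random.

```python
import math
import string

# Constructed stand-in for a real breached-password list (assumption).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

# Constructed keyboard / alphabet / numeric runs the policy rejects (assumption).
KEYBOARD_SEQUENCES = (
    "qwertyuiop", "asdfghjkl", "zxcvbnm",
    "1234567890", "abcdefghijklmnopqrstuvwxyz",
)


def charset_size(password: str) -> int:
    """Size of the alphabet the password actually draws characters from."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 ASCII symbols
    if any(c.isspace() for c in password):
        size += 1
    return size


def estimated_bits(password: str) -> float:
    """Naive strength estimate log2(alphabet ** length).

    This is an upper bound: a dictionary word or keyboard run scores well here
    but is guessed almost instantly, which is why the other checks exist.
    """
    size = charset_size(password)
    if not password or size == 0:
        return 0.0
    return len(password) * math.log2(size)


def contains_sequence(password: str, min_run: int = 4) -> bool:
    """True if any window of min_run characters is a straight (or reversed) keyboard run."""
    lowered = password.lower()
    for seq in KEYBOARD_SEQUENCES:
        for i in range(len(seq) - min_run + 1):
            run = seq[i:i + min_run]
            if run in lowered or run[::-1] in lowered:
                return True
    return False


def assess(password: str, min_length: int = 14, min_bits: float = 60.0) -> dict:
    """Apply the policy and return the list of reasons a password was rejected."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    if contains_sequence(password):
        problems.append("contains a keyboard or sequential run")
    bits = estimated_bits(password)
    if bits < min_bits:
        problems.append(f"estimated strength {bits:.1f} bits is below {min_bits}")
    return {"bits": round(bits, 1), "problems": problems, "acceptable": not problems}


if __name__ == "__main__":
    for candidate in ("qwerty123", "correct horse battery staple%7"):
        print(candidate, "->", assess(candidate))
```

In a real deployment the common-password set would be replaced by a lookup against a breached-password corpus rather than a five-entry set, and the bit estimate should never be the only criterion, since it cannot tell a random string from a famous quotation of the same length.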
Fact: More than 50 percent of IT professionals reuse passwords across multiple accounts
Use a unique password for different accounts – If you use the same password on multiple sites or accounts, then even if that password is long and complex, a leak from any one of them can be used to get into all the others. A hacker who gains access to one of your accounts thereby makes every other account that shares the password vulnerable. It is advisable to use a unique password for every service and account. The more sensitive your data is, the more often you should change your password.
Fact: Multi-factor authentication makes an account much harder for attackers to break into
Use multi-factor authentication – This means that more than one type of authentication is required to unlock the account. The first part of the authentication process requires something the user already knows, such as a password. The second part involves something the user does not know in advance, such as a one-time code sent to their mobile phone by the authentication system or generated by a designated application on the phone. This code becomes the other half of your login and helps guard the account from attackers. Even if attackers manage to get your password, without this second-factor code they will not get access to your account.
Fact: Rotating local admin passwords reduces risk at the endpoints
Address the risk of local admin accounts on workstations — IT teams commonly share admin rights, and the passwords that go with them, so that workloads and duties can be handed over seamlessly. But weak passwords and end users with local admin rights on their workstations represent a significant security risk for organisations. Many attacks start on endpoints, where hackers initially gain access through a phishing attack or when an employee inadvertently downloads and executes a malicious application.
In many cases, the main aim of the attacker is to compromise the privileged credentials that reside on workstations. Privileged credentials — such as admin rights — allow attackers to move laterally until they obtain credentials to systems holding sensitive PII or intellectual property. To reduce this risk, organisations must rotate local admin credentials (including the operating system’s built-in local account) on a regular basis as an important security measure. Over time, organisations must also consider removing local admin rights from end-user workstations in order to reduce the risk of attacks from the endpoint.
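Rotating local admin credentials "on a regular basis" implies two things in practice: every host gets its own random password (so one captured hash does not open the rest of the fleet), and some process tracks when each host was last rotated and flags the ones that are overdue. The scheduler below is an added example written for this page, not code from the original article or from any CyberArk product; the inventory, the 30-day maximum age and the password alphabet are constructed assumptions, and the part that actually sets the password on the host and escrows it in a vault is deliberately left out, since that depends on the platform tooling in use.

```python
import secrets
import string
from datetime import datetime, timedelta

# Alphabet for generated local admin passwords (assumption; pick to suit your platform's rules).
ALPHABET = string.ascii_letters + string.digits + "!#%&*+-=?@_"

# Constructed inventory: hostname -> datetime of last rotation, None = never rotated.
SAMPLE_INVENTORY = {
    "ws-finance-01": datetime(2019, 4, 1),
    "ws-finance-02": datetime(2019, 6, 1),
    "ws-hr-07": None,
}
NOW = datetime(2019, 6, 7)
MAX_AGE = timedelta(days=30)  # rotation interval (assumption)


def generate_local_admin_password(length: int = 24) -> str:
    """Draw from the OS CSPRNG so no two hosts end up sharing a password by accident."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def hosts_due_for_rotation(inventory: dict, now: datetime, max_age: timedelta = MAX_AGE) -> list:
    """Hosts never rotated, or whose last rotation is at least max_age old, sorted by name."""
    return sorted(
        host for host, last in inventory.items()
        if last is None or now - last >= max_age
    )


def rotate(inventory: dict, now: datetime, max_age: timedelta = MAX_AGE) -> dict:
    """Build a rotation plan {host: new_password} for every due host and stamp the inventory.

    Applying the password on the endpoint and escrowing it in the vault happen outside
    this function; the inventory is only updated here so the next run does not re-flag
    the same hosts.
    """
    plan = {}
    for host in hosts_due_for_rotation(inventory, now, max_age):
        plan[host] = generate_local_admin_password()
        inventory[host] = now
    return plan


def run_demo():
    """Run one rotation cycle over the constructed inventory and report before/after state."""
    inventory = dict(SAMPLE_INVENTORY)
    due_before = hosts_due_for_rotation(inventory, NOW)
    plan = rotate(inventory, NOW)
    due_after = hosts_due_for_rotation(inventory, NOW)
    return due_before, plan, due_after


if __name__ == "__main__":
    before, plan, after = run_demo()
    print("due before:", before)
    print("rotated:", sorted(plan))          # never print the passwords themselves
    print("due after:", after)
```

A rotation that is not paired with an escrow of the new password is just a lockout, so the plan returned by `rotate` should be consumed by whatever stores the per-host secret (a privileged access vault or an equivalent) before the change is pushed to the endpoint; the uniqueness check in the test is the property that makes per-host rotation worthwhile.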
The author is regional director, Sales, India at CyberArk