Just about every service in our lives requires us to log in using a password. While we may think our passwords are unique and complex enough for no one to guess, there are significant flaws in relying solely on passwords to protect our most sensitive data. Passwords aren’t secure enough for organizations to trust to safeguard their accounts and information.
Why passwords aren’t secure without additional safeguards
Some problems inherent with trusting passwords alone include these points:
- Weak passwords are easy to guess and can quickly be cracked by attackers using automated tools.
- Complex passwords are hard to remember, which means the user may write it down in a place that others can see. The underside of a keyboard is not a secure place to store sensitive notes.
- Reusing passwords: It is easy to remember only one or two strong passwords. Because of this it is common for people to use the same passwords across different systems (social media, banks, news, streaming services, etc.).
- Data breaches: We regularly hear news about sites being breached and user data being stolen, despite many protections in place. This is especially bad when the stolen password has been reused across different systems, making it easier for attackers to reach multiple networks.
- Malicious software on a system can log passwords by logging keystrokes or tricking the user into supplying credentials by mimicking a website.
Relying on passwords alone for security is a dangerous practice which can expose businesses to significant risks. All the concerns listed above can cause significant harm to the organization resulting in costly downtime, loss of data, or even your sensitive data being leaked to the world.
What is the long-term solution?
To mitigate risks, businesses should ultimately adopt a more secure and user-friendly approach to authentication. Adopting a Zero-Trust approach to cyber security should be pursued by every organization.
There are three guiding principles of Zero Trust that sum up its practice within an organization:
- Least-privilege access: Data should only be accessible by those who really need to see it, and only when they need to.
- Explicit verification: Identity needs to be verified every time access is granted, based on every available data point.
- Assumed breach: A crucial shift in perspective in the Zero Trust framework is to assume that you have been or will soon be breached. This mentality puts you in a position of readiness to defend and respond.
Infused Innovations is a true security partner focused on a Zero-Trust approach and can help you plan and implement multiple layers of security to minimize risk at every level. In addition to a very comprehensive endpoint security strategy, this often includes layering baseline security, data retention, conditional access, information protection, data loss prevention, and more. A good starting point may be planning and budgeting for Zero Trust.
For more about Zero Trust, take a look at Facts and Misconceptions About Zero Trust.
But what can be done in the meantime?
Luckily, there are some relatively straightforward steps your company’s users can also adopt to protect themselves today. While this is in no way a replacement for a full security strategy, these are steps in the right direction that can have a positive impact on security and privacy.
- Use passwords that are strong and unique.
- The longer the password, the better (at least 12 characters).
- Passwords should be complex and include special characters, numbers, and both upper and lower case letters.
- Avoid using guessable words or phrases that are meaningful to you such as sports teams, family member/pet names, and birthdays.
- If you’re having a hard time making your password long enough, use a phrase instead of a single word as the basis for your password.
- Leverage password-less authentication where available. This removes the password from the equation and requires a more secure way to authenticate.
- Multi-factor authentication (also known as 2 Factor authentication, MFA, and 2FA) should be turned on EVERYWHERE it is available. This will help prove the user is who they say they are by not only requiring credentials, but having a device that only the user should have. Ideally this would use an authenticator app, but using TXT/SMS or email is still better than no MFA.
- Avoid the reuse of passwords.
- When you use different passwords in different sites, the risk of your data being compromised from any single site/service being breached is minimized greatly.
- Using a password manager software or app can help you keep all your passwords for your different sites. Many of these apps can even automatically enter your credentials for you, making the login process easier.
- Watch out for phishing and scam emails. If you’re not already employing a security awareness training and testing platform at your business, start today. For some examples, read Fake Bosses, COVID-19, And Darth Vader: Interns Learn To Safeguard Against Every Threat.
Comprehensive cybersecurity strategies are critically important and complex. Get help planning your strategy!
If switching to a Zero Trust model still feels like a lot to you, you’re not alone. Let us know if we can help—it’s our mission to empower companies to build the strongest foundations for success and growth. And look out for our upcoming blog post on the return on investment you can get by adopting a Zero Trust framework.