EXECUTIVE SUMMARY:

National Change Your Password Day is celebrated on the first of February each year, as a day of awareness.

As you already know, credential exploitation is unbelievably profitable for cyber criminals. More than 775 million credentials are currently available for sale on the dark web. Bank account details sell for more than $4,000 each.

Regular password rotation, combined with adherence to password creation best practices, prevents hackers from guessing passwords, using tools to crack passwords, and from effectively weaponizing credentials purchased through underground marketplaces.

National Change Your Password Day might not have the allure of other holidays (the naming consultants were apparently on vacation when it was created), but the day serves as a reminder for organizations to enhance password security measures.

Unauthorized organizational data access could result in lost revenue, lost market share and lost company credibility. But stop losing sleep over it. Upgrade your password security strategy with the following tips:

7 easy password security upgrades that you can implement today

1. Identity and access management (IAM). Automated identity and access management solutions boost security and provide administrators with greater control over users’ access to systems.

In turn, IAM empowers organizations to prevent identity theft, to limit data loss, and to stop unauthorized access to sensitive business data.

2. Educate employees about best practices. Remind in-office employees to avoid writing passwords down on sticky notes. Tell employees not to save passwords to browsers, as a wide range of malware and extensions can extract sensitive data from them.

Inform employees about the risks of using the same password over and over again, with different numbers at the end. Explain that hackers know that people commonly end passwords with exclamation points. Reinforce information about the risks associated with sharing login credentials.

These are just a handful of specific, yet extremely important, things about which to educate employees.

3. Limit the number of allowed password attempts. While it’s true that employees occasionally forget their passwords, cyber criminals will exploit unlimited login attempts to guess passwords for their own gain.

In a classic example, a cyber criminal may obtain an employee’s email address and then request a password reset. Depending on how the reset process is set up, the cyber criminal may then try the recovered password against a variety of other accounts and systems in an effort to break in.

Placing a limit on the number of allowed password attempts increases password security, as it reduces the chance that someone will successfully break into a system by guessing a valid username and password combination.
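The following is an added example, not code from the original post: a small server-side login throttle that counts failed attempts per username inside a sliding window and locks the account for a fixed period once the limit is reached. The attempt limit, window and lockout durations are assumptions chosen for illustration.

```python
import time
from collections import defaultdict

# Policy values below are assumptions for this example, not figures from the article.
MAX_ATTEMPTS = 5            # failures allowed inside the window before locking
WINDOW_SECONDS = 15 * 60    # failures older than this no longer count
LOCKOUT_SECONDS = 30 * 60   # how long a locked account stays locked


class LoginThrottle:
    """Counts failed logins per username and locks the account after too many."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS, lockout=LOCKOUT_SECONDS):
        self.max_attempts = max_attempts
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(list)  # username -> timestamps of recent failures
        self._locked_until = {}             # username -> time the lock expires

    def is_locked(self, user, now=None):
        now = time.time() if now is None else now
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:                    # lock expired: forget the old failures too
            del self._locked_until[user]
            self._failures.pop(user, None)
            return False
        return True

    def record_failure(self, user, now=None):
        """Records a failed attempt; returns True if it triggered a lockout."""
        now = time.time() if now is None else now
        recent = [t for t in self._failures[user] if now - t < self.window]
        recent.append(now)
        self._failures[user] = recent
        if len(recent) >= self.max_attempts:
            self._locked_until[user] = now + self.lockout
            return True
        return False

    def record_success(self, user):
        self._failures.pop(user, None)


def attempt_login(throttle, user, password, verify, now=None):
    """Returns "locked", "ok" or "denied". `verify(user, password)` is the real credential check."""
    # Check the lock before touching the credential store, so a locked account
    # cannot be probed at all and every outcome follows a similar path.
    if throttle.is_locked(user, now):
        return "locked"
    if verify(user, password):
        throttle.record_success(user)
        return "ok"
    throttle.record_failure(user, now)
    return "denied"
```

Keying the counter on the username alone stops repeated guesses against one account, but it does nothing against a single password tried across many usernames and it lets anyone lock a colleague out by typing their name five times; in practice this is paired with per-source-IP limits, a generic "invalid username or password" message, and an alert when lockouts spike.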

4. Audit systems for extraneous employee accounts. Occasionally, employees create extra ways into computer systems, for legitimate purposes, by setting up multiple user accounts.

The extra accounts enable employees to perform additional tasks for the enterprise. However, if an employee who holds multiple accounts for a given service leaves the organization, those accounts can remain behind as access points for unauthorized entry into network systems.

Organizations should audit network systems where possible and delete extraneous accounts.
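As an added example (not part of the original post), the audit described above can be automated by cross-referencing an account export against the HR roster. The roster, the account list, the 90-day staleness threshold and the date fields are all constructed for this illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data, not from the article: an HR roster and an account
# export from one system (a directory or a SaaS admin console, for instance).
HR_ROSTER = {
    "alice": {"status": "active"},
    "bob":   {"status": "terminated", "end_date": date(2023, 11, 30)},
    "carol": {"status": "active"},
}
ACCOUNTS = [
    {"username": "alice",       "owner": "alice", "last_login": date(2024, 1, 29)},
    {"username": "alice-admin", "owner": "alice", "last_login": date(2023, 6, 1)},
    {"username": "bob",         "owner": "bob",   "last_login": date(2023, 11, 29)},
    {"username": "bob-svc",     "owner": "bob",   "last_login": date(2024, 1, 15)},
    {"username": "svc-backup",  "owner": None,    "last_login": date(2024, 1, 28)},
    {"username": "carol",       "owner": "carol", "last_login": date(2024, 1, 30)},
]


def audit_accounts(accounts, roster, today, stale_days=90):
    """Returns (subject, reason) findings for accounts that should be reviewed or removed."""
    findings = []
    by_owner = defaultdict(list)
    for acct in accounts:
        name, owner = acct["username"], acct["owner"]
        if owner is None:
            findings.append((name, "no owner on record"))
            continue
        by_owner[owner].append(name)
        person = roster.get(owner)
        if person is None:
            findings.append((name, "owner not in HR roster"))
        elif person["status"] != "active":
            findings.append((name, "owner has left the organization"))
            # The case the article warns about: a leaver's spare account still being used.
            if acct["last_login"] > person["end_date"]:
                findings.append((name, "used after the owner's end date"))
        elif (today - acct["last_login"]).days > stale_days:
            findings.append((name, f"unused for more than {stale_days} days"))
    # Active staff holding several accounts get a finding so each extra one is justified.
    for owner, names in by_owner.items():
        if len(names) > 1 and roster.get(owner, {}).get("status") == "active":
            findings.append((owner, f"owns {len(names)} accounts: {', '.join(sorted(names))}"))
    return findings


if __name__ == "__main__":
    for subject, reason in audit_accounts(ACCOUNTS, HR_ROSTER, date(2024, 2, 1)):
        print(f"{subject:12} {reason}")
```

Ownerless service accounts are reported rather than deleted automatically, since removing one blindly is how backups stop running; the point of the audit is to force every account to have a named, current owner.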

5. Consider password management tools. The majority of web browsers do offer basic password managers these days. But they don’t offer as much value as dedicated password managers.

Password managers generate extremely strong passwords. Some password managers also offer passwordless authentication support, meaning that people can log in with a one-time code, biometric authentication, a security key or passkeys.

While there isn’t a 100% secure password management solution, password managers can serve as a useful support mechanism within a broader cyber security framework.

6. Ensure that two-step authentication has been implemented. Also known as multi-factor authentication, two-step authentication adds complexity to the login process, making it more difficult for a cyber criminal to gain illicit account access.

Two-step authentication enhances the overall resilience of digital identities and also helps to foster a culture of cyber security, as two-step auth means that users must actively participate in fortifying their online presence.

These days, two-step authentication is considered an essential element of a robust password security strategy.

7. Advanced anomaly detection systems. These types of systems can identify irregular patterns in login behavior, such as unusual access times, duplicate or overlapping logins for the same account, and logins from unfamiliar locations.

Admins can set up corresponding alerts and notifications. Personnel should regularly review and analyze logs generated by systems and are encouraged to take proactive measures in order to address any apparent risks.
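To make the three signals above concrete, here is an added example (not code from the original post) that builds a per-user baseline of usual login hours and locations from earlier log lines and then flags later logins that fall outside it, including two logins for one account from different countries within a few minutes. The log format, the sample lines, the cutoff date and the ten-minute window are all constructed for this illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the article); the line format is assumed.
LOG_LINES = """
2024-01-29T09:02:11Z LOGIN user=alice src=203.0.113.10 geo=GB result=success
2024-01-30T08:55:40Z LOGIN user=alice src=203.0.113.10 geo=GB result=success
2024-01-31T09:10:02Z LOGIN user=alice src=203.0.113.11 geo=GB result=success
2024-02-01T03:17:45Z LOGIN user=alice src=198.51.100.7 geo=BR result=success
2024-02-01T09:00:12Z LOGIN user=alice src=203.0.113.10 geo=GB result=success
2024-02-01T09:04:30Z LOGIN user=alice src=198.51.100.9 geo=BR result=success
2024-01-30T14:00:00Z LOGIN user=bob src=192.0.2.5 geo=US result=success
2024-02-01T14:05:00Z LOGIN user=bob src=192.0.2.5 geo=US result=success
""".strip().splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) LOGIN user=(?P<user>\S+) src=(?P<src>\S+) geo=(?P<geo>\S+) result=(?P<result>\S+)$"
)


def parse(lines):
    """Parses the constructed format into dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def build_baseline(events):
    """Usual login hours and countries per user, from successful logins only."""
    hours, geos = defaultdict(set), defaultdict(set)
    for e in events:
        if e["result"] == "success":
            hours[e["user"]].add(e["ts"].hour)
            geos[e["user"]].add(e["geo"])
    return hours, geos


def detect(lines, cutoff, concurrent_window=timedelta(minutes=10)):
    """Returns (timestamp, user, reason) alerts for successful logins at or after `cutoff`."""
    events = parse(lines)
    hours, geos = build_baseline([e for e in events if e["ts"] < cutoff])
    minutes = int(concurrent_window.total_seconds() // 60)
    alerts = []
    for e in events:
        if e["ts"] < cutoff or e["result"] != "success":
            continue
        u = e["user"]
        if hours[u] and e["ts"].hour not in hours[u]:
            alerts.append((e["ts"], u, "login outside usual hours"))
        if geos[u] and e["geo"] not in geos[u]:
            alerts.append((e["ts"], u, f"login from unfamiliar location {e['geo']}"))
        # Overlapping access: another successful login for the same user, from a
        # different country, in the window just before this one.
        for other in events:
            if other is e or other["user"] != u or other["result"] != "success":
                continue
            if other["geo"] != e["geo"] and timedelta(0) <= e["ts"] - other["ts"] <= concurrent_window:
                alerts.append((e["ts"], u, f"login from {e['geo']} within {minutes} min of a login from {other['geo']}"))
    return alerts


if __name__ == "__main__":
    for ts, user, reason in detect(LOG_LINES, datetime(2024, 2, 1)):
        print(ts.isoformat(), user, reason)
```

On the sample data only alice's two Brazilian logins are flagged; bob's afternoon login from his usual address is not. A three-day baseline and an exact set of hours are deliberately crude: a production rule would use weeks of history, tolerate neighbouring hours, and treat a failed-login burst before the anomalous success as an additional signal.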

Further information

If you’re wondering about the security of your accounts, or those within your organization, Google’s Password Checkup can show you which Google email addresses and passwords have been compromised in a breach. Another site that can be used to reliably detect compromised email addresses and passwords is Have I Been Pwned.
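Have I Been Pwned's password lookup is designed so that the password, and even its full hash, never leave your machine: the client hashes the password with SHA-1, sends only the first five hex characters of the digest to `https://api.pwnedpasswords.com/range/<prefix>`, and receives every known-breached hash suffix sharing that prefix, which it then searches locally. The block below is an added example, not code from the article or from Have I Been Pwned; the range response it matches against is constructed (the breach count shown for "password" is made up, only the hash suffix is real), and the optional network fetch is included for completeness but is not exercised offline.

```python
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real endpoint; k-anonymity range API


def split_hash(password: str):
    """SHA-1 of the password, split into the 5-hex-char prefix that is sent and the suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password: str, range_response: str) -> int:
    """Searches a range response ("SUFFIX:COUNT" per line) for the password's suffix; 0 if absent."""
    _, suffix = split_hash(password)
    for line in range_response.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if hashlib.sha1 and candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Fetches the live range for a prefix (network access required; not used by the offline check)."""
    req = urllib.request.Request(PWNED_RANGE_URL + prefix, headers={"User-Agent": "password-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response for prefix 5BAA6. The second suffix is the real
# SHA-1 tail of the string "password"; the counts and other suffixes are made up.
SAMPLE_RANGE_RESPONSE = """
0018A45C4D1DEF81644B54AB7F969B88D65:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567
1F0C8E9D0A1B2C3D4E5F60718293A4B5C6D:7
"""

if __name__ == "__main__":
    print(split_hash("password"))                              # ('5BAA6', '1E4C9B93F3F0682250B6CF8331B7EE68FD8')
    print(breach_count("password", SAMPLE_RANGE_RESPONSE))     # 1234567 on the constructed response
```

Because a five-character prefix covers hundreds of hashes, the service learns only that your password's hash starts with the same characters as those entries. That property is what makes it acceptable to run this check at password-change time on a corporate login page, rejecting any new password whose count is non-zero.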

National Change Your Password Day: Related Resources

  • 20 password management best practices
  • Gigya founder discusses passwordless authentication and new startup (interview)
  • Identity and access management resources and tools