EXECUTIVE SUMMARY:

Remember the infamous 2021 SolarWinds supply chain attack? Cyber criminals were able to coordinate the attack because an intern rendered the password ‘solarwinds123’ publicly accessible via a GitHub repository, in 2018. While this led to an extreme business compromise situation, SolarWinds is not the only organization that’s ever struggled with password management…

In fact, research shows that eighty-one percent of corporate data breaches occur due to poor password management — an avoidable problem that can cost an organization as much or more than $4.35 million, which is the average cost of a data breach.

Despite the seeming triviality of passwords, as evidenced by the SolarWinds episode, it can prove exceedingly difficult for organizations to recover – financially and reputationally – from password-based breaches. In this article, brush up on best practices for preventing serious incidents that start with a password.

7 tips for preventing password-based breaches

1. Leverage strong password requirements. Although no password is ever entirely hack-proof, longer passwords are challenging for cyber criminals to guess, decipher or otherwise exploit.

Require a minimum number of password characters, a mix of upper and lower case letters, numbers and special characters. In addition, due to the nature of cyber criminal tactics, consider disallowing the use of dictionary words, common phrases and personal information within passwords.

2. Enable multi-factor authentication (MFA). In the event that a password or multiple passwords are compromised, multi-factor authentication (MFA) provides an extra layer of security. MFA should be applied for all user accounts and critical systems.

One factor in the MFA model is typically a standard password – something that the employee knows. While another factor, like a code received via text, is generally something that the employee has. Biometrics can theoretically represent yet another factor, however, experts advise against widely applying biometric authentication mechanisms for security purposes.

3.“Hashing” and “salting” passwords. These protocols are recommended by the National Institute of Standards and Technology (NIST). In case the terms are unfamiliar, NIST defines a hash as “a function that maps a bit string of arbitrary length to a fixed-length bit string”. In other words, the practice of hashing effectively scrambles the password characters in a way that ensures that a database never exposes a list of plain text passwords to cyber criminals. Salting involves adding supplementary data to passwords ahead of hashing, rendering stored passwords particularly challenging to exploit.

4. Educate and empower employees. Ensure that your organization’s employees are aware of common phishing tactics used to gain passwords. Emphasize that hackers commonly pose as trustworthy parties and/or may send users malicious webpages through which to input credentials. When it comes to employee education, review a variety of plausible scenarios through which cyber criminals may attempt to pinch passwords. Empower employees to protect their credentials.

5. Leverage a lockout mechanisms. NIST suggests locking a user out of password protected accounts in the event that an incorrect password has been input multiple consecutive times. NIST says that no more than 100 login attempts should be permitted. Many organizations opt to lock accounts after three to five incorrect login attempts.

6. Apply the principle of least privilege. Provide employees with the privileges that they require in order to effectively complete job requirements. Avoid providing employees with superfluous permissions. This way, in the event of account compromise, the damage will likely be limited.

7. Respond to suspicious activity. Set up alerts that can provide your team with information about suspicious activities, such as a substantive series of failed login attempts from unfamiliar locations. Ensure that your team investigates and responds to these alerts, as this will help prevent potential breaches.

For more password security insights, please see CyberTalk.org’s past coverage. To receive inspiring cyber security insights, groundbreaking research and emerging threat analyses each week, subscribe to the CyberTalk.org newsletter.