What businesses can do to improve password security

Common misconceptions

Conventional wisdom holds that a good password is at least 12 characters long, contains a mix of upper and lower case, and includes numbers and symbols. However, as this famous XKCD comic illustrates, this advice can often produce passwords which are difficult for a human to remember and easy for a computer to crack.

A string of random English words makes for a much more secure password. Numbers, symbols and upper case letters can make a password stronger, as long as you avoid common pitfalls such as using predictable substitutes for letters (e.g. ‘4’ for ‘A’, ‘$’ for ‘S’) and putting capital letters at the start of words (e.g. ‘BigHouse95’).

Many login systems use complexity requirements which demand that a password contains at least one number and one capital letter. While this may be good advice, complexity requirements are not recommended. They reinforce the incorrect assumption that a password containing numbers and mixed case is automatically more secure than one which doesn’t.

Some businesses force their users to change passwords at regular intervals, usually every 30, 60 or 90 days. This is supposed to make passwords more secure but actually proves counterproductive, as users will choose simple passwords that they can remember with each change. If an account is hacked, it will probably be exploited immediately, so enforcing regular password changes is unlikely to make much difference.

Password managers

Another way to create good passwords is using a password generator, which randomly produces passwords of a given length and complexity. Such passwords are almost impossible to memorise though, so businesses are encouraged to train employees in password manager software, such as Dashlane or LastPass.

A password manager can keep track of every password a user needs, meaning that passwords can be much more complex and each user only has to remember one - the master password. The 'three random words' technique is a good way of producing a master password which is easy to remember but difficult to guess.

Using password managers also makes it easier for users to have a different password for every account, rather than reusing passwords. This reduces the impact if one account is hacked.

Extra layers of security

Businesses which don’t want to use a password manager are advised to reduce the password burden on their employees in other ways, such as using single sign-on and multi-factor authentication.

Single sign-on allows users to access a range of platforms via one login, meaning that they only have to remember one set of credentials. However, this does mean that a potential hacker would have more access if they cracked the password, so single sign-on is usually supported by multi-factor authentication (MFA).

MFA adds another layer of security by forcing users to provide more information. The classic example is a security question, although these can be problematic - information like “Mother’s Maiden Name” or “Place of Birth” is easily accessible to anyone who has social media. A one-time passcode sent to a mobile phone, or a fingerprint, is more secure.

Technical solutions

There are some simple technical solutions that businesses can implement to prevent hacking, such as throttling or account lockout. Throttling locks a device for an increasing length of time after several failed attempts, while account lockout completely prevents access and requires an account recovery method (such as calling a helpdesk) to unlock.

Security monitoring detects suspicious patterns which suggest hackers are trying to guess a password, including login attempts which fail the second stage of MFA, password spraying (using lists of common passwords to brute-force accounts), login attempts from unusual geographic areas, and unexpected throttling/account lockout.

Businesses can also implement password blacklisting to prevent users from choosing very obvious passwords, although a better way of doing this is to provide training to advise employees about how to create a good password and the pitfalls to avoid.

Conclusion

To summarise, here are the key points to improve your business' password security:

• Don’t assume that a password containing numbers and symbols is necessarily better than one which doesn’t.
• Don’t use complexity requirements or password expiry, as these reinforce bad security practices.
• Use a password manager to store secure passwords and reduce the burden on users.
• Use additional layers of security, such as single sign-on and multi-factor authentication, to strengthen account security - but don’t use obvious security questions.
• Combat hacking with throttling/account lockout and security monitoring.
• Provide employees with training so that they can create better, more secure passwords.