Let’s build on the prior blog by looking into some specific password security issues and solutions that we can use to strengthen our approach now and in the future.
Password Change
Typically, applications within your organization require a password change every three months.
There are mixed recommendations from security specialists regarding this topic.
On the one hand, cybersecurity specialists recommend that we do not change passwords as long as they are used properly (strong passwords, passwords not shared among users and applications, and a secure environment). This is because most individuals derive the new password from the old one using a predictable pattern, such as incrementing a digit or character. Those kinds of password changes do not improve security. They might actually weaken it.
At the other end of the spectrum, specialists recommend changing the password at least every 90 days.
The 90-day recommendation is based upon a calculation made 20 years ago that determined this is the amount of time it takes to break an 8-character password using brute force. But that was long ago. Using multiple cloud computers, hackers can break hashed passwords in a matter of seconds.
Here are our recommendations:
Change passwords every three months if:
A password has been shared among users: changing it prevents someone who no longer needs access to the information from continuing to use it.
A computer has been lost or replaced: a new password prevents someone from using a password stored on that computer to access networked/internet applications.
If you suspect that a password has been compromised, change the password immediately.
How to communicate User IDs and passwords
The best way to protect access to a password is to ensure it is accessible and known only to the user.
In order to do that, each application should store passwords not as plain text in a file or database but as hashed values that remain inaccessible even to IT staff. In case of a data breach, the password information will not be accessible to the hacker.
In addition, this requires that the application allow users to create accounts and change passwords without an IT administrator needing access to password information. The fewer people who have access to passwords, the more secure your environment is.
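As an added example (not the author's code), here is the storage and change flow described above, together with the "incremented digit" problem from the Password Change section, in Python: passwords are kept only as salted PBKDF2 hashes, verification uses a constant-time compare, and a change request is rejected when the new password is a predictable variation of the old one. The work factor, the in-memory store and the pattern rule are assumptions.

```python
import hashlib
import hmac
import os
import re

# Constructed in-memory "database": username -> (salt, hash). No plain-text
# password is ever stored, so a copy of this store does not yield passwords.
_store: dict[str, tuple[bytes, bytes]] = {}
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumption; tune per hardware)


def _derive(password: str, salt: bytes) -> bytes:
    """Slow, salted one-way hash of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def create_account(user: str, password: str) -> None:
    """Store a fresh random salt and the derived hash; the password itself is discarded."""
    salt = os.urandom(16)
    _store[user] = (salt, _derive(password, salt))


def verify(user: str, password: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    rec = _store.get(user)
    if rec is None:
        return False
    salt, stored = rec
    return hmac.compare_digest(stored, _derive(password, salt))


def _stem(password: str) -> str:
    """Password with its trailing digits/symbols removed, case-folded: 'Winter2023!' -> 'winter'."""
    return re.sub(r"[\d!@#$%^&*]+$", "", password).lower()


def is_predictable_change(old: str, new: str) -> bool:
    """True when `new` is `old` with only a counter, suffix symbol or case changed,
    or with at most two characters appended to the same stem (assumed rule)."""
    s_old, s_new = _stem(old), _stem(new)
    if not s_old:  # nothing but digits/symbols; cannot judge, let the length policy decide
        return False
    return s_new == s_old or (s_new.startswith(s_old) and len(s_new) - len(s_old) <= 2)


def change_password(user: str, old: str, new: str) -> bool:
    """The user proves the old password; predictable variations are refused.
    On success the record is replaced with a new salt and hash."""
    if not verify(user, old) or is_predictable_change(old, new):
        return False
    create_account(user, new)
    return True
```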
In some cases, passwords must be shared among users, for example when sending an encrypted file to a co-worker or vendor. Never send a password using the same channel you used to share the data or the user ID.
If you send the data or user ID via email, text the password to the user. Better yet, split the password into two parts and send them separately using two different methods. For example, the first part can be sent via Skype, while the other half can be sent via phone text.
Phone as a Password
84% of the world's population has a smartphone, and without a second thought many of us use facial recognition or a fingerprint scanner to unlock our phones.
Not only have such biometric authentication factors been identified as secure and reliable, but they are also convenient for users to adopt. We can feel reassured that we no longer need to remember and type a password to gain access.
This month, Apple, Microsoft, and Google announced that they will be adopting the FIDO standard on all their platforms next year. Once it is implemented, password-less sign-in to websites and applications will be available everywhere. The standard allows users across Windows, Android, and iOS to use their smartphones to sign in to their internet applications without entering a password. Hackers would need physical access to the user's phone to bypass authentication and log in.
The new approach will be more secure than password protection or multi-factor technologies.
In the meantime
Utilize strong passwords. Long and varied passwords are the most secure type.
Do not share passwords among applications
Utilize multi-factor authentication