Foresight 2020: Implement passphrases and a strong password management process

Passwords are the first defense to protecting private information. It is important to implement strong passwords to make it difficult for outsiders to breach that wall and gain access to sensitive information. Having a weak password leaves not only the user at risk, but when dealing with a company managing any private data, the company is susceptible to hacking which can cost thousands of dollars or even millions of dollars. Over 83% of Americans have weak passwords and 53% of Americans use the same passwords for multiple accounts.  

Here we discuss the common mistakes used when creating a password and provide some tips on creating a strong password.

Most Common Mistakes in Passwords 

Many people include personal information that can be easily found on social media as passwords. In 2019, the UK’s National Cyber Security Center revealed that the top 3 most hacked passwords were “123456”, “123456789”, and “qwerty.” 

Below is a list of common mistakes used in weak passwords:

• 16% of Americans use their name or a family members name 
• 15% use a pet’s name 
• 11% of people use their birthday 
• 8% use words related to a hobby of theirs 
• 5% use part of their address 
• 4% of Americans use the name of their favorite book or movie 
• 3% use celebrity names 
• 3% use the name of the website the password is for 

How to Tighten up Security Through Password Management

1. Follow a password policy. More complex passwords should be used especially by privileged users and executives. Frequent password changes and the use of passphrases should be implemented. This will make it hard for hackers to sell password and username lists to other people who wish to breach your data. 
2. Use passphrases instead of passwords. Unlike a password which is only one word, a passphrase is a string of words used to gain access to a system. It is commonly known to be much harder to guess and with password cracking algorithms being less effective after 10 characters, passphrases tend to be more secure. Passphrases can contain complex rules, they are sensitive to punctuation, symbols, numbers and capitalization. Major operating systems such as MAC OS, Windows, and Linux allow passphrases to be up to 127 characters long. Passphrases really do give a user the ability to make their password very difficult to break. 
3. Implement your password policies into your systems. To help users remember passwords, a secure, encrypted password manager designed for business may be used. The system administrator should implement rules requiring passwords to be changed every 90 days and passphrases every 180 days. Password managers are also great to keep track of passwords to ensure they are not reused.  Here are some more additional steps that can be taken to improve password security: 

1. 1. Configure the minimum character length for passwords to be 10, and 15 for passphrases.
   2. Enable complexity requirements for both passwords and passphrases.
   3. Reset admin passwords every 180 days.
   4. Use strong admin passphrases for all domain admin accounts. 

The Takeaway

Hackers have found many methods to breach your data. You should take the utmost precaution to enhance your security.  In another blog post, we talked about the advantages of using single sign-on to help consolidate password management for your organization. Implementing a strong password management process is one of the first steps you can take to practice good cybersecurity. Take the extra time to set up complex passwords and passphrases and implement a strong password policy on your systems.  These steps are also aligned with the National Institute of Standards and Technology (NIST) SP 800-63-3 guidelines for passwords.