Passwords – who needs them?!?
This blog is part of our series on the Essential Eight and highlights the importance of multifactor authentication (MFA) to your cybersecurity posture.
As with all things technology, nothing stays the same. This is certainly true of password use, too. Although a simple username and password provided a reasonable security barrier for most people 20 years ago, this is definitely not the case today.
Many cybersecurity breaches are due to credential theft. Data breaches have become so common that people don’t even think twice when a global company has leaked millions of passwords to the Internet. Using the data from these breaches, Australian cybersecurity professional Troy Hunt has become famous for his website, https://haveibeenpwned.com/. The site allows users to check whether their accounts have been involved in any of the publicly known data breaches.
Poor password practices
A number of the problems with passwords stem from human nature. With the proliferation of accounts we need in the modern world, people tend to reuse the same password or use passwords that are easy to remember. This often equals poor password hygiene. When you reuse passwords, it makes those accounts easy targets, as attackers can successfully use the hacked credentials against other popular online services.
Research shows that traditional password policies, such as regularly changing passwords and enforcing complexity requirements, often result in poor password hygiene. This situation has led to a raft of new best practices on password use from big players, including the National Institute of Standards and Technology (NIST) and Microsoft.
No passwords necessary
Google and Microsoft now offer passwordless authentication as a convenient and secure alternative for authentication. Several methods of passwordless login, involving different technologies, are available. Windows Hello, for example, can use biometrics with either an infrared (IR) camera to scan your face or the more traditional fingerprint scanner. You also have the option of using an app on your phone that relies on biometrics or a PIN.
MFA all the way
At a minimum, companies need to enable multifactor authentication (MFA). This step alone provides a massive boost in security and will make phishing attacks significantly more difficult. Companies without MFA will get breached through password attacks! If your company is using Office 365 and Azure Active Directory (AD), you can immediately enable MFA using security defaults or Azure AD conditional access. Microsoft also provides Azure AD password protection, which detects and blocks known weak passwords. You can extend this to your on-premises Active Directory environment.
Some NIST lists
Companies should also review and adjust their password policies in line with current NIST or Microsoft recommendations. Common methods, such as forcing regular password changes, are no longer best practice.
In a nutshell, the NIST password requirements are to:
- set an eight-character minimum length
- change passwords only if there is evidence of compromise
- screen new passwords against a list of known compromised passwords
- skip password hints and knowledge-based security questions
- limit the number of failed authentication attempts.
In another nutshell, the NIST password recommendations are to:
- set the maximum password length to 64 characters or more
- skip character-composition rules; they are an unnecessary burden for end users
- allow copy-and-paste functionality in password fields to facilitate the use of password managers
- allow the use of all printable ASCII characters as well as all Unicode characters (including emojis).
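To make the two lists above concrete, here is an added example (not code from the original post or from NIST) of a password check that follows them: a length floor of 8 and ceiling of 64, no character-composition rules, Unicode and emoji counted as ordinary characters, screening against a compromised-password list, and a lockout after a fixed number of failed attempts. The breached-password set is constructed inline as a stand-in for a real feed; the `k_anonymity_parts` helper shows how such a feed can be queried by SHA-1 prefix so the full hash never leaves the client, which is the lookup scheme used by the Pwned Passwords service rather than anything the post describes. The limit of five failed attempts is an assumption chosen for the example.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field

# Constructed breached-password list standing in for a real compromised-password
# feed. Stored as uppercase SHA-1 hex digests, the form such feeds publish.
CONSTRUCTED_BREACHED: set[str] = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "Password1!", "qwerty123", "letmein")
}

MIN_LENGTH = 8            # NIST requirement: eight-character minimum
MAX_LENGTH = 64           # NIST recommendation: allow at least 64 characters
MAX_FAILED_ATTEMPTS = 5   # assumed value for the "limit failed attempts" requirement


def check_password(candidate: str, breached: set[str] = CONSTRUCTED_BREACHED) -> list[str]:
    """Return the list of policy violations; an empty list means the password is acceptable.
    Deliberately no composition rules: length and a breach screen are the only checks."""
    problems: list[str] = []
    length = len(candidate)  # counts code points, so Unicode and emoji count as characters
    if length < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if length > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    digest = hashlib.sha1(candidate.encode("utf-8")).hexdigest().upper()
    if digest in breached:
        problems.append("appears in a known data breach")
    return problems


def k_anonymity_parts(candidate: str) -> tuple[str, str]:
    """Split the SHA-1 hex digest into the 5-character prefix that would be sent to a
    range-lookup service and the 35-character suffix that is compared locally against
    the returned candidates, so the full hash of the password is never transmitted."""
    digest = hashlib.sha1(candidate.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


@dataclass
class LoginThrottle:
    """Per-account failure counter that locks the account at MAX_FAILED_ATTEMPTS."""
    failures: dict[str, int] = field(default_factory=dict)

    def record(self, account: str, success: bool) -> bool:
        """Record one attempt; a success clears the counter. Returns True if locked."""
        if success:
            self.failures.pop(account, None)
            return False
        self.failures[account] = self.failures.get(account, 0) + 1
        return self.failures[account] >= MAX_FAILED_ATTEMPTS

    def is_locked(self, account: str) -> bool:
        return self.failures.get(account, 0) >= MAX_FAILED_ATTEMPTS


def lockout_after(n_failures: int, account: str = "demo-user") -> bool:
    """Simulate n consecutive failed logins on a fresh throttle and report lock state."""
    throttle = LoginThrottle()
    for _ in range(n_failures):
        throttle.record(account, success=False)
    return throttle.is_locked(account)


if __name__ == "__main__":
    for pw in ("short", "password", "correct horse battery staple", "\U0001F510" * 8):
        print(repr(pw), "->", check_password(pw) or "OK")
    prefix, suffix = k_anonymity_parts("password")
    print("range query prefix:", prefix, "| local suffix length:", len(suffix))
    print("locked after 4 failures:", lockout_after(4), "| after 5:", lockout_after(5))
```

Two points worth noticing: the breach screen rejects `password` even though it meets the length floor, which is exactly the case composition rules miss, and a passphrase with spaces passes because the policy imposes no symbol or digit requirement, which is what lets users pick something long and memorable.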
If your company isn’t using MFA or has not recently updated its password guidelines, then it’s time to take action before it’s too late. If you need help, reach out to Tikabu at email@example.com.