
Follow these 5 password hygiene tips to protect your business from password-related hack attacks.

Evolve's Password Hygiene White Paper

SAN RAFAEL, CALIFORNIA – As the use of online services, personal computers, smartphones and tablets has risen over the years, so has the number of passwords that users must remember. Research conducted in early 2020 showed that the average person now has 70-80 passwords. Following basic password hygiene practices is now more crucial than ever.

Bad password hygiene can be exploited by an attacker in a variety of ways:

  • Tricking someone into revealing their password (e.g. phishing).
  • Password spraying or brute-force attacks. Password spraying is where a small set of common passwords is tried against many accounts; brute forcing is where many passwords are tried against a single account or a small group of accounts. Spraying stays below per-account lockout thresholds, which is why it needs separate monitoring.
  • Using stolen passwords. These can be obtained from leaked data breaches, by stealing a password hash file and cracking it offline, by discovering insecurely stored passwords, or by using a keylogger or other means to intercept passwords as they are typed or transmitted.
  • Shoulder surfing, where an attacker observes someone typing in their password.
  • Manual password guessing. This is easier for an attacker if you use passwords that include personal information (e.g. your pet's name or an important date).

Evolve’s Top 5 Password Hygiene Tips

1. Reduce Your Reliance on Passwords Altogether!

• Utilize Single Sign-On (SSO), hardware tokens, and biometric authentication whenever possible.

• Enable Multi-Factor Authentication (MFA) on all accounts. Period.

2. Next, Implement Technical Solutions

• Use account lockout or throttling to defend against brute-force attacks on individual accounts.

• Add security monitoring for brute-force attempts, and group failed logins by source as well as by account so that password spraying (one or two guesses against many accounts) is also visible.

• Block commonly guessed passwords: check every new password against a list of known common and breached passwords.

3. Protect All Passwords

• Ensure all web apps use HTTPS to protect passwords in transit.

• Protect access management systems and user databases, and store passwords only as salted, slow hashes so that a stolen hash file is costly to crack.

• Always change default passwords.

4. Don’t Succumb to Password Overload

• Use a password manager to securely store and manage passwords.

• Only require a password change when there is an indication or suspicion of compromise, rather than enforcing periodic expiry, which pushes users toward predictable variations of their old password.

5. Help Users Generate Better Passwords

• If a password manager is used, encourage the use of a built-in password generator.

• Enforce a minimum password length, but do not cap the maximum length.
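The following is an added example, not code from Evolve's white paper, covering the blocklist bullet in tip 2 and the length and generator advice in tip 5. It accepts or rejects a candidate password (minimum length, a high ceiling that only bounds hashing cost, a common-password blocklist that also catches "Password123!"-style variants, and a username check) and generates passwords and passphrases from the operating system's CSPRNG. The thresholds and the tiny blocklist and word list are assumptions; a real deployment would check against a breach-derived corpus and use a word list of several thousand entries.

```python
"""Password acceptance rules and a generator for new passwords.
Added example, not code from Evolve's white paper; the thresholds and
the small blocklist are assumptions (use a breach-derived list in practice)."""
import secrets
import string
import unicodedata

MIN_LENGTH = 12    # assumed policy; NIST SP 800-63B allows 8, longer is better
MAX_LENGTH = 128   # a high ceiling that only bounds hashing cost, not a usability limit

# Constructed blocklist; a real deployment checks against a breached-password corpus.
BLOCKLIST = {"password", "passw0rd", "123456", "12345678", "qwerty", "letmein",
             "welcome", "iloveyou", "admin", "changeme"}


def check_password(password: str, username: str = "") -> list:
    """Return the reasons a candidate password is rejected; an empty list means accepted."""
    pw = unicodedata.normalize("NFKC", password)   # so look-alike forms compare equal
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    lowered = pw.lower()
    # Strip trailing digits/punctuation so 'Password123!' still matches 'password'.
    stem = lowered.rstrip(string.digits + string.punctuation)
    if lowered in BLOCKLIST or stem in BLOCKLIST:
        reasons.append("on the common-password blocklist")
    if username and username.lower() in lowered:
        reasons.append("contains the username")
    return reasons


def generate_password(length: int = 20) -> str:
    """Random password from the OS CSPRNG, suitable for a password manager to store."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words: int = 5,
                        wordlist=("correct", "horse", "battery", "staple",
                                  "orbit", "lantern", "velvet", "cactus")) -> str:
    """Random passphrase: easier to type than a random string. The tiny
    default wordlist is a placeholder; use a list of several thousand words."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    print(check_password("Password123!"))                    # ['on the common-password blocklist']
    print(check_password("correct horse battery staple"))    # []
    print(generate_password(), generate_passphrase(), sep="\n")
```

Note what the checker does not do: it imposes no character-class rules (the passphrase of four lowercase words is accepted) and no short maximum, in line with the advice above that length, not composition, is what makes passwords hard to guess.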


In summary, Evolve hopes this advice helps you secure your organization's approach to passwords and authentication by placing greater reliance on technical defenses and in-house processes. At the end of the day, passwords should form just one part of your access control and identity management approach.
