Password Security in 2022 - What you need to know

In this age of hacking and cyber-terrorism, your company's data is a target. And it doesn't take much for a hacker to break into a network and wreak havoc. The stakes are high. What do you need to know about password security?

This blog post will cover (almost) everything that those with responsibility for IT should know about passwords - from the basics to the latest trends in protection. We'll discuss password best practices and give you all the information necessary so that you can make informed decisions when it comes to protecting your company's assets from hackers and other threats.

While this guide is aimed at those responsible for an organisation’s IT security it’ll hopefully be useful to anyone interested in password security or those just trying to understand why so much emphasis is put on their company’s IT security policy.

Why password security is important

Hopefully this will be pretty obvious so I won’t go on about it, but it can’t hurt to briefly run through it again…

Passwords have been with us for a very long time and will likely be with us for quite a while longer. Despite their obvious flaws, they’re still ubiquitous.

Passwords and usernames/email addresses (credentials) are often the first line of defence between your organisation’s sensitive data and the army of cyber-criminals trying to access it.

Gaining access to precious corporate data using credentials found via social engineering (mechanisms such as phishing and smishing) is still the most common cause of data breaches.

The risks to your organisation of a data breach are not only related to the sensitivity of your data were it to get into the wrong hands. With the rise of ransomware, you also need to consider the implications of losing access to your own data.

Weak passwords and poor password security can effectively leave the door open to cyber-criminals so if IT security is your responsibility you can’t really afford to ignore it! It’s also one of the simplest things to fix in the often highly complex world of IT security.

How to improve password security

There are lots of ways to increase the password security of your organisation. Some of them require quite a bit of technical knowledge to implement but there are also some pretty simple ones too. Most of them are relatively cheap to implement, at least compared to the potential cost of a security breach!

What does a strong password look like?

A strong password follows a few simple rules. It should:

1. Be a sensible minimum length (at least 12 characters)

2. Be difficult to guess (i.e. not contain your name, email address, significant dates, phone numbers or other information related to you or your company)

3. Be original (i.e. not previously exposed in a data breach and not used anywhere else)

4. Contain a mix of lowercase and uppercase letters, numbers and symbols

   NOTE: Both the British NCSC (National Cyber Security Centre) [1] and the US NIST (National Institute of Standards and Technology) [2] have published guidelines suggesting password complexity not be used as a factor in determining the strength of a password.

We recommend a minimum of 12 characters for a secure password which (if it follows the rules above), will take at least 3 weeks to crack in a brute-force attack.

The restrictions placed on a password should be flexible enough to accommodate different types of passwords. For example, some people may find a password made up of a few random words easier to remember than a much shorter string of random characters. An 18-character password of just lower-case letters will take around 23 million years to crack!

Try the JDLT password checker & generator to

1. Check how secure your password is
2. See whether it's been exposed in a data breach
3. Generate a new memorable password based on the NCSC's recommended approach [3]

Password managers

Password managers are SaaS products that manage the ever-increasing list of credentials most of us use in our working (and personal) lives.

When it comes to password managers, something is better than nothing. A basic password manager will mean that you don’t have to remember your credentials and in-built password generators can easily generate new secure passwords when required.

These days they will also often tell you if your credentials have been leaked in a security breach and prompt you to change the related password.

There are plenty of password management options out there, but they generally fall into two categories:

In-browser password managers

Although browser-based password managers are improving, they generally don’t have a lot of the really useful features of many 3rd party products.

They often have significant disadvantages over 3rd party products such as the fact that they lock you in to a particular browser. If you regularly switch browsers, for example if you use Chrome on Windows and Safari on your iPhone this kind of solution probably won’t work for you.

However, most significantly, in-browser password managers can be abused. Malware can be hidden inside malicious browser extensions which can be used to steal your credentials. The latest example of this happened right at the end of 2020.

There are other features that you usually miss out on when using a browser-based password manager which are covered in the next section:

3rd party password managers

• Cross platform and browser

  If you're going to use a password manager you really want one you can use across all your devices. It's a pain finding you've generated a highly secure, random password, saved it to your password manager but can't access it on your phone!

• Ability to share passwords

  Despite it generally being bad practice, it may be necessary to have some passwords which are shared. For instance passwords for emergency accounts. Password managers often come with the ability to share credentials between accounts, often without even revealing the password to the person you're sharing it with, maintaining security.

• Auditable

  Many of these platforms allow managers to audit their team's use of the software, seeing if they're reusing passwords, have insecure passwords, or even if they're not using the software at all!

• Enforcement policies/rules

  Many rules can be specified which maintain a level of security. For example, prohibiting exporting data, or the reuse of master passwords, or requiring a unique master password.

• Share credentials across sites

  Credentials that are used across multiple sites can have their credentials easily shared without creating duplicates.

• Add notes

  It may be useful to be able to add notes to accounts, for instance if an account requires a password which needs to be quoted over the phone.

• One-click change of credentials

  Some password managers allow the credentials for specific sites to be changed with a single click.

NOTE: It’s worth mentioning that a password manager is only as secure as the master password used to access it. So, it’s really important that if your organisation uses a password management solution you set out some clear rules around master passwords. Or even better, where possible setup rules to enforce those policies (most 3rd party password managers offer this option).

These should include policies like:

• No re-use of master passwords
• Master passwords should have minimum complexity rules making them more difficult to crack
• MFA should be mandatory on password management tools
• Master passwords shouldn’t be written down

In a recent Microsoft Twitter poll, one in five people reported they would rather accidentally “reply all”—which can be monumentally embarrassing—than reset a password.

Multi-factor authentication (MFA)

This is the second most important step in securing your users’ logins and is usually pretty simple to implement. It’s also sometimes referred to as two-factor authentication (2FA).

The way this works is by requiring at least two authentication mechanisms (factors) before granting access to a resource. This means the user must be in possession of not just the relevant credentials, but also another piece of information which is not easily accessed.

Username/password credentials are usually the first factor and the 2nd factor can be one of a few things. The most common 2nd factors are:

• An SMS message with a unique code
• An email with a unique code
• A unique code generated by an app (usually on a mobile phone)
• A USB or NFC hardware device the user has access to
• Biometric verification from a mobile device (e.g. facial recognition or a fingerprint scanner)

NOTE: It's recognised that SMS is not the most secure 2nd factor, but it still offers a much higher level of security than not using MFA at all. However, if you can use alternatives to SMS, it's recommended that you do.

Any security-conscious software will have MFA built-in these days. In some cases it’ll just be a matter of turning on and configuring MFA settings. However, it’s becoming more common to have MFA turned on by default, or even mandatory given how much additional protection it can give.

MFA setup can be more complicated depending upon the types of factor supported. Some users can also find It a bit of a pain as it can require registering a separate device and can often increase the time it takes to login to a system.

On balance, given the increased level of security and peace of mind MFA can give to those responsibile for an organisation’s security, it’s usually worth the trouble.

Single sign-on

Single sign-on (SSO) enables your users to use a single password to access multiple accounts.

The primary benefit of SSO to your users is that the number of credentials they need is reduced. There are also multiple benefits to your organisation of this approach.

The idea is that you allow a single provider to manage the login for multiple systems. For example, if you use Microsoft Active Directory (AD), you can use this solution to grant your users access to other corporate resources. These can be any corporate resources that support SSO, such as Google, Apple, Salesforce, Zoom and plenty of others.

This takes a bit of setting up but once you get the hang of it it’s not too difficult, and importantly it saves your users hassle and increases security.

An additional benefit of SSO is that if your user forgets their password, or leaves, your IT team have a single place to reset the password or disable the user account.

Having a single mechanism of authentication for multiple systems also makes user onboarding and offboarding significantly simpler for obvious reasons.

Cyber Essentials password policy

Cyber Essentials is a scheme backed by the NCSC that helps protect organisations of all sizes against a whole range of the most common cyber attacks. Cyber Essentials assessment and certification is a good measure of whether an organisation has implemented basic security controls.

Cyber Essentials require a company to have a password policy. In fact, a password policy is the only mandatory policy document required for certification so it's considered pretty important.

Most of the policy requirements relate to creating a strong password but also include the requirement to provide "usable secure storage for passwords". The simplest way to do this (and to enforce high-quality passwords) is to use a password manager.

Passwordless authentication

The death of the password has been predicted from as far back as 2004 by Bill Gates, and it’s been predicted many times by many others since then.

However, it’s not until relatively recently that major authentication providers have embraced passwordless technologies.

Passwordless login is similar to MFA in the sense that it uses multiple factors to authenticate a user. The key difference is that it doesn’t require a password. It usually uses public-key cryptography to identify and authenticate a user.

This means that the user provides their public identifier (email address, phone number, or username) and at least one other factor (containing their private key) to identify and authenticate them.

Significantly, in March 2021 Microsoft made passwordless sign-in generally available to commercial users. They have since (September 2021) made passwordless sign-in generally available to all users.

This may well signal the beginning of the end of the road for passwords, we’ll have to wait and see! Either way, passwords will certainly be with us for a while longer.

UPDATE: To understand more about how passwordless authentication can be implemented in a Windows environment, read our Zero-Trust endpoint security case-study.