Why a culture of poor password hygiene continues to thrive

Poor password hygiene can lead to data breaches


Passwords remain the number one form of authentication, even though they leave an organization open to attack if appropriate cybersecurity measures are not in place. They predate the Internet and are not likely to go away for years to come, despite the buzz that ‘passwordless’ conversations are generating.

Darren James is a Product Specialist and cyber security expert at Specops Software.

Currently, billions of passwords are available on the Dark Web, harvested through attack methods ranging from brute force to malware to phishing, and then replayed in password spraying and credential stuffing attacks. Password spraying tries a handful of common passwords against many accounts, staying under lockout thresholds; credential stuffing replays leaked username and password pairs against other services. Such attacks succeed because users reuse passwords: 65% of them do, according to a 2019 Google study. So it is really no surprise that stolen or compromised credentials are one of the leading root causes of malicious attacks. In fact, according to IBM’s 2020 Cost of a Data Breach report, one in five companies that suffered a malicious data breach was infiltrated through stolen or compromised credentials.
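The two attack patterns described above leave different fingerprints in authentication logs: a spray is one source trying many accounts once or twice each, a brute-force attempt is one source hammering one account. The following detector is an added example written for this article, not code from Specops or from any product; the log format (timestamp, result, user, source IP) and the log lines themselves are constructed for illustration, and the thresholds (a 10-minute window, five distinct users, five failures per user) are assumptions to tune against your own baseline.

```python
"""Flag password-spraying and brute-force sources in a simplified auth log."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): timestamp, result, user, source IP.
# 203.0.113.7 sprays six accounts and lands one; 192.0.2.9 brute-forces bob;
# 198.51.100.2 is a user who mistyped once and then logged in.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z FAIL alice 203.0.113.7
2024-05-01T09:00:02Z FAIL bob 203.0.113.7
2024-05-01T09:00:03Z FAIL carol 203.0.113.7
2024-05-01T09:00:04Z FAIL dave 203.0.113.7
2024-05-01T09:00:05Z FAIL erin 203.0.113.7
2024-05-01T09:00:06Z FAIL frank 203.0.113.7
2024-05-01T09:00:07Z OK grace 203.0.113.7
2024-05-01T09:05:00Z FAIL alice 198.51.100.2
2024-05-01T09:05:30Z OK alice 198.51.100.2
2024-05-01T10:00:00Z FAIL bob 192.0.2.9
2024-05-01T10:00:10Z FAIL bob 192.0.2.9
2024-05-01T10:00:20Z FAIL bob 192.0.2.9
2024-05-01T10:00:30Z FAIL bob 192.0.2.9
2024-05-01T10:00:40Z FAIL bob 192.0.2.9
2024-05-01T10:00:50Z FAIL bob 192.0.2.9
"""


def parse_log(text):
    """Parse lines into (timestamp, result, user, ip) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result, user, ip))
    return sorted(events)


def detect(events, window=timedelta(minutes=10), min_users=5, brute_threshold=5):
    """Return {ip: finding} for sources whose failure pattern looks hostile.

    A spray is many distinct users with at most two failures each inside the
    window; a brute force is one user with brute_threshold or more failures.
    For a spray, any OK login from the same source inside the window is
    reported as a likely compromised account.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[3]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window forward so it spans at most `window` of time.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            fails = Counter(e[2] for e in win if e[1] == "FAIL")
            if not fails:
                continue
            top_user, top_count = fails.most_common(1)[0]
            if len(fails) >= min_users and top_count <= 2:
                findings[ip] = {
                    "type": "password_spray",
                    "users_tried": len(fails),
                    "successes": sorted({e[2] for e in win if e[1] == "OK"}),
                }
            elif top_count >= brute_threshold:
                findings[ip] = {"type": "brute_force", "user": top_user, "failures": top_count}
    return findings


if __name__ == "__main__":
    for ip, finding in detect(parse_log(SAMPLE_LOG)).items():
        print(ip, finding)
```

The useful output is not the spray itself but the `successes` list: an account that authenticated from a spraying source is the one to reset and investigate first, which is exactly the reused or weak password the article is talking about.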

Passwords are often the sole key that unlocks access to applications, resources and sensitive data, yet we still see poor password hygiene leading to some pretty major data breaches.

Poor password hygiene: out in the wild

So, what does poor password hygiene mean? Essentially, it is the set of mistakes that leave the door wide open to attackers. And given that security is not top of mind for users, the onus falls on IT to enforce password security with solutions that prevent users from:

Even large organizations get this wrong. Several major breaches can be traced back to a compromised password as the initial point of entry, including:

Poor password hygiene: why is this still a problem?

Poor password hygiene persists primarily because it is not recognized as a problem or treated as a real threat. For instance, a common misconception is that attackers only target large organizations. In fact, attackers do target SMBs, and have done so increasingly since the pandemic, because the accelerated adoption of online applications and remote-access technologies has left more systems prone to misconfiguration and lacking secure access policies. According to Verizon’s 2020 Data Breach Investigations Report, SMBs experienced 417 incidents in 2020, with over half of those resulting in disclosed data.

Another misconception is that organizations are secure once they use two-factor authentication. Two-factor authentication is a security measure, not a fail-safe: it can be phished, fatigued or bypassed, and the password is still the first factor. As such, the password should be as secure as possible in its own right.


With the majority of organizations globally using Active Directory (AD), the perception that AD’s fine-grained password policy is enough is common. Fine-grained policy lets you set length, age, history, lockout and the built-in complexity flag per group, but it does not check candidate passwords against lists of compromised passwords, and it does not block weak construction patterns such as a company name or season followed by a year and a symbol. Another common belief is that implementing and enforcing a robust password security policy will be complicated or create user friction.

Simplifying password security

It’s true that a stricter password policy can create user friction: users forget passwords because they can no longer use words like “password”, or they fall back on poor construction patterns that satisfy the letter of the policy. It is therefore important to take the user experience into account to get the best security and user outcomes. The solution is to take the burden off users and put it on technology instead.

Many organizations turn to NIST (SP 800-63B) for guidance on this front. NIST recommends:

While these recommendations provide a great starting point, it is essential to consider your risk level. For instance, removing password expiry can leave a gap: a stolen password stays valid for as long as the organization takes to notice, and it takes organizations on average close to 300 days to identify and contain a breach. So, if you’re not comfortable removing expiry, or are regulated by PCI, CMMC or any other standard that requires expiry and complexity, then look for technical solutions that reduce the poor-hygiene side effects these rules create, such as screening every new password against breached-password lists and blocking predictable patterns.
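The gap described in the two passages above (AD fine-grained policy cannot screen for compromised passwords or construction patterns, and NIST-style guidance replaces composition rules with breached-list screening) is easy to see in code. The checker below is an added example written for this article, not Specops, NIST or Microsoft code. Its breached-password corpus is a tiny constructed stand-in for a real source such as a local dump or the Have I Been Pwned range lookup; the k-anonymity index it builds (SHA-1 prefix of five hex characters mapped to suffixes) mirrors how that lookup works. The weak-base word list, the leet-speak mapping and the `org_words` parameter are assumptions to be replaced with your own data.

```python
"""Password screening beyond what AD fine-grained policy offers:
minimum length, breached-list check (k-anonymity style) and
weak construction patterns. No character-class composition rules."""
import hashlib
import re

# Constructed stand-in for a breached-password corpus (not real breach data).
BREACHED = {"password", "Password1", "Summer2020!", "Welcome123", "letmein"}

# Assumed dictionary of weak base words and keyboard walks; extend from your own telemetry.
WEAK_BASES = {"password", "welcome", "admin", "letmein", "qwerty", "changeme"}
KEYBOARD_WALKS = ("qwerty", "asdfgh", "zxcvbn", "123456", "1q2w3e")
SEASONS = {"spring", "summer", "autumn", "fall", "winter"}

# Undo common leet substitutions so "P@ssw0rd" is judged as "password".
LEET = str.maketrans("@$!103", "asiioe")
# Leading/trailing runs of digits and symbols that users bolt onto a base word.
PREFIX = re.compile(r"^[0-9!?.,*#_\-+=]+")
SUFFIX = re.compile(r"[0-9!?.,*#_\-+=]+$")


def build_index(corpus):
    """Map SHA-1 prefix (5 hex chars) -> set of 35-char suffixes, as a range lookup would."""
    index = {}
    for pw in corpus:
        h = hashlib.sha1(pw.encode()).hexdigest().upper()
        index.setdefault(h[:5], set()).add(h[5:])
    return index


BREACH_INDEX = build_index(BREACHED)


def is_breached(pw, index=BREACH_INDEX):
    """True if the password's full SHA-1 appears under its 5-char prefix bucket."""
    h = hashlib.sha1(pw.encode()).hexdigest().upper()
    return h[5:] in index.get(h[:5], set())


def weak_patterns(pw, org_words=()):
    """Return the names of construction patterns the password matches (empty = clean)."""
    core = PREFIX.sub("", SUFFIX.sub("", pw))   # 'P@ssw0rd2024!' -> 'P@ssw0rd'
    base = core.lower().translate(LEET)          # -> 'password'
    suffix = SUFFIX.search(pw)
    has_year = bool(suffix and re.search(r"\d{2,4}", suffix.group()))
    lowered = pw.lower()
    org = {w.lower() for w in org_words}

    hits = []
    if base in WEAK_BASES:
        hits.append("dictionary_base")
    if base in org or any(w in base for w in org):
        hits.append("org_word")
    if base in SEASONS and has_year:
        hits.append("season_year")
    if any(walk in lowered for walk in KEYBOARD_WALKS):
        hits.append("keyboard_walk")
    if re.search(r"(.)\1{3,}", lowered):
        hits.append("repeated_char")
    return hits


def check_password(pw, org_words=(), min_len=12):
    """Return the list of reasons a password is rejected; an empty list means accepted."""
    reasons = []
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len}")
    if is_breached(pw):
        reasons.append("in breached list")
    reasons.extend(weak_patterns(pw, org_words))
    return reasons


if __name__ == "__main__":
    for candidate in ("P@ssw0rd2024!", "Summer2020!", "Contoso#2024", "correct horse battery staple"):
        print(f"{candidate!r}: {check_password(candidate, org_words=['Contoso']) or 'accepted'}")
```

Note that "P@ssw0rd2024!" passes every box in a classic complexity policy (upper, lower, digit, symbol, 13 characters) and would be accepted by AD’s built-in complexity flag; here it is rejected because its base word is "password". Conversely, a long passphrase with no symbols at all is accepted, which is the NIST trade: length and screening instead of composition rules.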

Things to keep in mind

When looking to implement a secure password policy, it’s important to consider the full password lifecycle, from creation through use to reset or change. Solutions should therefore:

Passwords aren’t going away any time soon; most organizations simply do not have the infrastructure to support a fully passwordless ecosystem. It is therefore important that the whole industry recommits to putting a progressive password security strategy in place.

