You might not know it, but the word hygiene has roots in Greek mythology. Hygieia was a daughter of Asclepius, who you probably also didn’t know was the Greek god of medicine. Hygieia was the goddess of health, cleanliness and sanitation, so it makes sense that this is where the word comes from. We all know how important it is to brush our teeth every day, but apparently you can be healthy, clean and entirely sanitized with those digital gatekeepers we call passwords too.
We’ve all seen password strength meters that give you an idea of how strong your password is, but far too many people are still going with 54321 or something of the sort. Here at 4GoodHosting we’re like any other good Canadian web hosting provider in that we’ve come across all sorts of stories of password failures over the years, and we try to make a point of giving customers some insight into good practices for the digital world when they need it.
And apparently the need is there. Passwords are still the primary form of authentication, but chosen or handled poorly they can leave you vulnerable to attack if your cybersecurity is not up to scratch. Passwords get stolen, and it’s happening a lot more often nowadays. They’re obtained by all sorts of underhanded means, and some of yours may no longer be exclusively in your possession either.
Billions Out There
At present there are billions of passwords available on the Dark Web, collected via attack methods ranging from malware to phishing. Many are then used in password spraying and credential stuffing attacks.
The primary reason this is able to happen, according to web security experts, is that around 65% of users reuse some of their passwords. That’s highly inadvisable: if you do it, you put yourself at risk from stolen or compromised credentials. Another estimate is that 1 in 5 companies that suffered a malicious data breach had it happen because of stolen or compromised credentials.
So what is poor password hygiene? It’s any choice or omission in setting or sharing passwords that leaves doors wide open for attackers. If you’re the IT department, with everything else you have going on, a lack of knowledge about good password practices may be putting you at risk.
Put Effort into It
Choosing weak, easily guessable passwords like common keyboard patterns, or passwords that are obviously connected to an organization name, location or other common identifier, is where a lot of people mess up. Another common move is changing passwords only by adding sequential characters at the end, for example changing password1 to password2.
A great example of this is what happened to the Marriott hotel chain. Just last year attackers obtained the login credentials of two Marriott employees, compromised a reservation system and ultimately exposed payment information, names, mailing addresses and much more for hundreds of millions of customers.
Why It Continues
Poor password hygiene continues to be a problem because it isn’t visible enough as a problem or a potential threat. Thinking that attackers are only interested in targeting large organizations is incorrect too. Attackers do target SMBs, and they do it more often as the number of online applications and remote technologies grows, since these can often be compromised fairly easily.
The security of two-factor authentication is also commonly overrated, and that’s another common misconception. Two-factor authentication is a good security measure, but it’s certainly not fail-safe. You still need your password to be as secure as possible.
With Active Directory (AD), there is a belief that the password policy in AD is going to be sufficient. But it does not eliminate the use of compromised passwords, and it has nothing to indicate the use of weak password construction patterns. You also shouldn’t assume that implementing and enforcing a robust password security policy is going to create any degree of user friction.
Simplifying Password Security
Here are some fairly solid recommendations:
- Requiring a minimum length of 8 characters, which encourages the use of longer passwords
- Removing forced password expiration and complexity rules
- Screening new passwords against a list of passwords known to be leaked or compromised
You also need to take risk level into account. Removing expiration guidelines can leave a security gap, given how long it takes organizations to identify a breach. It’s a good idea to go with technical solutions that can reduce the poor password hygiene issues this can create.
Other good practices are:
- Eliminating the use of common password construction patterns
- Supporting user-oriented features such as passphrases (longer, more memorable passwords) and length-based password policies. This also allows less frequent password expiration because of how long and strong the passwords are
- Continuously blocking the use of leaked passwords
- Letting users reset their passwords with MFA (multi-factor authentication) from anywhere
- Working with existing settings you already use, such as Group Policy
This is something you want to be proactive about, and it’s really not asking too much of people to come up with a more solid and secure password. Go through what can happen if you have a weak password and you’ll know why that’s a headache you really want to avoid.
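As an added illustration of the policy points in the two lists above (minimum length, blocking common construction patterns and organization identifiers, rejecting a password that only bumps the trailing digits of the previous one, and screening against a leaked-password list), here is a small Python checker. It is example code written for this article, not 4GoodHosting’s or any vendor’s product. The organization identifiers, the keyboard patterns and the “leaked” list are constructed sample data; the leaked list is kept as SHA-1 digests and queried by hash prefix in the k-anonymity style breach-lookup services use, so only five hex characters of the hash would ever leave the client.

```python
"""Password hygiene checker (added example; sample data is constructed)."""
from __future__ import annotations

import hashlib
import re

MIN_LENGTH = 8
# Hypothetical organization name and location that must not appear in passwords.
ORG_IDENTIFIERS = ("acme", "toronto")
# Common keyboard walks and number runs, lower-case.
KEYBOARD_PATTERNS = ("qwerty", "asdfgh", "zxcvbn", "12345", "54321", "qazwsx")

# Constructed stand-in for a leaked-password corpus. Real lists are distributed
# as SHA-1 digests; the checking side never keeps the cleartext around.
_LEAKED_CLEARTEXT_FOR_DEMO = ("password1", "Summer2020!", "letmein", "Welcome123")
LEAKED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in _LEAKED_CLEARTEXT_FOR_DEMO
}


def range_lookup(prefix5: str) -> set[str]:
    """Simulate a k-anonymity range query: given only the first 5 hex characters
    of a SHA-1 digest, return every leaked hash suffix sharing that prefix.
    A real service sees the prefix alone, so the password is never disclosed."""
    return {h[5:] for h in LEAKED_SHA1 if h.startswith(prefix5)}


def is_leaked(password: str) -> bool:
    """Hash locally, send only the prefix, compare suffixes on the client side."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[5:] in range_lookup(digest[:5])


def stem(password: str) -> str:
    """The password with any trailing digits removed, lower-cased, so that
    password1 -> password2 is recognised as the same password."""
    return re.sub(r"\d+$", "", password).lower()


def check_password(candidate: str, previous: str | None = None) -> list[str]:
    """Return the list of policy violations; an empty list means accepted."""
    reasons: list[str] = []
    lowered = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if any(pattern in lowered for pattern in KEYBOARD_PATTERNS):
        reasons.append("contains a keyboard or number-run pattern")
    if any(org in lowered for org in ORG_IDENTIFIERS):
        reasons.append("contains an organization identifier")
    if previous is not None and stem(candidate) and stem(candidate) == stem(previous):
        reasons.append("only changes the trailing digits of the previous password")
    if is_leaked(candidate):
        reasons.append("appears in a leaked-password list")
    return reasons


if __name__ == "__main__":
    samples = [
        ("password2", "password1"),
        ("Summer2020!", None),
        ("qwerty54321", None),
        ("AcmeCorp2024", None),
        ("correct horse battery staple", None),
    ]
    for candidate, previous in samples:
        verdict = check_password(candidate, previous) or ["accepted"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

The checker reports every violation rather than stopping at the first, which is what you want when giving a user feedback on a rejected password. The similarity test deliberately looks only at trailing digits; a production policy would typically add a dictionary and a minimum edit distance from the previous password, and would load the leaked-hash set from a maintained breach corpus instead of the constructed list used here.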