End-User Guidelines for Password Security


Following end-user guidelines for password security can protect your job and your reputation. Passwords remain the most common mechanism for authenticating and authorizing access to online resources, and you are at risk if you do not follow proper password security practices.

Because there are so many ways to choose a password, opinions about password security are strong. Different companies set different standards for what counts as acceptable and unacceptable password behavior. Even so, there is a set of best practices that users of password-secured systems can follow.

Password Security

Passwords are used everywhere as an authentication and authorization mechanism. The world of security is constantly changing, and what companies consider secure today may be compromised tomorrow. Passwords are a weak link that can lead to a variety of cybersecurity vulnerabilities.

A new wave of phishing attacks aims to dupe users and steal their passwords. Individuals are targeted by password thieves when they download malicious files attached to phishing emails, and these campaigns have affected tens of millions of people. Hackers also use malicious browser extensions and programs to harvest stored login data, which gives them access to every application and system the victim is connected to.

These attack trends mean that system developers and users alike need to stay aware of the latest threats and best practices in password security.

Everyday Password Errors Users Make

  • Password reuse

Despite increased awareness about password security, many end-users continue to reuse passwords and seldom change them. A survey conducted by Google in partnership with Harris Poll revealed that password reuse remains a widespread practice. Fifty-two percent of users reuse the same password across multiple accounts, while 35 percent use a unique password for every account. Surprisingly, 13% of end-users use the same password to access all of their accounts.

Microsoft analyzed a database of 3 billion publicly leaked credentials to find users who reuse passwords. The assessment showed that 44 million Microsoft users had reused leaked login data within the first three months of the study. If a third-party service suffers a data breach that exposes user credentials, the same credentials can inadvertently expose the user's other accounts, no matter how complex the password was.

  • Use of default and easily guessable passwords

Recent account compromises have been caused by default and easy-to-guess passwords such as admin1234 and 12345. SplashData’s Worst Password List, compiled from over five million stolen passwords, revealed that “123456” and “Password” were the most common, and the worst, passwords.

The Payment Card Industry Data Security Standard (PCI DSS) encourages end-users not to use the default passwords supplied by vendors.

  • Failure to change passwords regularly

Password security suffers when passwords are never changed. A survey revealed that 53 percent of end-users had not changed their passwords in the past 12 months, despite being aware of the dangers. Six out of ten respondents said they rarely change their passwords at all. Tellingly, 15% of respondents said they would rather do a household chore, and 11% would rather sit in traffic, than change their passwords.

NIST suggests that organizations apply the well-known practice of frequent password changes only sparingly. Shorter change periods interact badly with the human tendency to choose a predictable sequence of passwords, or a pattern, to make complex passwords easier to remember. The Payment Card Industry Data Security Standard (PCI DSS), by contrast, states that passwords should expire after 90 days.

  • Using names of people, places, and pets

End-users should not use passwords that include the names of pets or people, dates of birth, or addresses. Hackers can find this personal information online and use it to guess login credentials. Minor variations on these names do not make a password reliably secure either.

Password Security End-User Guidelines

Neglecting password security poses significant cybersecurity risk and undermines the overall security posture of an individual or a company.

  • Password length and composition

Secure passwords should have at least eight characters, including numbers (0–9), special characters, and upper- and lowercase letters (A–Z, a–z). According to NIST Special Publication 800-63B, “Memorized secrets SHALL be at least 8 characters in length if chosen by the subscriber.” NIST also recommends that passwords of up to 64 characters be accepted and that any printable ASCII character be allowed.

  • Use a Password Manager

Only 24% of end-users have a password manager, yet many users admit that they need a way to keep track of their passwords. Individuals and organizations need the right password management tools to follow best password practices. End-users should make sure the password manager uses strong encryption and requires authentication before granting access: it should be protected by a master password and, where possible, by two-factor authentication.

  • Multifactor authentication is recommended

Microsoft claims that enabling multifactor authentication on user accounts blocks 99.9% of all attacks. Security teams do not currently have statistics on MFA bypass attempts because they are rare. NIST Special Publication 800-63B recommends that multifactor authenticators require two factors to complete a single authentication event. MFA solutions that provide additional protection combine several of the following:

  1. Something you know – passwords, PINs, and code words
  2. Something you have – keys, smartphones, smartcards, token devices, and USB drives
  3. Something you are – voice recognition, fingerprints, palm scans, retina and iris scans, facial identification, and more

  • As a password, use a long and random multi-word phrase

End-users should not use a sequence of words taken from a standard dictionary. Instead, they should use passphrases that combine a series of words with numeric or symbolic characters. Passphrases built from a favorite line or lyric, with special and/or numerical characters added, are simple to remember and difficult for attackers to crack. Using blank spaces within a multi-word phrase further increases password security.

The UK National Cyber Security Centre (NCSC) recommends three random but memorable words to lower the chance of cybercriminals compromising an account. “Using difficult-to-guess passwords can be a strong first step. We recommend that you combine three random, but memorable words,” says Ian Levy, NCSC Technical Director. Use words that are memorable to you, and be creative so that others cannot guess your password.
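An added example (not code from the original article) of generating the kind of passphrase the two paragraphs above describe: three words drawn with a cryptographic random source so they are genuinely random, joined with spaces, and followed by a digit and a symbol, with the strength of the result estimated in bits. The wordlist is a constructed sample; the 7776 used in the comparison is the size of the EFF long wordlist, which a real generator would load from a file.

```python
import math
import secrets

# Constructed sample wordlist (hypothetical). A real generator would load a large
# published list, e.g. the EFF long wordlist of 7776 words, from a file.
SAMPLE_WORDLIST = [
    "anchor", "basket", "candle", "dragon", "ember", "falcon", "garden", "harbor",
    "island", "jigsaw", "kettle", "lantern", "meadow", "nectar", "orbit", "pepper",
    "quartz", "ripple", "saddle", "timber", "umbrella", "velvet", "walnut", "zephyr",
]
SYMBOLS = "!@#$%^&*-_+=?"

def generate_passphrase(wordlist, word_count=3, add_digit_symbol=True):
    """Pick word_count words with a CSPRNG (never random.choice), join them with
    spaces as the article advises, and optionally append one digit and one symbol."""
    words = [secrets.choice(wordlist) for _ in range(word_count)]
    phrase = " ".join(words)
    if add_digit_symbol:
        phrase += str(secrets.randbelow(10)) + secrets.choice(SYMBOLS)
    return phrase

def entropy_bits(choices_per_position: int, positions: int) -> float:
    """Guessing entropy of `positions` independent uniform picks from
    `choices_per_position` options: positions * log2(choices)."""
    return positions * math.log2(choices_per_position)

def passphrase_entropy(wordlist_size: int, word_count: int, add_digit_symbol=True) -> float:
    """Entropy of a generate_passphrase() output: the words plus, if used,
    the trailing digit (10 choices) and symbol (len(SYMBOLS) choices)."""
    bits = entropy_bits(wordlist_size, word_count)
    if add_digit_symbol:
        bits += math.log2(10) + math.log2(len(SYMBOLS))
    return bits

def strength_comparison(wordlist_size=7776, word_count=3):
    """Random-word phrases next to typical character passwords on one scale,
    assuming every character or word is chosen uniformly at random."""
    return {
        "random_words": entropy_bits(wordlist_size, word_count),
        "random_words_plus_digit_symbol": passphrase_entropy(wordlist_size, word_count),
        "8_chars_lowercase": entropy_bits(26, 8),
        "8_chars_all_printable": entropy_bits(94, 8),
    }
```

Each additional word from a 7776-word list adds about 12.9 bits, which is why length matters more than substituting a few symbols; a phrase taken from a well-known lyric has far less entropy than these figures suggest because the words are no longer independent random picks.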

  • Don’t share your password

LastPass’ survey found that password sharing is common, with 95 percent of respondents admitting to sharing six passwords on average with others. Users share passwords with their spouses and children, and the study found that 76% of people share their login credentials.

End-users often share passwords for good reasons: it lets multiple people access one account. Employees may leave passwords on sticky notes underneath keyboards so that co-workers can log in to their accounts in an emergency, and managers may share login details to delegate tasks to employees. LastPass found that 61% of employees prefer sharing a corporate password to sharing a personal one.

Wi-Fi, movie streaming, and financial account passwords are the ones most commonly shared; email and communication, social media, and work-related passwords are also popular. Seventy-three percent of users do not reset their passwords after sharing them.

Reusing passwords also increases the risk that a single stolen password affects your business. Do not share passwords with colleagues, friends, or family members. Although well-intentioned, password sharing poses a significant security risk to systems and confidential data.

  • Do not write your login details down on paper!

End-users are advised not to keep passwords in insecure places and to avoid writing them down. Occasionally it may be acceptable to write a password on paper so that everyone authorized to access a system can reach it, but end-users should not use this approach where outsiders have access to the home or office, and sticky notes carrying passwords must be kept hidden. CNET recommends keeping such a sheet in a safe location, such as a locked desk drawer or cabinet, and out of sight.

  • Avoid Automatic Logon

End-users can save time by storing multiple login credentials in their browsers so that they are logged in automatically. This seemingly harmless shortcut can be exploited by hackers: automatic login on websites and applications effectively negates the protection a password provides. A malicious actor who gains physical access to a device with automatic logins configured can easily compromise it and reach sensitive information.

It may seem convenient not to type each password every time an end-user accesses an account, but it is almost the same as unlocking the front door of a house and leaving it open.

  • Avoid Password Hints

Online accounts and sites use password hints to help end-users remember their login credentials, but this can compromise password security. Users are expected to provide clues, and those clues make it easier for malicious actors to work out the password. NIST has effectively banned knowledge-based authentication questions such as “What street did you grow up on?” because hackers can easily find the answers online.

  • Use a Password Blacklist

Hackers can easily crack user-generated passwords with sophisticated password-cracking tools. End-users can reduce their exposure by checking their login credentials against a list of compromised passwords. The NCSC publishes the 100,000 most commonly compromised passwords so that users can avoid them when signing up for online sites. Third-party password filtering services provide more comprehensive lists, including billions of compromised passwords, and vendors offer tools that scan Active Directory to identify accounts with weak or blacklisted passwords.
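An added example (not from the original article or any of the vendors it mentions) of the two checks the length-and-composition and blacklist sections above describe: the NIST SP 800-63B length and character rules as the article cites them, plus a compromised-password lookup done the way k-anonymity range services work, where only the first five hex digits of the password's SHA-1 hash are sent and the client compares the returned suffixes locally. The blocklist and the offline range index are constructed stand-ins for a real filtering service.

```python
import hashlib
from typing import Dict, List, Set

# NIST SP 800-63B figures as cited on the page: at least 8 characters, up to
# 64 characters accepted, printable ASCII (including space) allowed.
MIN_LEN, MAX_LEN = 8, 64
# Constructed blocklist (hypothetical sample, not a real breach corpus) of passwords the page names.
COMPROMISED = {"123456", "password", "admin1234", "12345"}

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_range_index(compromised) -> Dict[str, List[str]]:
    """Index hashes by their first 5 hex digits, as a k-anonymity range service
    (the scheme Pwned Passwords uses) does: a prefix query gets back only the
    matching suffixes, so neither the password nor its full hash is sent."""
    index: Dict[str, List[str]] = {}
    for pw in compromised:
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], []).append(digest[5:])
    return index

RANGE_INDEX = build_range_index(COMPROMISED)

def is_compromised(password: str, range_lookup=lambda p: RANGE_INDEX.get(p, [])) -> bool:
    """range_lookup stands in for the HTTP range query; here it is answered offline."""
    digest = sha1_hex(password)
    return digest[5:] in range_lookup(digest[:5])  # exact match, so case matters

def char_classes(password: str) -> Set[str]:
    """Character classes present, for sites applying the page's composition rule."""
    classes = set()
    for c in password:
        if c.isupper(): classes.add("upper")
        elif c.islower(): classes.add("lower")
        elif c.isdigit(): classes.add("digit")
        elif c != " ": classes.add("symbol")
    return classes

def check_password(password: str) -> List[str]:
    """Policy violations for a candidate password; an empty list means accepted."""
    problems, n = [], len(password)
    if not MIN_LEN <= n <= MAX_LEN:
        problems.append(f"length {n} is outside {MIN_LEN}-{MAX_LEN} characters")
    if not all(0x20 <= ord(c) <= 0x7E for c in password):
        problems.append("contains characters outside printable ASCII")
    if is_compromised(password):
        problems.append("appears in a compromised-password list")
    return problems
```

Because the lookup is an exact hash match, "Admin1234" is not caught even though "admin1234" is listed, which is why a blocklist is a complement to, not a substitute for, length and randomness.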

You can also monitor whether your passwords have been exposed in a breach. Mozilla’s Firefox Monitor and Google’s Password Checkup show users which of their email addresses and login credentials have been compromised in a cyber attack.

It is clear that end-users are still not practicing good password hygiene. Protecting passwords is crucial: security experts have found that 80 percent of hacking-related incidents involve misused or stolen credentials. These guidelines are intended to encourage individuals and businesses to be more vigilant about password security and so reduce their cyber risk.