Password security is one of the hottest, longest-standing topics in today's world of digital security, and it's no wonder: These single, self-contained words and phrases give users access to a wide breadth of info, powerful systems and functions that enterprise employees need in their daily jobs. Of course, all that power makes them points of intense interest for black-hat attackers and more civic-minded security researchers, albeit for very different reasons.
While different technological advancements (biometric thumb and eye scanners, wearable secondary gadgets like Android Wear, etc.) have threatened to overtake the password in recent years, none have surpassed it as the standard means of authentication. For better or worse, we're likely stuck with passwords for a while — so keeping them secure on both the provider and user ends is your best bet.
Passwords are points of entry. Wherever there is one, there's more than likely someone trying to figure it out for illicit means. In your enterprise, that could indicate any number of things: An employee trying to access admin accounts to make unauthorized changes, for instance, or an outside attacker looking for personal data to steal and sell.
Furthermore, while common sense tells us it takes access to a high-level account to do high-level damage, that's frequently not the case. Gaining unauthorized access into a given system is often a game of guesswork. Information discovered in the least privileged user's account might be what an attacker needs to gain access to an admin's credentials.
Then there's the stuff that comes after the attack. While you can't always guess what unauthorized visitors do with their access, it's almost always unsavory — info that could damage a business's standing or ability to negotiate, for example.
To sum all this up, password security is critical and requires dedication. Here are three things providers and users can do to ensure stronger password security:
1. Require complex passwords. The longer and more complex the password, the better. On the admin side, this can mean any number of things. You might require numbers, special characters, caps and lowercase letters. You could also tell users to make longer passwords or even turn whole sentences into phrases. Some administrators even give users options: Those who prefer shorter passwords might have to change their codes every 30 days, for example, while those using passphrases can wait 60 or 90 days instead. Two-factor authentication plays a role here as well: By requiring users to authenticate themselves beyond a simple password, you make things much more difficult for hackers — even talented ones.
2. Use complex passwords. Users, of course, are strongly advised not to use common passwords, like those including dates of birth or easily guessed words (such as "password"). Random strings of words, broken up by equally random numbers and special characters, are advisable; more security-minded users and those who work in fields with sensitive information may even want to consider a password manager such as KeePass.
3. Practice smart management. Passwords should never be stored in plain text on the admin's side. At the very least, use strong encryption and obfuscation methods to ensure intruders don't have easy access to users' log-in credentials. Even though they shouldn't, users often employ weak passwords and even keep the same passwords across multiple crucial sites, making the overall headache level even larger in the event of a leak.
The best password management, however, involves not keeping passwords server-side at all. Password hashing and salting, a method in which "hashes" are generated and verified in such a way that password info is never kept on the provider's end, ensures attackers never have access to those sweet, sweet tables. That's something your users and security staff will greatly appreciate.
Hashing and salting should be implemented using code developed by experienced security experts. Doing it internally is a hairy proposition, and leaving the development to a certified expert is just another facet of practicing smart password security.
Smart password use and administration is only one part of an overall security-focused mindset, but it's a huge one. Whether you're a user, a developer or both, treating password security as the hugely important issue that it is helps keep your system safe. If you're looking for more info, this Ars Technica article is an excellent place to start. Or, reach out to a trusted third-party security expert — after all, it's what they do!
Photo Source: Flickr