Password security is a major concern for companies, and one of the biggest challenges is getting employees to use better password hygiene. To shore up security, you need to find practices that your employees will actually use. To make it easier, consider sharing these five recommendations to help them find the right security practices for any given situation: 1) use a throwaway password, 2) use a password phrase, 3) use a password phrase that utilizes a pattern, 4) use a password phrase with two-factor authentication, 5) use password manager software with two-factor authentication.
“Use a strong password” is the “wear sunscreen” of the digital world: Everyone knows it’s good advice, but too few people actually follow it. Instead, they lean on go-to passwords that are easy to remember, throwing in that “!” at the end of their secret word or slotting “@” in place of the letter “a.” (It’s not for nothing that “P@ssword!” is the most popular password.) None of this, of course, diminishes the stakes of a breach for most companies. The uncomfortable truth is that password security remains a common and underestimated concern. And for companies, one of the biggest challenges in shoring up their security is getting employees to practice better password hygiene.
The problem here is that human nature is complicated. It’s not just that users don’t want to expend precious cognitive energy on remembering unique and complex passwords for every account. Often, they’re trying to avoid the feelings of frustration that accompany their failure to easily recall the information. Simple and familiar passwords will always trump complex and more secure ones. Sadly, the human factor of password security boils down to what’s easy rather than what’s secure. May the password gods forgive us.
We’ve seen how this plays out. Despite knowing the risks of weak passwords, which are vulnerable to brute force attacks, and repeating passwords, people do both over and over again. According to a 2019 Google poll, over 52% of users admit to reusing passwords and approximately 13% admit to using one password across all accounts. Simultaneously, 68% of password users admit they reuse credentials because they fear forgetting them; and 36% do not consider their accounts valuable enough to need more stringent security measures.
So what can companies do? The good news is it’s not a question of choosing between gold standard security or nothing at all. Instead, companies need to find the approach that works best for their people – and that employees will actually follow. Here are five recommendations that managers and IT departments can share with employees and teams to help them find – and use – the right level of protection for any situation.
The Throwaway Password
A throwaway password is one that is utilized with a throwaway email address. If you’ve ever created a burner email address to use a free trial, the idea is much the same. These single-use accounts are particularly useful if you know you’re going to be immediately subscribed to an endless barrage of unappreciated sales emails for the rest of that account’s lifetime (“unsubscribe” buttons be damned). The unimportant passwords for these trivial accounts provide protection in their insignificance. If (when) these passwords are stolen or these accounts are hacked, no critical information or passwords are lost. This theft will not put any critical accounts or passwords at risk.
For these accounts, you could actually use a password as simple as a word, a few letters, and a special character. For example: Frodo123! But never use this password again with any other email account. Reusing a simple password across multiple platforms can be the kiss of death.
A Password Phrase
Four- or five-character passwords, regardless of the combination of numbers, letters, or symbols, are similarly vulnerable. That’s why experts now recommend at least a 12-character password. The problem is that no one likes to remember a bunch of long, complicated passwords. Here’s where password phrases come in.
A password phrase is longer in length than a simple one-word password but easy to remember. Most of us should be using password phrases instead of words to increase character length, but they should not be something as simple as song lyrics (professional hackers have been on to this ploy for years). Using “everybreathyoutake,” “oopsididitagain,” or “igottafeeling” is practically asking to be hacked. Here’s a better example, which might be more applicable for you Gen Xers: In1984VanH@lenRock$! Although these passwords are not the gold standard of good password management, they are useful for those who will not regularly use good password hygiene outlined in the higher levels of online protection.
A Password Phrase That Utilizes A Pattern
This is a password built on a template you reuse across platforms, varied just enough on each one that the same password is never used twice. For example, if you have various social media accounts, you could use a word with a color (and a unique number/character pattern) across those accounts. For example: Instagram – urRED!@7am&8pm, Facebook – urWHITE!@7am&8pm, LinkedIn – urBLUE!@7am&8pm.
A word of caution: I have worked in organizations that have demanded passwords be changed every 90 days. In this case, I have seen individuals use the four seasons to align with the required update times. For example: “Spring2023!,” “Summer2023!,” “Fall2023!,” “Winter2023!.” Again, a professional hacker will be able to crack this code in under a minute. Use a combination that is specific to you – and only you (and stop using “!” so much – try using “+” or another less-common symbol).
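As an added example (not from the original article), here is a small Python policy check that flags the weak habits described in the last few sections: passwords under the 12-character minimum, the seasonal "Spring2023!" rotation format, dictionary words or song lyrics disguised with the usual symbol substitutions, and a lone "!" tacked on the end. The word list and the substitution table are assumptions chosen to match the examples in the text, not an exhaustive denylist; a real deployment would back this with a breached-password list.

```python
import re

MIN_LENGTH = 12  # the article's "at least 12 characters"

# Assumed denylist: words the article itself names as weak, compared after normalization
COMMON_WORDS = ("password", "everybreathyoutake", "oopsididitagain", "igottafeeling")

# Substitutions attackers already expect ("@" for "a", "$" for "s", ...); assumed table
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Season + year + optional trailing symbols, e.g. "Spring2023!"
SEASONAL = re.compile(r"^(spring|summer|fall|autumn|winter)\d{2,4}[^a-z0-9]*$")


def normalize(pw: str) -> str:
    """Lowercase, undo common leet substitutions, drop remaining symbols."""
    plain = pw.lower().translate(LEET)
    return re.sub(r"[^a-z0-9]", "", plain)


def check_password(pw: str) -> list:
    """Return the list of policy findings for pw; an empty list means it passed."""
    findings = []
    if len(pw) < MIN_LENGTH:
        findings.append("too-short")
    if SEASONAL.match(pw.lower()):
        findings.append("seasonal")
    norm = normalize(pw)
    if any(word in norm for word in COMMON_WORDS):
        findings.append("common-word")
    # The only "complexity" is a single exclamation mark at the end
    if pw.endswith("!") and pw[:-1].isalnum():
        findings.append("bang-suffix")
    return findings


if __name__ == "__main__":
    # Constructed sample inputs taken from the article's own examples
    for candidate in ("P@ssword!", "Spring2023!", "Frodo123!", "In1984VanH@lenRock$!"):
        print(f"{candidate!r}: {check_password(candidate) or 'ok'}")
```

Run it against a proposed password at account creation or rotation time; the findings list is what you would show the user, and an empty list is the pass condition.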
A Password Phrase With Two-Factor Authentication
Two-factor authentication is recommended for more sensitive login accounts, such as with banking information, work emails, and file sharing. This can rely on a confirmation text, email, biometric, or token, whether it’s a physical fob or an authentication system like Google Authenticator. By incorporating two-factor authentication in conjunction with a complex passphrase, you are greatly minimizing your chances of being hacked. While not perfect, two-factor authentication provides the user with something that any security professional will tell you is of value: It makes you that much harder of a target, which usually means your adversary will likely move on to easier victims.
Password Manager Software With Two-Factor Authentication
Knowing that a complex passphrase coupled with two-factor authentication is the best way to secure your login information, the problem remains of memorizing, recording, and/or sharing this information. For this reason, it is recommended that organizations that share login information have employees use password manager software, such as 1Password or Dashlane.
While still not infallible, a password manager helps employees who might practice poor cyber hygiene prevent data from unintentionally leaking out. It also allows for an immediate lockout of an employee who was recently terminated, without having to waste time on an overall organizational password reset.
Shared accounts pose an inherent risk. The moment you share a password with another person, vulnerabilities increase and so does the likelihood of being hacked. If you’re going to share a password, it needs to be changed at least every 90 days and as soon as anyone with access to the password leaves your organization. Most large public and private organizations mandate this frequency of updating passwords. Just make sure to avoid the easily anticipated formats mentioned above (Spring2023!, Summer2023!, Fall2023!, Winter2023!).
Poor password management has been the leading cause of data breaches for more than 10 years. One million passwords are stolen each week. The use of stolen login information is the second-most common method of breach. Eighty-five percent of data breaches prominently involve a personnel component such as phishing, stolen credentials, and human error. These instances of compromised data are often conducted by external actors for financial gain. The 2022 Verizon Data Breach Investigations Report explains that, when targeting businesses and organizations, hostile actors often access networks via weak or stolen passwords – in fact, 82% of security breaches that occur within basic web application attacks are achieved by stealing credentials like passwords.
Companies have to find the most secure approach that employees will actually follow. When setting password security policies, keep this in mind. The best system in the world won’t do you much good if employees end up working against it. So while companies should work to show employees that being secure and using good password hygiene doesn’t have to feel burdensome, they should also try to strike a balance that really works for their employees.
originally posted on hbr.org by Luke Bencie and Sydney Williams
Luke Bencie is the Managing Director of Security Management International. He has worked in over 100 countries for the Department of Defense, the U.S. intelligence community, and over two dozen Fortune 500 companies. He is author of the book The CARVER Target Analysis and Vulnerability Assessment Methodology, as well as Among Enemies: Counter-Espionage for the Business Traveler. He can be reached at firstname.lastname@example.org
Sydney Williams is a Junior Research Associate at Security Management International and a graduate student in International Affairs at American University. She is also a member of the University of South Florida’s Global Security Operations Collaborative (GSOC).