Most of us have been guilty of using the same password to secure multiple accounts. Though the risk of password compromise is well known, it can be a challenge to memorize dozens of complicated, unique credentials – a set of unique identifiers such as a username and password – across multiple accounts.
Unfortunately, cybercriminals are well aware of that fact, which makes passwords a considerable weak link in an organization’s security approach. A 2023 report on data breaches found 49% of reported breaches by external actors involved the use of stolen credentials†.
In this article, Huntington’s Identity Access Management team details best practices for creating strong passwords, keeping credentials safe, and helping prevent breaches related to stolen passwords.
How threat actors steal passwords
Cybercriminals steal accounts, financial information, and sensitive data because they can profit from using or selling this information. Targeting passwords is an easy way to gain access.
“Passwords are your first layer of defense against malicious access to your information. If someone at your organization is reusing passwords and a cybercriminal were to gain access to it, your entire organization could be exposed,” says Todd Piche, Information Security Manager at Huntington.
There are several common techniques threat actors use to steal to passwords:
- Exploiting human error or gaining their victim’s trust through social engineering.
- Guessing answers to security questions with information shared through social media.
- Identifying passwords that are routinely reused across multiple accounts.
- Using password recovery toolkit (PRTK) software that automatically uses familiar words in password fields, including substituting characters for letters (e.g., p@$$w0rd).
Building better defenses in the form of strong password choices and protection can help keep organizations safe.
Tips for creating a strong password policy
Every organization should have set requirements for passwords to ensure they are secure, unique, and complex enough. No matter which accounts they protect, every password used at your organization should be created with these guiding principles:
- Complex – Use a passphrase (a string of words) with a minimum of 8 characters, both upper and lowercase letters, numbers, and non-alphanumeric characters (~!@#$%^&*_-+=`|\(){}[]:;"'& <>,.?/)
- Unpredictable – Avoid using obvious adjacent key patterns or movements (e.g., qwerty, fdsf)
- Unique – Never reuse passwords or use the same word or phrase for all accounts.
- Exclusive – Never use work credentials for personal accounts.
- Secure – Do not save passwords in web browsers, applications, shared drives, or network files.
Use these principles to develop or update your organization’s password policy. Be sure to enforce this policy and regularly communicate about it with employees.
Implement Multi-Factor Authentication (MFA)
Multi-factor authentication (MFA), also known as two-factor authentication, requires users to provide more than one verification type to access an account. Using MFA across all apps, services, and sites used at your organization is highly recommended to add an extra layer of security.
To gain unauthorized access to an account secured with MFA, a bad actor would need to have access to a user’s mobile device and know their username and password. This added verification is so secure that Microsoft found accounts with MFA were 99.9% less likely to be compromised‡.
MFA verification include any combination of the following:
- Something you know, like a password.
- Something you have, such as a hard token, security key, or smartcard.
- Something you are, meaning a biometric like TouchID or FaceID.
Always have a backup option whenever possible in case your primary option for MFA is not available or is lost.
Consider using a password manager
No matter how dedicated you are to password security, remembering dozens of unique passwords is next to impossible. Instead, consider investing in a tool that can take this on at your organization.
A password manager is a product that allows you to generate and securely store passwords by using a master password and MFA. This tool works across all devices and operating systems and encrypts stored passwords to keep them secure. Employees only need to remember one complex password to gain access to a portal with all their credentials in a central location.
There are many password managers on the market that offer various advantages. Keep in mind that this tool is also at risk of being hacked, so it is important to choose a reliable option.
When considering which password manager is right for your organization, look for one that:
- Uses multi-factor authentication.
- Alerts you when a password has potentially been compromised.
- Includes password generation capabilities to make it easier for employees to adhere to password requirements.
Five password security best practices
In addition to enforcing strict password requirements and implementing tools such as a password manager, there are a few other ways your organization can help avoid breaches related to stolen credentials.
- Create a strong culture of security by implementing routine cybersecurity awareness training for all employees, regardless of their role’s access to company systems.
- Require employees to update passwords regularly, regardless of whether they are used in a password manager or protected by an additional MFA check.
- Remain vigilant against phishing attacks and train employees on how to recognize suspicious emails attempting to get them to reveal sensitive information.
- Review account activity where possible and report any suspicious activity. For example, if you receive a prompt to complete an MFA activity you did not initiate, change your password immediately.
- Stay on top of software and device vulnerabilities. Running older versions of software and operating systems opens you up to vulnerabilities that could compromise sensitive data – like your passwords.
By implementing a strong password policy, offering awareness training, and using additional authentication methods, you can help protect your organization and its employees. Huntington can support you with the insights, resources, and expertise you need to help keep your organization safe. Contact your relationship manager to start the conversation.
