7 tips to enhance your password security
In security terms, passwords are considered a relatively primitive method of protecting our most sensitive data. In fact, researchers at Trustwave SpiderLabs found that roughly one third of data breaches are attributed to weak passwords.
Despite this fact, many businesses continue to default to easily crackable passwords that are inherently vulnerable.
Enhancing password security is important even if individual employees don’t have access to sensitive data. According to Garret Picchioni, IT security consultant at Trustwave SpiderLabs, “An attacker doesn’t need to crack everyone’s passwords. It only takes one to get that initial foothold into the environment, and from there an attacker can pivot to data that actually matters. End-users will typically think they don’t have access to anything sensitive, so it doesn’t matter if their account gets compromised. This, in theory, is true. However, it gives an attacker the opportunity to migrate to a system that does have the information they’re seeking.”
Trustwave have suggested seven tips to better protect passwords and implement stronger password policies that apply to all employees:
- Add complexity: Passwords with more characters take longer to crack, even more so if they also contain symbols, numbers and a mixture of uppercase and lowercase characters.
- Use passphrases: Surprisingly, phrases such as “GoodLuckGuessingThisPassword” are harder to crack yet still easy enough for users to remember, while adding a further layer of complexity.
- Change passwords frequently: Passwords should be changed every 60 to 90 days, depending on the sensitivity of the account.
- Salt and hash: A piece of advice for IT administrators – use unique, random “salts” when “hashing” stored passwords, combining a piece of unique, random data with each password before the hash is calculated.
- Implement strong password policies: Apply a custom solution to your password policy. Don’t rely solely on Microsoft’s password complexity policy in Active Directory.
- Audit passwords: Identifying the weak links means conducting password audits that include non-tech-savvy users, who are often considered soft targets for attackers.
- Consider two-factor authentication: This requires a second form of verification and acts as another layer of defense when passwords are compromised.