In honor of World Password Day on May 6th, we wanted to share some key background and behaviors on passwords. Passwords are often one of the most painful and confusing security behaviors we teach people, and yet passwords are also often one of the greatest risks to most organizations. Passwords (also commonly called credentials) have become one of the primary targets of cyber attackers, especially attackers with more advanced skill sets or those who are attempting to persist long-term in a target organization’s environment. TTPs (Tactics, Techniques and Procedures) are a taxonomy of the common behaviors cyber attackers exhibit when targeting, hacking into, and persisting within an organization’s environment. A variety of reports, data, and statistics in the past 18 months have demonstrated a shift in threat actor TTPs, from a focus on malware to a focus on passwords. Phishing used to be a means to infect a computer; now phishing and related social engineering attacks have become the means to gain valid passwords.
The reason for this change in TTPs is that it is much harder for security teams to detect an intruder who is using valid credentials to pivot and traverse through an organization’s systems and data. This approach is called ‘living off the land’: the cyber attacker uses the same valid tools and credentials that authorized individuals use, so the attacker’s activities blend in and appear to be legitimate. This is why passwords have become one of the primary targets and why stolen or compromised credentials have become one of the top risks for organizations.
The Key Lessons for Passwords We Recommend You Focus On
In many ways, the goal of your password training should be to make passwords as simple as possible. In addition, a great deal has changed in the past five years in best practices for passwords, including replacing password complexity with password length and discontinuing password expiration policies. One of the most effective ways to simplify passwords in your organization could begin with a review and update of your organization’s security policies and procedures concerning passwords.
- Passphrases: Replace password complexity with password length whenever possible, and teach people the concept of passphrases. Passphrases can be sentences or a series of random words that create long passwords that are easier both to remember and to type.
- Unique: Emphasize and train on the importance of each and every account (both work and personal) having a unique password for that account. This ensures that if one account is compromised, all other accounts are still secure.
- Password Managers: If possible, encourage the use of password managers. Managing a long, unique password for each account is difficult for people, as many people can have over 100 passwords. The simpler we make a behavior, the more likely people will exhibit it. If your organization prohibits the use of password managers, keep in mind that people will still likely write their passwords down or use something like Google Docs or spreadsheets to manage all of their passwords.
- MFA: Whenever possible, people should enable Multi-factor Authentication (commonly called Two-Factor Authentication or Two-Step Verification) for their work and personal accounts.
Strong, secure passwords are key to helping reduce risk to your organization and for people to protect themselves at home. However, in the past, security policies have traditionally made passwords both confusing and difficult. The simpler we can make strong passwords for people, the more likely they will use them, and the more we all benefit. To help your organization and employees create a secure work-from-home environment, we put together a free toolkit that covers step-by-step guides, quick tips, and videos for individuals and their families. Now more than ever we need to equip our remote workforce with the right tools to defend themselves, and as a result, the organization as a whole, against evolving cybersecurity threats.