Passwords are one of the top challenges and causes of cyber fatigue for employees. As we move more of our business and lives online the number of credentials needed to protect our identities continues to grow. Unfortunately, a single password is sometimes the only security control preventing cybercriminals from gaining access to our sensitive information. To protect our organizations and our users, we need to help empower employees by enabling and rewarding them with password security that is usable and works in the background.
Many organizations are experiencing digital transformation and cloud migration. That means the traditional cybersecurity perimeter no longer applies. Identity management is the new perimeter and access is the new security. Passwords are critical to the protection of our digital assets.
What's the difference between a password and a privileged password?
I am often asked to clarify the difference between a password, a passphrase, a privileged password, and a Secret. In brief, these security controls are simply all types of secrets. And anything typically placed before ‘password’, such as ‘privileged’, ‘user’, or ‘application’ is what the password is being used to protect.
So, let’s get back to basics with Privileged Password Management 101
First, what is a password?
A password is also commonly known as a Secret, a passphrase, or if only numeric—a PIN. A memorized secret authenticator is a secret value intended to be chosen and memorized by the user. Memorized secrets need to be sufficiently complex and secret to ensure that an attacker will not be able to guess or otherwise discover the correct secret value. A memorized secret is something you know personally as a user.
Please, use 2-Factor Authentication (2FA) or Multi-Factor Authentication (MFA)
The password is a single-factor of authentication. The type of account or information the password is protecting determines whether you should add additional authentication security controls.
If the account is protecting and securing financial information, administrator access, or very sensitive information, then stronger security controls such as two-factor authentication or multi-factor authentication should be added. These must be used in conjunction with the password to gain access, especially 2FA for email or privileged accounts. It’s important that you recognize not all 2FA and MFA are equal. Some have stronger security controls to make it more difficult for attackers to crack. Always consider what is it you are protecting and apply the security control most appropriate for reducing the risk of compromise.
Password strength and length are important
What is a strong password, and is password length important? The strength of a password stems from how easily an attacker can guess your password using brute force or cracking techniques.
People think the rarity of a word or phrase will be enough to protect them
It’s typical for people to use passwords they can easily remember by choosing some unusual dictionary word or topic of interest. They think that the rarity of the word or phrase will be enough to protect them. However, cybercriminals use techniques that make guessing these types of passwords easy. So, when creating a password, make it something unique—preferably a combination of multiple words—and it must always be something that only you know, and no one can easily guess. You can further strengthen your Secret by adding random spaces between words.
When considering the length of your password, keep in mind that mathematical algorithms are stronger when your password exceeds eight characters and even better when it is longer than 16 characters. Going to these lengths makes your passwords that much stronger and harder to crack.
Password managers boost security and help avoid cyber fatigue
If you have many accounts and passwords, opting to use password manager software makes securing and managing your accounts far easier and safer. A password manager helps track the age of each password, lets you know what additional security controls have been applied, and helps generate complex passwords for all your accounts so you won’t have to type or remember them. You only need to remember one strong password to access your password manager and it will automatically generate strong passwords for you as you access various accounts.
Remember: when using a password manager, password best practices still apply
This means creating a password manager password that’s super strong. You can use passphrases, which are a combination of words and only a few special characters like ?%&@!). A long, strong passphrase combined with 2FA is tough to compromise and makes life for cybercriminals far more difficult.
While password managers are excellent tools for protecting individual users, organizations must look beyond password managers and consider privileged access security. Privileged Access Management platforms include password manager features but go beyond password manager capabilities to further protect both human and non-human privileged accounts. See the use of PAM solutions at the end of this blog.