Are frequent password changes the key to managing password security? The CEO of Spycloud, Tim Ross, surprised his audience at a recent conference when he said that frequency of password changes did not matter that much.
He explained that the way most people change passwords contributed to password security problems, no matter how often they changed them. Thus, even periodic forced password changes could not ensure protection. He believed that weak passwords made people vulnerable, even if they changed their password every day.
Here at RedTeam, our cybersecurity experts agree with his assessment. Using complex, long passwords, and the right tools, like a password manager and two-factor authentication, will provide you with much more robust password security than simply changing passwords on a frequent schedule. Take a moment to understand our reasoning in order to protect your computer systems and online accounts against a data breach, malware, and other threats.
While almost everybody knows they should pick a strong password that's tough to guess, most folks make some serious mistakes. First, they really don't choose a new password but some slight variation of a fairly simple one they've used before, or even the exact same one they've used before for another system. Since so many passwords have already been leaked, a cybercriminal may need neither much sophistication nor much time to guess the changed password.
To understand the best suggestions for ensuring password security, it helps to learn why most password breaches happen in the first place. As CSO Magazine pointed out, hackers have already stolen millions upon millions of passwords. Even worse, they have widely distributed them through sales on illegal markets on the dark web. That means that one stolen password could end up in dozens of illicit places.
Even if people change their passwords regularly, they tend to either use similar variations or the same ones multiple times. To back this up, CSO Magazine also cited a recent study from Verizon that found over 80 percent of password breaches stemmed from two sources:
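The reuse-and-tweak habit described above can be caught at password-change time. The following is an added example (not code from the original post or from RedTeam Security) that rejects a candidate password that is a cosmetic variation of a previous one or that appears in a small, constructed breach list stored as hashes:

```python
import hashlib
import re

# Constructed sample data for this example: a user's previous passwords and a
# small "breach list" stored as SHA-1 hashes (how such lists are often kept).
PREVIOUS_PASSWORDS = ["Summer2019!", "Fluffy123"]
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("password", "qwerty123", "Welcome2024!")
}

def normalize(password: str) -> str:
    """Reduce a password to its lowercase, letters-only core.

    This strips the cosmetic edits people make when forced to 'change' a
    password (bumping a year, adding '!', changing case), so 'Summer2019!'
    and 'Summer2020!!' both collapse to 'summer'.
    """
    return re.sub(r"[^a-z]", "", password.lower())

def is_variation(new_password: str, old_password: str) -> bool:
    """True if the new password is just a tweak of (or contains) the old one."""
    new_core, old_core = normalize(new_password), normalize(old_password)
    if len(new_core) < 4 or len(old_core) < 4:
        return False  # too little letter content to compare meaningfully
    return new_core in old_core or old_core in new_core

def is_breached(password: str) -> bool:
    """Check a candidate against the (constructed) breach list by hash."""
    return hashlib.sha1(password.encode()).hexdigest() in BREACHED_SHA1

def evaluate_new_password(new_password: str, previous=PREVIOUS_PASSWORDS) -> str:
    """Return 'ok' or the reason the candidate should be rejected."""
    if len(new_password) < 12:
        return "too short"
    if is_breached(new_password):
        return "appears in breach list"
    for old in previous:
        if is_variation(new_password, old):
            return "variation of a previous password"
    return "ok"

if __name__ == "__main__":
    for candidate in ["Summer2020!!", "Welcome2024!",
                      "MyDogFluffy2024", "correct-horse-battery-staple"]:
        print(candidate, "->", evaluate_new_password(candidate))
```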
Some sites use security questions for additional verification. Security experts say that even this extra layer won't do a lot of good because it's so easy to find answers to questions like a mother's maiden name or a favorite pet's name on the internet, especially with all of the personal information published on social media.
Thus, even adding extra security questions to frequent password changes won't really provide robust protection. Better solutions include using complex, strong passwords, two-factor authentication, and avoiding the use of compromised credentials. Take a look at these suggestions in the following sections.
It's easy to understand the main objection to creating multiple, complex passwords for every online account and computer system. According to Ross, average people end up creating as many as 200 passwords. They'll be impossible to remember and writing them down on a sticky note isn't a secure, reliable way to manage them. That alone explains why most people tend to reuse simple passwords.
A password manager, like Lastpass, provides an ideal solution. Not only does it provide a secure vault for all credentials, it can also generate the kind of complex, random strings needed to defeat hackers. Since the password manager generates and remembers all of the different passwords, a user only needs to keep track of the one password that they use to access their Lastpass account.
Good password management and security systems can provide some additional benefits too.
See a Couple Examples:
Two-factor authentication, usually abbreviated 2FA and a form of multi-factor authentication, adds an additional barrier to thwart even the most determined cybercriminal. In short, two-factor authentication refers to systems that require users to supply two forms of credentials in order to log in. Each form of credential is called a factor.
In general, multi-factor authentication works like this:
With a password manager, the most vulnerable thing might be the master password for the account. While users can let the computer generate a robust password, that's one thing that the vault doesn't manage.
With Lastpass and similar password managers, users can use 2FA in addition to creating a password. This helps keep the user's account more secure. Not only will they need to supply their user ID and password, they will also need to retrieve a PIN code from their phone.
Of course, people should also consider enabling 2FA on social media, email accounts, Netflix, online banking, and any other systems that they use and add personal or financial information to. Even if a thief manages to steal a device and the passwords, they would need access to the second device to breach the system.
In summary, neither frequent password changes nor even extra security questions can really ensure robust security. Digital thieves have access to millions of stolen credentials and the entire internet to search for personal information. They also employ tools that can help them crack short, simple passwords within seconds. The best strategy includes:
Developing strong passwords only represents one aspect of protecting valuable business information. Criminals may also attempt to steal business assets with social engineering, phishing, or even on-premises attacks.
Typical businesses can't possibly anticipate all of the methods that digital criminals might use to steal valuable information and other assets. That's why prudent organizations call upon us for penetration testing. For a free consultation with our security experts, call 952-836-2770 or schedule a time online. Here at RedTeam Security, our HIPAA penetration testing will uncover security issues and offer the best solutions to fix them.