There’s a well-worn phrase, often mis-attributed to Winston Churchill, that goes: “Democracy is the worst form of government … except for all the others.”

When it comes to IT security we could say the same for passwords. They’ve been proven time and again to be a major security risk for users and organizations. Yet thanks to their inherent usability, passwords remain the only viable option for many people, despite these shortcomings.

If even security experts like Troy Hunt are claiming that they’re here to stay, the focus should be on how to best manage the password problem securely. But new research shows that firms are failing to keep pace with recommended US government guidelines.

Security vs usability

There are two sides to every coin, and so it is with mitigating cyber risk. On the one hand is tighter security controls and on the other – usability. When it comes to protecting accounts, the most usable option is having no protection at all – which is also the least secure.

On the other hand, if IT applies over-rigorous security controls it risks impacting users to the point that they try to find less secure workarounds. This included sharing passwords across accounts, writing their passwords down, and choosing easy-to-guess log-ins.

Back to square one

The truth is that there are now several other ways to protect employee and customer accounts. Multi-factor authentication (MFA) requires a second “factor” such as a passcode sent by SMS to the user, or a biometric like a fingerprint or face scan, for example. But these won’t work for every user.

IT departments may be able to enforce them for employees which have high-value “privileged” accounts. But they may hit resistance if they try to do so for the entire company, and certainly will have problems winning over customers.

All roads always lead back to passwords.

Why do passwords matter?

In a business context, many major data breaches begin with a simple phishing attack designed to steal an employee’s account passwords. From there the hackers pivot to sensitive data stores.

It’s what enabled Chinese hackers to raid the Office of Personnel Management (OPM) and steal personal info on over 22 million federal employees, for example. According to Verizon, a third (32%) of breaches are linked to phishing attacks.

Customers in the firing line

Passwords also expose customers to phishing attacks designed to take over their accounts. Hackers either raid them for sensitive identity data – which can be sold on to fraudsters – or sell the account access itself online: for example, working Netflix log-ins could be sold to offer the buyer free streaming services.

It’s not just phishing that poses a risk. Credential stuffing is a technique increasingly favored by hackers. They use large volumes of stolen password/username data sold on the dark web and feed it into automated bots which try those log-ins on multiple other sites, hoping that the individual reuses them across several accounts.

Many do, allowing the bad guys to crack open other accounts – sometimes enterprise-related ones such as corporate email or accounting software.

One vendor detected nearly 28 billion credential stuffing attempts between May and December 2018 alone.

What are firms doing wrong?

New research has revealed a litany of mistakes firms are making when it comes to password management. These include:

  • A third of US firms require users to change their passwords too frequently. The official NIST advice now places less emphasis on this and more on using long credentials with special characters
  • Only a third check passwords against commonly used log-ins, and even fewer check “rainbow tables” (15%) and complexity algorithms (24%) which are able to see how easy they are for hackers to crack using special software
  • US firms on average have 67 apps that require individual passwords, complicating matters further for users
  • 38% of US firms have at least one app that allows shared log-ins
  • Too many apps requiring passwords means extra admin time for IT: in the US, a quarter (26%) of firms spend between 6-20 hours each week on password resets

What’s the impact on my firm?

By failing to manage and secure the use of passwords among employees and customers, organizations risk:

  • Major data breaches
  • Individual customer accounts being taken over by hackers
  • Regulatory fines
  • Brand damage
  • Legal costs, if customers take the firm to court
  • Costs associated with incident remediation and response
  • Declining share price
  • Lost customers

How do I manage passwords more securely?

The good news is that best practices in password security need not be too onerous or expensive. Where possible, try to give external customers the same options to make their accounts more secure.

Here are a few tips to get you started:

  • Train employees with NIST guidelines for strong, memorable passwords
  • Mandate the use of a password manager for employees. These will help create and store strong, unique passwords for each app/account and work across desktop/mobile environments
  • Enforce the use of MFA for privileged accounts. Consider risk-based systems which only request a second factor if the log-in seems suspicious
  • Single Sign-On (SSO) enables users to log-in to multiple apps with a single password
  • Limit the number of privileged accounts in the organization, and reduce privileges all-around, assigning them to only specific roles and users
  • Ensure any departing employees have their passwords canceled (deprovisioned) as soon as they have left the organization
  • Never store passwords in plain text. Always ensure they’re protected with strong encryption
  • Train employees/customers in good password management, including never logging in to sensitive accounts on public wifi or shared computers
  • Run phishing awareness training for staff
  • Ensure you run AV from a trusted vendor on all computers so hackers can’t download snooping software to steal log-ins