Here are 10 quick tips to employ today for strong password security.
Account Lockout-Lock accounts after a set number of failed password attempts. Aim for 5-10 attempts before the lockout triggers.
Check Password Strength-Many organizations offer tools for this.
LONG Password Length-We recommend long passwords over complex ones: at least 12 or 16 characters. Twelve characters already give you over three sextillion possible character combinations.
Use Single Sign-On (SSO) or Password Manager Applications-SSO connects your business’s various systems and applications so you only need to remember one password. Popular SSO and password manager applications include LastPass, Keeper Business, and OneLogin.
Check for Plain-text-Plain-text passwords are easy prey for traffic interception attacks; periodically check employee files for passwords stored in plain text.
Implement multi-factor authentication (MFA)-MFA grants access to an application only after the user presents two or more pieces of evidence that they are who they claim to be.
Salt and Hash passwords-Add a random string to each password before hashing it. A password management tool makes this easy.
Use Alphanumeric Passwords-Mix uppercase and lowercase letters with numeric characters and special symbols.
Password Hints-Make sure the hint information isn’t easily discoverable with a quick hunt through someone's social profiles.
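One way to run the periodic plain-text check the tip describes, as an added example that is not part of the original page or any vendor tool: scan text for `key=value` or `key: value` lines whose key ends in a password-like word, skip placeholder references, and report the hit with the value masked so the report itself does not become a second copy of the secret. The key list, the placeholder prefixes and the sample notes are constructed assumptions for this example.

```python
import re
from typing import Dict, List

# Flag 'key = value' / 'key: value' lines where the key ENDS with a password-like
# word. Requiring the word at the end means 'password_hash = ...' is not flagged
# (that is a hash, which is what we want to find instead of a plain-text value).
SECRET_KEY = re.compile(
    r"(?P<key>\w*?(?:password|passwd|passphrase|pwd))\s*[:=]\s*(?P<value>\S+)",
    re.IGNORECASE,
)

# Values that reference a variable or template rather than holding a real secret.
PLACEHOLDER_PREFIXES = ("${", "$(", "{{", "<")


def mask(value: str) -> str:
    """Keep only the first character so the report never repeats the secret."""
    return value[0] + "***" if value else ""


def scan_text(text: str, source: str = "<memory>") -> List[Dict[str, object]]:
    """Return one finding per line that appears to store a password in plain text."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in SECRET_KEY.finditer(line):
            value = match.group("value").strip("\"',;")
            if not value or value.startswith(PLACEHOLDER_PREFIXES):
                continue  # env-var reference or template placeholder, not a secret
            findings.append({
                "source": source,
                "line": lineno,
                "key": match.group("key"),
                "value_masked": mask(value),
            })
    return findings


def scan_file(path: str) -> List[Dict[str, object]]:
    """Scan a file on disk; errors='replace' keeps binary junk from aborting the run."""
    with open(path, encoding="utf-8", errors="replace") as handle:
        return scan_text(handle.read(), source=path)


# Constructed sample of the kind of notes file an employee might keep.
SAMPLE_NOTES = """# Onboarding notes (constructed sample for this example)
wifi_password = Summer2023!
username: jdoe
password: hunter2
password_hash = $pbkdf2-sha256$600000$c2FsdA$...
DB_PASSWORD=${DB_PASSWORD}
Remember: never email credentials.
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_NOTES, "notes.txt"):
        print(f"{finding['source']}:{finding['line']} {finding['key']} = {finding['value_masked']}")
```

Run it over a share or mailbox export with `scan_file`, and review the masked findings with the file owners; the masked form is what goes in a ticket, never the value itself.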
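What "salt and hash" looks like in code, as an added example written for this page rather than taken from it or from any password manager: every password gets its own random salt, the salt and work factor are stored next to the hash, and verification recomputes the hash and compares it in constant time. PBKDF2-HMAC-SHA256 with 600,000 iterations and a 16-byte salt are assumed parameters for the example; the record format `pbkdf2_sha256$iterations$salt$hash` is likewise an assumption.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example: PBKDF2-HMAC-SHA256, 16-byte random salt,
# 600,000 iterations (a deliberately slow work factor to blunt offline guessing).
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Hash a password with a fresh random salt.

    Returns a self-describing record 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'
    so the salt and work factor travel with the hash; the password itself is never stored.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # new salt per password: equal passwords -> different records
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and iterations, then compare in constant time."""
    algorithm, iterations, salt_hex, hash_hex = record.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported password record: {algorithm}")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    # compare_digest does not stop at the first differing byte, so timing reveals nothing
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


def same_password_different_records(password: str) -> bool:
    """Two users who pick the same password must not end up with identical stored hashes."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(verify_password("correct horse battery staple", stored))   # True
    print(verify_password("Correct horse battery staple", stored))   # False
```

Storing the iteration count in the record is what lets you raise the work factor later and re-hash each user on their next successful login without a migration.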
Keep Passwords Private-Don't share passwords with anyone, including IT staff.
Protect Against Specific Password Security Attacks
Phishing
Conduct phishing tests with your managed service provider (MSP). The findings tend to be very eye-opening regarding the number of employees who click unknown links or share login details.
Brute Force Attacks
Use the recommended password length of at least 12-16 characters, and make sure passwords are not dictionary words or commonly used phrases, which are easy to guess.
You can limit logins to a business’s specified IP address or range, which is a geolocation restriction. Remember, though, that remote workers' access may be hindered by geolocation restrictions.
You should enforce a delay between login attempts. This drastically increases the time a brute-force attack takes, sometimes the difference between days and years.
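A policy check that ties together the length advice, the character-class advice and the "no dictionary words" rule above, as an added example that is not the page's own code: it enforces the 12-character floor, rejects common words even when dressed up as `Password123!`, reports missing character classes as warnings rather than failures (the page prefers long over complex), and estimates entropy from the character set actually used. It also computes the combination count behind the page's "three sextillion" figure. The ten-word denylist is a constructed stand-in for a real breached-password list.

```python
import math
import string
from typing import Dict, List

MIN_LENGTH = 12  # the page's lower bound; 16 is better

# Constructed mini denylist for this example. A real deployment loads a
# breached-password or dictionary list with millions of entries.
COMMON_WORDS = {
    "password", "welcome", "letmein", "qwerty", "admin",
    "iloveyou", "football", "monkey", "dragon", "sunshine",
}

CLASSES = (
    ("lowercase", string.ascii_lowercase),
    ("uppercase", string.ascii_uppercase),
    ("digits", string.digits),
    ("symbols", string.punctuation),  # 32 printable ASCII symbols
)


def charset_size(pw: str) -> int:
    """Size of the union of the standard ASCII classes the password draws from."""
    return sum(len(chars) for _, chars in CLASSES if any(c in chars for c in pw))


def combinations(length: int, charset: int) -> int:
    """Number of possible passwords of this length over this character set."""
    return charset ** length


def entropy_bits(pw: str) -> float:
    """Bits of guessing work if the attacker must try every combination."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def looks_like_dictionary_word(pw: str) -> bool:
    """Catch 'Password123!' style variants: lowercase, then strip leading/trailing digits and symbols."""
    core = pw.lower().strip(string.digits + string.punctuation)
    return pw.lower() in COMMON_WORDS or core in COMMON_WORDS


def check_password(pw: str) -> Dict[str, object]:
    """Return hard failures (problems), soft advice (warnings) and an entropy estimate."""
    problems: List[str] = []
    warnings: List[str] = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if looks_like_dictionary_word(pw):
        problems.append("dictionary word or common phrase")
    missing = [name for name, chars in CLASSES if not any(c in chars for c in pw)]
    if missing:
        warnings.append("missing character classes: " + ", ".join(missing))
    return {
        "ok": not problems,
        "problems": problems,
        "warnings": warnings,
        "bits": round(entropy_bits(pw), 1),
    }


if __name__ == "__main__":
    for candidate in ("Password123!", "Tr0ub4dor&3", "correct-Horse7battery"):
        print(candidate, check_password(candidate))
    print("12 alphanumeric characters:", combinations(12, 62))  # ~3.2 sextillion
```

The entropy figure is an upper bound (it assumes a uniformly random choice); the dictionary check is what catches the human-chosen passwords that fall far below that bound.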
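The lockout tip at the top of the page and the delay-between-attempts tip just above are two halves of one control, so here is a single added example (written for this page, not taken from it) that implements both: consecutive failures double the wait before the next attempt, and the fifth failure locks the account for a period. The policy numbers (5 attempts, 15-minute lockout, 1-second base delay) and the in-memory store are assumptions; the `now` parameter is injectable so the behaviour can be exercised without sleeping.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Assumed policy values for this example: lock after 5 failures (the page suggests
# 5-10), lock for 15 minutes, and double the wait after every failure before that.
MAX_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60
BASE_DELAY_SECONDS = 1.0


@dataclass
class AccountState:
    failures: int = 0          # consecutive failed attempts
    locked_until: float = 0.0  # unix time at which the lockout ends
    next_allowed: float = 0.0  # earliest unix time another attempt may be made


class LoginGuard:
    """Tracks failed logins per username and enforces backoff plus lockout."""

    def __init__(self, max_attempts: int = MAX_ATTEMPTS,
                 lockout_seconds: float = LOCKOUT_SECONDS,
                 base_delay: float = BASE_DELAY_SECONDS) -> None:
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.base_delay = base_delay
        self.state: Dict[str, AccountState] = {}  # in-memory store (assumption)

    def check(self, username: str, now: float) -> Tuple[bool, str]:
        """Decide, before any password work is done, whether this attempt may proceed."""
        st = self.state.setdefault(username, AccountState())
        if now < st.locked_until:
            return False, "locked"
        if now < st.next_allowed:
            return False, "too_fast"
        return True, "ok"

    def record_failure(self, username: str, now: float) -> None:
        st = self.state.setdefault(username, AccountState())
        st.failures += 1
        if st.failures >= self.max_attempts:
            st.locked_until = now + self.lockout_seconds
            st.failures = 0  # fresh count once the lockout expires
        else:
            # exponential backoff: 1s, 2s, 4s, 8s between successive attempts
            st.next_allowed = now + self.base_delay * (2 ** (st.failures - 1))

    def record_success(self, username: str) -> None:
        self.state.pop(username, None)  # a good login clears the counters

    def attempt(self, username: str, verify: Callable[[], bool],
                now: Optional[float] = None) -> str:
        """Apply the policy first; only then run the (slow) password verification."""
        now = time.time() if now is None else now
        allowed, reason = self.check(username, now)
        if not allowed:
            return reason
        if verify():
            self.record_success(username)
            return "success"
        self.record_failure(username, now)
        return "failed"


if __name__ == "__main__":
    guard = LoginGuard()
    for t in (0, 0.5, 1, 3, 7, 15, 100):
        print(t, guard.attempt("alice", lambda: False, now=t))
```

Keying the counters by username means anyone who knows a username can lock its owner out by hammering wrong passwords, so pair this with per-source-address limits and alert on repeated lockouts rather than relying on the lockout alone.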
Make sure to encrypt data using current standards and the latest versions of Transport Layer Security (TLS) and Secure Sockets Layer (SSL) for email and other logins.
Social Engineering
Protecting against social engineering attacks can be difficult, since they can occur in person without you or your employees even realizing it.
Beyond doing your best to verify the identity of someone contacting you by email, by phone, or in person, one of the best things you can do is educate your staff on the subject.
Your organization should implement an internal IT reset policy so that IT admins verify the identity of anyone requesting a password reset. This ensures that you’re actually resetting verified user accounts and not handing access to a cyber-criminal. Remember, never reveal passwords or log-in credentials to anyone outside of your organization.
Man in the Middle (MITM)
An easy way to counter MITM attacks is to make sure you’re using up-to-date SSL and TLS software. Strong encryption on your access points will also mitigate the risk of this attack.
When you or your employees work remotely, use a virtual private network (VPN). It creates an encrypted tunnel through which remote staff reach your local area network, so private data is not exposed on the path.
Keyloggers
Most anti-virus software mitigates the risk of keylogger attacks nowadays, but you can also use specially designed anti-keylogger software such as SpyShelter.
Questions? Visit us at: www.commprise.com