In this interview with Help Net Security, Lori Österholm, CTO at Specops Software, explains what makes passwords vulnerable and suggests some password best practices and policies organizations should implement to keep their systems secure.
There’s cutting edge technology available in the marketplace, so why are businesses still dealing with bad passwords?
The bottom line is that humans are fallible. We rely on end users to make smart choices when selecting passwords but know that even with the password management technology available, end users don’t always make choices that are secure. In fact, 65% of end users re-use their passwords, and over 52% of respondents to our recent survey share their streaming site passwords with other people.
End users default to passwords that are easy to remember, often only changing a few characters with each password update. It’s important to help end users be more secure with technology options that have low barriers of entry — this way the adoption rates of something like a password manager, or password policy compliance, are higher and the tools are actually implemented.
As far as a passwordless future, even with the biometric capabilities we’re seeing now there are still backups that require an old-fashioned login — there is no easy way to reset a fingerprint or an eyeball, after all.
Your recent report looked at real world attack data. How vulnerable are today’s passwords?
The 2022 Weak Password report certainly proved that end users are human and not password-generating machines. Our research team, who typically works on collecting compromised passwords for our Breached Password Protection service, did a great job pulling this data together. Using the findings from proprietary surveys and over 800 million breached passwords, we found interesting trends among password use, including that traditional password construction best practices are no longer enough to protect accounts and keep data secure.
For example, 41% of passwords used in attacks are 12 characters or longer and 68% include at least two character types – reflective of the fact that attackers know what the complex recommendations are and are adapting to that.
In short, your organization should definitely be taking precautions beyond complexity by blocking the use of known breached passwords, creating strict password policies, and implementing custom dictionaries in your Active Directory to prevent the use of commonly found words like your company’s name or location. Here are a few more password policy best practices we rely on at Specops.
What are the most dangerous passwords to use in 2022? What’s common these days?
In our recent data there were several concerning trends in passwords including the use of leetspeak, pop culture references like Star Wars or sports teams, and of course the Nvidia LAPSUS$ hack showed a lot of end-users with Nvidia-branded terms in their passwords, which make a targeted attack much easier.
Anything that’s easily guessed by a computer, like common keystrokes (i.e., qwerty) or username recreations are always going to be dangerous in your organization.
To keep things simple, we recommend a random word passphrase that’s longer than 16 characters and doesn’t contain any personal information, breached passwords, or company information.
How do businesses deal with password resets? How can Specops Software help?
Active Directory password resets and account lockouts are a burden on IT departments everywhere. One Gartner stat, even from pre-pandemic times, saw that 40% of all helpdesk calls are password-related. In this hybrid-remote workplace that’s so prevalent now, that number has bound to increase thanks to less domain-joined devices. A self-service password reset solution enables employees to reset their forgotten Windows passwords and manage account lockouts without calling the helpdesk.
For IT departments, there are many benefits with using a self-service password reset solution beyond self-service. Whether it’s email or on-screen password notification reminders to encourage users to change passwords before they expire, or the ability to update the locally cached credentials for remote workers, it ultimately means spending less resources on password-related issues.
For users, it’s about convenience. A self-service password reset solution means availability and access, no matter the time, location, or device.
Our Specops uReset SSPR solution is a great option for teams looking to implement a secure password reset solution with minimal friction for end-users and the IT department. Specops uReset enables users to securely reset their Active Directory passwords, from anywhere, using any device. It includes security features like multi-factor authentication and geo-blocking to ensure a high level of security. We’ve worked hard to ensure seamless integration with our clients’ existing ID services like Duo/Okta/Ping and more.
What advice would you give to organizations that want to strengthen their password policies?
Good end user passwords begin with a well-enforced password policy. Once you identify your areas for improvement, you should make the following changes to strengthen your password policy:
- Your policy should block common passwords that are susceptible to attacks.
- Your policy should require a minimum number of changed characters to prevent those “I’ll switch the 1 to a 12 this time” password changes.
- Your policy should enforce passphrases which are easier to remember to reduce helpdesk calls.
It’s best to keep your policy easy-to-adopt by using dynamic feedback at password change so end-users can see exactly what’s wrong with their passwords when it’s not accepted.
You could also use a tool like Specops Password Policy which makes creating and implementing compliant and secure password policies simple.