Top 5 password hygiene tips and best practices
Passwords enable users to access important accounts and data -- making them attractive targets to attackers, too. Follow these password hygiene tips to keep your organization safe.
Just about everything about passwords is inconvenient -- from creating them to remembering them to using them. And we haven't even talked about securing them yet.
According to a recent LastPass survey, 92% of users know password reuse is risky -- but 65% of them do it anyway. Even worse, 45% of respondents said they did not change their passwords after experiencing a breach.
To add insult to injury, security issues involving passwords are becoming more problematic. A ForgeRock report found attacks involving passwords increased 450% from 2019 to 2020.
So, how can security teams make employees follow better password practices and simplify UX, while improving security?
Despite the hype around passwordless authentication and its promise to improve UX and boost security, passwords remain an integral component of identity and access management -- and they aren't going away anytime soon.
In other words, password hygiene still matters. Whether your organization is moving toward password reduction or still juggling tens or hundreds of passwords, there are several tips to help raise the bar on password security.
1. Consider passphrases
The common thought for years was that long, complex and difficult-to-remember passwords -- such as N#JlwB%"+30~Qjok;4=8)F12$R! -- were the best ones. Turns out, a few words strung together as a passphrase can be even stronger. These phrases are also easier to remember, so users are less likely to write them down.
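How passphrase strength depends on word count and random selection, as an added example that is not part of the original article. The 16-word list is a constructed sample, 7,776 is the size of the EFF long wordlist, and the function names are illustrative.

```python
import math
import secrets

# Constructed 16-word sample so the block runs offline. A real deployment
# would load a large published list (the EFF long list has 7,776 words).
SAMPLE_WORDS = ["amber", "bison", "cedar", "delta", "ember", "fjord", "grove", "heron",
                "ivory", "jetty", "koala", "lotus", "maple", "nomad", "otter", "pearl"]
PRINTABLE_SYMBOLS = 94        # printable ASCII characters, excluding space
EFF_LONG_LIST_SIZE = 7776


def entropy_bits(choices: int, picks: int) -> float:
    """Entropy of `picks` independent, uniformly random draws from `choices` options."""
    return picks * math.log2(choices)


def generate_passphrase(words, count: int, sep: str = "-") -> str:
    """Draw words with the OS CSPRNG; the entropy figure only holds for random draws."""
    return sep.join(secrets.choice(words) for _ in range(count))


def words_needed(password_len: int, list_size: int = EFF_LONG_LIST_SIZE) -> int:
    """Fewest random words whose entropy matches a random password of this length."""
    target = entropy_bits(PRINTABLE_SYMBOLS, password_len)
    return math.ceil(target / math.log2(list_size))


if __name__ == "__main__":
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS, 5))
    print("bits per word, sample list:", entropy_bits(len(SAMPLE_WORDS), 1))
    for length in (8, 12, 16):
        print(length, "random characters ~", words_needed(length), "random words")
```

A phrase the user picks from memory, such as a quote or song lyric, does not get these figures; they apply only to words drawn at random.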
2. Require unique passwords
Whether you're using a password or passphrase, a critical part of password hygiene is using a unique one for every login. You read that correctly: every single one. While it's tempting to reuse a favorite password, it's a huge exposure. If an attacker compromises your password on a shopping site, they then have your login credentials for every site where that password was used. This is especially problematic when employees reuse passwords across personal and corporate accounts.

3. Employ password managers
Having a unique password or passphrase for every login means a lot of passwords. Unless you have a perfect memory, chances are you'll need something to help you remember those complex passwords and passphrases.
But don't think of writing them down on a sticky note or saving them in a file on your desktop. Instead, a password manager can help. These secure applications store all unique passwords and generate new ones as needed. Most password managers can sync across several devices, so users will never be without an important password when they need it. Another great feature is website verification. If you click a phishing link and connect to URB4nk instead of your real bank, the password manager won't autofill your password.
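The website verification described above, sketched as an added example that is not from the original article or from any particular password manager. It assumes a policy of exact-origin matching over HTTPS; the hostnames, the vault contents and the function names are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed vault: each credential is stored against the exact origin
# (scheme, host, port) where the user saved it.
VAULT = {
    ("https", "yourbank.example", 443): ("alice", "constructed-secret"),
}
DEFAULT_PORTS = {"https": 443, "http": 80}


def origin_of(url: str):
    """Normalise a URL to (scheme, host, port), or None if it cannot be parsed."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    try:
        # IDNA-encode so Unicode lookalike hosts become distinct xn-- labels.
        host = parts.hostname.encode("idna").decode("ascii").lower()
        port = parts.port or DEFAULT_PORTS[scheme]
    except (UnicodeError, ValueError):
        return None
    return scheme, host, port


def autofill(url: str):
    """Return the stored credential only when the page origin matches exactly."""
    origin = origin_of(url)
    if origin is None or origin[0] != "https":
        return None              # never fill over plaintext HTTP
    return VAULT.get(origin)     # lookalike or nested hosts simply miss


if __name__ == "__main__":
    for page in ("https://yourbank.example/login",
                 "https://urb4nk.example/login",
                 "https://yourbank.example.urb4nk.example/login",
                 "http://yourbank.example/login"):
        print(page, "->", "fill" if autofill(page) else "no fill")
```

The lookup compares the whole origin rather than searching for the bank's name inside the URL, which is why a host that merely contains or resembles the real name gets no credential.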
4. Review cycle frequency
For years, it was recommended passwords be changed every 90 days. And, for some use cases, that's still a good rule of thumb. If you're using single sign-on coupled with multifactor authentication (MFA) at your company, 90 days may be the sweet spot. Companies with passwordless authentication may determine annual password and passphrase changes are enough. In high-sensitivity use cases, 30 or even 15 days could be the right time frame. The most important part is to apply governance practices and work with the business to determine the best password change cycle for the organization.
Where does passwordless fit in?
You might be thinking: "Can't we just retire passwords forever?" Not quite yet. The word passwordless doesn't mean what you may think. The -less is similar to the less in serverless PaaS -- which does, in fact, have servers -- and unlike the phrase meatless lasagna, which you'd assume is vegetarian.
By using alternative authentication factors, such as biometrics -- for example, facial ID and fingerprints -- and other attributes, including device fingerprint and geolocation, companies that adopt a passwordless approach can reduce the number of passwords a user enters on a given day to zero. Mobile device users also benefit from the passwordless approach: press a finger on the reader to unlock the device.
In all these instances, however, there is still a password, phrase or code available as a fallback in case the biometric or attribute-based authentication measure fails. Any attacker with those credentials can still access your device or banking app, no fingerprint required. So, even with so-called passwordless authentication, password hygiene is still important.
5. Use MFA everywhere possible
The last but certainly not least password hygiene tip is enabling and enforcing MFA. If an organization requires MFA and an attacker gets an employee's credentials, the attacker won't have immediate access to the account. Modern MFA is as simple as receiving a one-time passcode on your mobile device or autofilling an OTP from your password manager. Most organizations, such as banks, health systems and service providers, including Microsoft and Google, offer MFA free of charge.