End-User Guidelines for Password Security
End-user password security standards can keep you out of trouble and even save your job and reputation. For authenticating and approving access to internet resources, passwords remain a popular security control. However, if you do not follow adequate end-user password security rules, you are putting yourself in grave danger.
There are as many strong opinions about password security as there are possible passwords. Businesses draw the border between acceptable and unacceptable password practice in different places. Even so, users of password-protected systems can follow a number of best practices.
Importance of Password Security
As an authorization method, passwords are used all over the place. Meanwhile, the security landscape continues to change. What businesses consider secure today becomes obsolete and vulnerable the next day. Passwords continue to be a weak link and a source of a variety of cybersecurity flaws.
Phishing attempts are on the rise these days, with the goal of duping users and stealing their passwords. Individuals are targeted by password thieves when they download harmful documents from phishing emails, which have infected tens of millions of people. Hackers also use browser extensions and other malicious programmes to track down login info that gives them access to a victim’s many systems and applications.
Because of these attack trends, users and system developers must stay informed about password security best practices.
Everyday Password Mistakes Users Make
Despite increased security awareness, many users continue to reuse passwords and rarely change them. A Google-Harris Poll online security survey found that password reuse is still a common practice, even though 91 percent of end users say they understand the dangers of using the same password for many accounts. Users are using the same password for multiple accounts in 52% of cases. Only 35% of people use a single password for all of their accounts. Surprisingly, 13% of end-users use the same password across multiple accounts.
Microsoft looked through a database of three billion publicly released credentials to see who was reusing passwords. According to their analysis, 44 million Microsoft customers reused login credentials in the first three months of 2019. When a third-party service suffers a data breach that leaks users’ credentials, it inadvertently exposes the user’s other accounts, even if the person used a complicated password.
Use of Default and Easily Guessable Passwords
Default and easy-to-guess passwords, such as 12345 and admin1234, have recently been used to breach personal and corporate accounts. The top two worst and most popular passwords, according to a recent SplashData Worst Password ranking based on more than five million stolen passwords, were “123456” and “Password.” “Qwerty,” “football,” and “iloveyou” are among the other regular suspects on the list.
End-users are encouraged to avoid utilising vendor-supplied defaults for passwords and other security parameters, according to the Payment Card Industry Data Security Standard (PCI DSS).
Failure to Change Passwords Periodically
Password security is harmed by the failure to change passwords. According to a recent survey, 53% of end-users admit to not updating their passwords in the last 12 months, despite being aware of the hazards. Six out of ten people asked said they rarely update their password over time. Surprisingly, 15% of end users said they would rather conduct a household task than update their passwords, while 11% would rather sit in traffic.
However, NIST advises that companies should apply the common practice of periodic password resets only on a limited basis. The argument against short password change periods is the human tendency to pick a sequence or pattern to relieve the burden of memorising a new difficult password every few months. Passwords must expire every 90 days, according to the Payment Card Industry Data Security Standard (PCI DSS).
Using Names of People, Places, Pets
Passwords that include people’s names, pets’ names, dates of birth, or addresses should be avoided. Hackers can conduct research on a victim and find personal information about them on the internet, which they can use to guess login data. Even minor modifications of such names do not guarantee secure passwords.
End-User Guidelines for Password Security
Neglecting password security raises significant cybersecurity risks and weakens an organization’s or individual’s overall cybersecurity posture.
Password Length and Composition
A strong password should be at least eight characters long, with upper and lowercase alphabetic characters (A-Z, a-z), numerical characters (0-9), and special characters included. The following is recommended by NIST Special Publication 800-63B: “If the subscriber chooses, memorised secrets MUST be at least eight characters long. In memorised secrets, all printing ASCII characters, as well as the keyboard space, SHOULD be permitted.” NIST also recommends using passwords with a length of up to 64 characters.
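The rules above (a minimum of eight characters, any printing ASCII character including space, an upper bound of 64 characters, the composition classes the page lists, a blocklist of common passwords, and a check for the personal terms the page warns against) can all be applied locally before a password is accepted. The following checker is an added example written for this guide, not code from NIST or any product; the blocklist entries are the passwords named on this page, the personal terms are constructed demo values, and the leetspeak table is an assumption about the "minor modifications" users typically make.

```python
import string
from typing import Iterable, List

# Allowed alphabet per the NIST 800-63B guidance quoted above: every printing
# ASCII character plus the space character.
ALLOWED_CHARS = set(string.printable) - set("\t\n\r\x0b\x0c")

# Constructed blocklist seeded with the entries named on this page. A real
# deployment loads a large list (e.g. the NCSC's top 100,000) from disk.
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "football", "iloveyou", "12345", "admin1234",
}

# Assumed set of simple substitutions users apply to dictionary words; undoing
# them before the blocklist lookup catches "P@ssw0rd" as well as "password".
LEET_MAP = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i", "!": "i",
                          "3": "e", "$": "s", "5": "s", "7": "t"})


def undo_substitutions(text: str) -> str:
    """Lower-case the text and reverse the common leetspeak substitutions."""
    return text.lower().translate(LEET_MAP)


def check_password(candidate: str, personal_terms: Iterable[str] = ()) -> List[str]:
    """Return a list of policy violations; an empty list means the password passes.

    personal_terms are names, pet names, dates and similar strings known to
    belong to the user; any of them appearing in the password is a violation.
    """
    problems: List[str] = []

    if len(candidate) < 8:
        problems.append("shorter than 8 characters")
    if len(candidate) > 64:
        problems.append("longer than 64 characters")
    if any(ch not in ALLOWED_CHARS for ch in candidate):
        problems.append("contains characters outside printable ASCII and space")

    lowered = candidate.lower()
    normalised = undo_substitutions(candidate)
    if lowered in COMMON_PASSWORDS or normalised in COMMON_PASSWORDS:
        problems.append("matches a blocklisted password (possibly after undoing simple substitutions)")

    for term in personal_terms:
        t = term.lower()
        if len(t) >= 3 and (t in lowered or t in normalised):
            problems.append(f"contains personal term {term!r}")

    # Composition classes the page recommends; reported as one finding so a
    # long passphrase is not rejected outright but the user sees what it lacks.
    classes = {
        "uppercase": any(c.isupper() for c in candidate),
        "lowercase": any(c.islower() for c in candidate),
        "digit": any(c.isdigit() for c in candidate),
        "special": any(c in string.punctuation for c in candidate),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        problems.append("missing character classes: " + ", ".join(missing))

    return problems


if __name__ == "__main__":
    # Constructed demo inputs: "Rex" and "2019" stand in for a pet name and a birth year.
    for pw in ["123456", "P@ssw0rd", "Rex2019!!", "correct horse battery staple", "Tr0ub4dor&3"]:
        print(f"{pw!r}: {check_password(pw, personal_terms=['Rex', '2019']) or 'OK'}")
```

Note that the blocklist lookup runs on both the raw and the de-substituted form, so "P@ssw0rd" is rejected even though it satisfies every composition class; that is the failure mode the page describes when it says minor modifications of a guessable word do not make a secure password.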
Use a Password Manager
Despite the fact that many admit they need an efficient way to keep track of passwords, only 24% of end-users use a password manager. To enforce password best practices, organisations and individuals must have suitable password management systems. End users should look for a password manager that uses strong encryption and requires authentication before allowing access. A password manager should be protected by a master password and, if possible, two-factor authentication.
Use Multifactor Authentication
Microsoft claims that a multifactor security mechanism for user accounts prevents 99.9% of all attacks. Due to the rarity of MFA bypass attempts, security teams do not have statistics on this type of threat. The use of a multifactor authenticator, which requires two factors to conduct a single authentication event, is recommended by NIST Special Publication 800-63B. Some MFA systems that provide an extra layer of security include a combination of two or more of the following features:
- Something you know – passwords, PIN, code words
- Something you have – keys, smartphones, smart cards, token devices, USB drives
- Something you are – fingerprints, palm scans, voice recognition, retina scans, iris scans, facial recognition
As a password, use a long and random multi-word phrase
End-users should refrain from utilising a string of words from a standard dictionary. Instead, end-users should consider employing passphrases made up of a series of words interspersed with numeric and symbolic characters. Passwords like a favourite quote or lyrics containing special and numerical characters are simple to remember for the user but difficult to crack for an attacker. The use of blank spaces in a multi-word phrase also improves password security.
To lessen the chance of cybercriminals penetrating an account, the UK’s National Cyber Security Center (NCSC) recommends using three random yet memorable phrases in a password. “Using difficult-to-guess passwords is a good first step,” says Ian Levy, NCSC Technical Director. “We propose combining three odd but memorable words.” “Be original and use terms that are memorable to you so that no one can guess your password.”
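The NCSC advice above rests on an arithmetic point: a phrase of random words is strong because each word is drawn independently from a large list, so the search space multiplies with every word. The generator below is an added example for this guide, not NCSC or NIST code; its wordlist is a constructed sixteen-word stand-in for a real list of thousands of words, and the separator symbols and two-digit suffix are assumptions that follow the page's suggestion of mixing numeric and symbolic characters into the phrase.

```python
import math
import secrets
from typing import List, Sequence

# Constructed, deliberately tiny wordlist for the demo. A real generator draws
# from a published list of thousands of words (e.g. an EFF diceware list).
WORDLIST: List[str] = [
    "anchor", "basil", "candle", "dragon", "ember", "falcon", "glacier",
    "harbor", "island", "jungle", "kettle", "lantern", "meadow", "nectar",
    "orbit", "pepper",
]
SEPARATORS = "-_.!#+"   # assumed set of symbols placed between the words


def choose_words(wordlist: Sequence[str], n_words: int = 3) -> List[str]:
    """Pick n_words independently and uniformly with the CSPRNG (secrets, never random)."""
    return [secrets.choice(wordlist) for _ in range(n_words)]


def compose(words: Sequence[str], separator: str, suffix: str) -> str:
    """Capitalise each word, join with a symbol and append a numeric suffix so the
    phrase mixes letters, symbols and digits as the guideline suggests."""
    return separator.join(w.capitalize() for w in words) + separator + suffix


def generate_passphrase(wordlist: Sequence[str] = WORDLIST, n_words: int = 3) -> str:
    words = choose_words(wordlist, n_words)
    separator = secrets.choice(SEPARATORS)
    suffix = f"{secrets.randbelow(100):02d}"   # two random digits, 00-99
    return compose(words, separator, suffix)


def entropy_bits(wordlist_size: int, n_words: int,
                 separator_choices: int = 1, suffix_choices: int = 1) -> float:
    """Entropy of a phrase built this way, assuming the attacker knows the
    wordlist and the format: every independent choice multiplies the search space."""
    return (n_words * math.log2(wordlist_size)
            + math.log2(separator_choices)
            + math.log2(suffix_choices))


if __name__ == "__main__":
    phrase = generate_passphrase()
    bits = entropy_bits(len(WORDLIST), 3, len(SEPARATORS), 100)
    print(phrase, f"({bits:.1f} bits with this toy list)")
    print(f"three words from a 7,776-word diceware list: {entropy_bits(7776, 3):.1f} bits")
```

The entropy figure is the honest measure of strength here: three words from the toy list give only about 21 bits even with the symbol and digits, while three words from a 7,776-word list give roughly 39 bits before any suffix, which is why the size of the list matters far more than capitalisation or a trailing number.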
Do Not Share Your Password
According to a poll conducted by LastPass, password sharing is widespread, with 95% of respondents confessing to sharing an average of six passwords with others. Passwords are typically shared with spouses and children, with 76 percent of people sharing their login credentials with their significant other, according to the survey.
End-users appear to have valid motivations for sharing passwords because it allows several people to access the same account. Employees sometimes place passwords on sticky notes under their keyboards so that coworkers may log into their work accounts in the event of an emergency. Managers, likewise, share their login credentials so that they can outsource duties to others. According to a survey conducted by LastPass, 61% of employees would rather share a corporate password than a personal one.
Wi-Fi, movie streaming, financial accounts, email and communication, social networking, work-related, and utility passwords are among the most commonly shared passwords. Seventy-three percent of users are unlikely to reset their password after it has been shared.
Reusing passwords raises the risk of a single stolen password posing a corporate hazard. Passwords should not be shared with anyone, including coworkers, friends, or family members. Well-intentioned password sharing poses a significant security risk to systems and personal data.
Avoid Writing your Login Details Down on Paper
End-users should avoid writing down their passwords or storing them in unsafe places as a general rule. It may be appropriate in some cases to put the password on a piece of paper and make it available to anyone with access to the system or device. End-users should only utilise this method if no outsiders are present in the office or at home. Users should keep sticky notes with passwords hidden if at all possible. End-users should keep the sheet of paper in a secure location out of sight, such as a closed desk drawer or cabinet, according to CNET.
Do Not Use Automatic Logon Feature
End-users make it easier to remember numerous account login passwords by saving them in browsers and logging in automatically. This seemingly safe shortcut, however, creates vulnerabilities that hackers can take advantage of. Using the automatic logon capability of websites and applications negates the benefit of requiring a password in the first place. A malicious actor who gains physical access to a device with automatic logins configured can easily breach the system and acquire access to sensitive data.
Although it may appear to be a smart idea to avoid inputting individual passwords every time an end-user logs into an account, doing so is akin to unlocking a house’s front door and leaving it wide open.
Proscribe Password Hints
Websites and online accounts offer password hints to help end-users remember their login credentials. This method, however, may jeopardise password security. It is common practice for users to leave hints that make the password easy to determine, both for themselves and for malicious cyber actors. NIST has effectively banned the use of knowledge-based authentication questions such as “what street did you grow up on,” whose answers hackers can easily find online.
Use a Password Blacklist
Hackers may undoubtedly utilise modern password cracking tools to easily crack user-generated passwords. Fortunately, end-users can reduce their risk by comparing their login credentials to a list of compromised credentials. The NCSC, for example, offers a list of the top 100,000 most stolen passwords that users should avoid when signing up for online services. Third-party password filtering services provide a more comprehensive list of previously leaked passwords, containing billions of them. Vendors offer tools that check Active Directory for accounts with passwords that are weak or blacklisted.
You can also keep an eye on your passwords to see if they’ve been leaked due to a data breach. In a cyber incident, Mozilla’s Firefox Monitor and Google’s Password Checkup show users which of their email addresses and login data have been hijacked.
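Checking a password against a breach corpus of billions of entries does not require sending the password anywhere. The widely used range-query design (the Pwned Passwords k-anonymity API, which services such as the ones named above build on) sends only the first five hex characters of the password's SHA-1 hash and receives every hash suffix in that range with its breach count, so the client finishes the lookup locally. The code below is an added example for this guide, not code from Mozilla, Google or Have I Been Pwned; the sample response body and its counts are constructed for the demo, and the live fetch helper is included but not exercised offline.

```python
import hashlib
import urllib.request
from typing import Dict, Tuple

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> Tuple[str, str]:
    """k-anonymity: only the first 5 hex chars of the SHA-1 ever leave the client."""
    digest = sha1_hex_upper(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines the range endpoint returns into a dict."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue            # tolerate blank lines or padding entries
        suffix, count = line.split(":", 1)
        counts[suffix.strip().upper()] = int(count.strip())
    return counts


def breach_count(password: str, range_body: str) -> int:
    """How many times the password appeared in the breach corpus (0 if absent).

    The comparison happens locally against the suffixes in range_body, so the
    service never learns which of the hundreds of hashes in the range was ours.
    """
    _, suffix = split_hash(password)
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Query the live range endpoint for a 5-character prefix (requires network)."""
    req = urllib.request.Request(PWNED_RANGE_URL + prefix,
                                 headers={"User-Agent": "password-hygiene-demo"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed sample of a response for the prefix 5BAA6 (the range that contains
# the SHA-1 of "password"); the counts and the other suffixes are made up for
# the demo and are not real figures from the service.
SAMPLE_RANGE_BODY = """\
00D4F6E8FA162D0CE8AC2F67D4F6D0D7C6E:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
3D7C0B5C8A4D8C7E1A3B9F2E4D6C8B0A1F2:11
"""

if __name__ == "__main__":
    prefix, _ = split_hash("password")
    print("prefix sent to the service:", prefix)
    print("seen in breaches:", breach_count("password", SAMPLE_RANGE_BODY), "times (constructed sample)")
```

For a live check, replace the sample body with `fetch_range(prefix)`; a non-zero count means the password has already appeared in a public breach and should be treated as known to attackers regardless of how complex it looks.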
End-users, without a doubt, do not appear to be adopting improved password hygiene. Password security is critical because 80 percent of hacking-related breaches are caused by stolen or reused credentials, according to security experts. To reduce cyber threats, this end-user guideline encourages individuals and businesses to take password security more seriously.