Password security and password protection are practices for establishing and verifying identity and restricting access to devices, files, and accounts. They help ensure that only those who can provide a correct password in response to a prompt are given access.
Passwords remain an effective solution for identity-based access control of digital assets when considering cost, security benefits, and ease of use and management.
The average user manages more passwords than ever. Password security systems are used not just to protect data but also to verify and establish identity for personalized features and account access. Stolen credentials are commonly used by cyberattackers to deliver malware. For this reason, it's important to adopt password security best practices, such as multi-factor authentication (MFA).
The application, website, or account (called the "verifier") asks the user (known as the "claimant") to type a string of characters that matches the characters stored with the verifier. Before permitting access, the verifier checks the entered phrase against its list of approved credentials to ensure the phrase and user ID match.
When used properly, password security can be very effective and plays a key role in multi-factor authentication (MFA). However, inattentive user behavior and insufficient protection of credentials by enterprises can cause damaging security breaches.
The first password systems assumed that users would memorize their passwords, which would create a secure form of password management. However, passwords have proliferated in home and work life and have also become more complex. Users have too many passwords to remember and often reuse passwords.
Hackers recognize these weaknesses and use a variety of methods to steal and guess passwords, such as sending spoofing and phishing emails. They can also purchase stolen credentials online.
A password manager is an app that generates complex passwords and stores them in an encrypted format. The advantage of a password manager is that it remembers and autofills passwords and can suggest long, difficult-to-crack random passwords. With a password manager, users don't need to memorize passwords or record them elsewhere; they just need to maintain access to one password account.
The downside of password managers is that all passwords are stored in one place, which could be attractive to cyberattackers. By successfully attacking a password manager, cybercriminals could obtain many passwords during a single breach. In addition, if email passwords are obtained, users can lose access to those accounts.
Nonunique passwords may pose the biggest threat to security. When a password is reused across multiple logins, the hacker who gains access to a single user account will have access to all of that user's accounts.
Passwords that consist of characters such as "1234" or "password" are surprisingly common. Cyberattackers know that users may choose these easy-to-guess passwords and can use this knowledge to easily breach networks and applications.
Users may believe that using information such as names, birth dates, and birthplaces will help them remember passwords. But cybercriminals view this practice as a valuable tool for their exploits. Attackers can often find this personal information on social media or in public records.
The practice of replacing letters with numbers in passwords, such as writing "3" in place of "E", is well known. Hackers can use this knowledge to guess passwords.
Using and managing passwords has become a challenge for users as well as IT and security teams. Protection from cyberattacks is only as strong as the weakest link. It's important that users understand the impact of their password security practices.
Requiring users to change passwords on a regular basis is one of the easiest and most effective ways to increase the security of passwords. Enterprise management systems can require users to change passwords on a set schedule. They can also prevent them from reusing passwords or adjusting a few characters to create a new one.
As stewards of credentials for users, verifiers must store passwords in the most secure way possible. One strategy is to avoid storing passwords in plaintext format, which attackers can easily read. Furthermore, never store your credentials in a browser.
Hashing and salting are methods of encoding passwords within larger strings generated by a password management solution, which translates them back to usable passwords when needed.
Stored passwords should always be hashed with a robust algorithm and encrypted. In some industries, such as financial services, password hashing and encryption are required by law. To increase security further, some verifiers may impose other measures, such as a maximum number of password attempts before lockout, timed sessions requiring re-entry of credentials, or multi-factor authentication.
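As an added example (not code from the page or from any product it mentions), the verifier side of the exchange described above: each user's password is stored only as a random salt plus a slow salted hash, a login attempt is checked by recomputing the hash and comparing it in constant time, and the account is locked after a maximum number of failed attempts. The iteration count, attempt limit and lockout period are assumed values.

```python
import hashlib
import hmac
import os
import time

# Added example, not the page's code: a verifier that keeps only a per-user
# salt and a slow PBKDF2-HMAC-SHA256 hash, compares hashes in constant time,
# and locks the account after too many failed attempts. Constants are assumed.
ITERATIONS = 600_000      # deliberately slow; tune for your hardware
MAX_ATTEMPTS = 5          # failed attempts allowed before lockout
LOCKOUT_SECONDS = 900


def hash_password(password, salt=b""):
    """Return (salt, hash). A fresh random salt per user defeats precomputed tables."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


class CredentialStore:
    """In-memory verifier: the plaintext password is never stored."""
    def __init__(self):
        self._records = {}  # user_id -> {salt, hash, failures, locked_until}

    def register(self, user_id, password):
        salt, digest = hash_password(password)
        self._records[user_id] = {"salt": salt, "hash": digest,
                                  "failures": 0, "locked_until": 0.0}

    def verify(self, user_id, password, now=None):
        """Return 'ok', 'denied', 'locked' or 'unknown' for a login attempt."""
        now = time.time() if now is None else now
        rec = self._records.get(user_id)
        if rec is None:
            hash_password(password, b"\x00" * 16)  # burn a hash so timing does not reveal valid user IDs
            return "unknown"
        if now < rec["locked_until"]:
            return "locked"
        _, candidate = hash_password(password, rec["salt"])
        # compare_digest takes the same time whether the first or last byte differs
        if hmac.compare_digest(candidate, rec["hash"]):
            rec["failures"] = 0
            return "ok"
        rec["failures"] += 1
        if rec["failures"] >= MAX_ATTEMPTS:
            rec["locked_until"] = now + LOCKOUT_SECONDS
            rec["failures"] = 0
        return "denied"
```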
Passwords should be at least 10 characters in length. They should also contain a combination of upper and lowercase letters, numbers, and special characters.
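A verifier-side policy check that combines the rules from the preceding paragraphs, as an added example rather than code from the page: it enforces the length and character-mix requirement, rejects common passwords, undoes the letter-to-number substitution trick before comparing, and refuses passwords that contain personal details. The deny list and substitution table are constructed here and are intentionally short.

```python
import re

# Added example, not the page's code. Constructed, deliberately short deny list;
# a real deployment would load a large breached-password list instead.
MIN_LENGTH = 10
COMMON_PASSWORDS = {"password", "1234", "123456", "qwerty", "letmein", "welcome"}

# Undo the usual letter-to-digit/symbol substitutions so "P@ssw0rd" is judged as "password".
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(text):
    """Lowercase and reverse common substitutions before comparing against the deny list."""
    return text.lower().translate(LEET_MAP)


def check_password(password, personal_info=()):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    lowered = password.lower()
    trimmed = re.sub(r"[^a-z]+$", "", lowered)  # "password123!" -> "password"
    # Compare the raw, trimmed and de-substituted forms against the deny list.
    forms = {lowered, trimmed, normalize(lowered), normalize(trimmed)}
    if forms & COMMON_PASSWORDS:
        problems.append("matches a common password after undoing substitutions")
    for item in personal_info:
        needles = {item.lower(), normalize(item)}
        if len(item) >= 4 and any(n in f for n in needles for f in forms):
            problems.append(f"contains personal information ({item})")
    return problems
```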
Multi-factor authentication (MFA) is a security process that requires users to respond to requests to verify their identities before they can access networks or other online applications. MFA may use knowledge, possession of physical objects, or geographic or network locations to confirm identity. When MFA is enabled, never give your password or MFA passcode to anyone over the phone or accept an MFA push notification that you did not request.
When users want to change passwords or recover forgotten passwords, challenge questions (which ask for correct responses to questions known to the user) can provide further confirmation of a user's identity. For example, a challenge question might ask for a mother's maiden name or the name of a user's first car.
Instead of having users store or remember complex passwords, biometric passwords provide physical proof of identities using devices that scan attributes such as fingerprints, faces, and voices. Requiring fingerprint or face scans has become a common security practice on smartphones. Cisco Duo supports the open WebAuthn standard for biometric authentication.