A simple method for improving password security is to blacklist commonly used passwords. That way, employees have no choice but to create non-standard passwords for their accounts, which are less likely to be broken through brute force.
Account Lockout — Remember to lock accounts after a certain number of failed password attempts. Aim for 5-10 attempts before the account lockout activates.
Change Passwords — Make it a requirement that employees change their passwords if they suspect their current passwords have been compromised.
Check Password Strength — Many organizations offer tools for this.
Recommended Password Length — We recommend making your passwords at least 12 or 16 characters long. Twelve characters already give you over three sextillion possible character combinations.
Use Single Sign-On (SSO) or Password Manager Applications — SSO connects your business’s various systems and applications so that you only need to remember one password. Popular SSO and password manager applications include LastPass, Keeper Business, and OneLogin.
Check for Plain Text — Plain-text passwords make traffic interception attacks easy; periodically check your employee files for passwords stored in plain text.
Implement Multi-Factor Authentication (MFA) — MFA only grants access to an application after you present two or more pieces of evidence that you are the correct user.
Set a Standard Password Reset Time — reset passwords once every 90 days.
Use Alphanumeric Passwords — combine alphabetic (uppercase and lowercase) and numeric characters with special symbols.
Password Hints — avoid them, since the personal details people use for hints are usually on their social media profiles. If you do use them, make sure the hint information isn’t easily accessible.
Keep Passwords Private — don’t share passwords with anyone, including IT staff.
Protect Against Specific Password Security Attacks
Phishing Attacks
First, conduct phishing tests, a service that often comes with the auditing and compliance services of your managed service provider (MSP).
Of course, we’ve done these tests for many companies to gauge their vulnerability to phishing and other cybersecurity threats. Findings tend to be very eye-opening regarding the number of employees who click unknown links or share login details.
Brute Force Attacks
Remember the recommended password length of at least 12-16 characters, and make sure passwords are not dictionary words or commonly used phrases, which are easy to guess.
Then, you can limit logins to your business’s specified IP address or range, a form of geolocation restriction. Remember, geolocation restrictions may interfere with remote workers’ access.
You should also enforce a minimum wait between login attempts. This drastically increases the time a brute-force attack takes, sometimes the difference between days and years.
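The account lockout rule above and the wait between attempts described here can be enforced by the same piece of login code. The following Python is an added example, not code from Commprise or this article: the 5-attempt threshold follows the article, while the 15-minute lockout, the doubling delay and the FakeClock are assumptions made for illustration.

```python
import time
from dataclasses import dataclass

LOCKOUT_THRESHOLD = 5       # failed attempts before lockout (the article suggests 5-10)
LOCKOUT_SECONDS = 15 * 60   # assumed lockout duration; tune to your own policy
BASE_DELAY = 1.0            # assumed wait (seconds) after the first failure; doubles each time

@dataclass
class AccountState:
    failures: int = 0          # consecutive failures since the last success
    last_attempt: float = 0.0
    locked_until: float = 0.0  # 0.0 means not locked

class LoginGuard:
    """Per-account lockout plus a growing minimum delay between attempts."""
    def __init__(self, clock=time.monotonic):
        self.clock = clock     # injectable so the behaviour can be demonstrated offline
        self.accounts = {}     # username -> AccountState

    def check(self, username):
        """Return (allowed, reason) for an attempt on `username` right now."""
        st = self.accounts.setdefault(username, AccountState())
        now = self.clock()
        if st.locked_until:
            if now < st.locked_until:
                return False, "locked"
            st.locked_until, st.failures = 0.0, 0   # lockout expired: start clean
        # required wait: 1s after 1 failure, 2s after 2, 4s after 3, ...
        if st.failures and now - st.last_attempt < BASE_DELAY * 2 ** (st.failures - 1):
            return False, "too_fast"
        return True, "ok"

    def record(self, username, success):
        """Call after the password itself has been checked; updates counters and locks."""
        st = self.accounts.setdefault(username, AccountState())
        st.last_attempt = self.clock()
        if success:
            st.failures = 0
            return
        st.failures += 1
        if st.failures >= LOCKOUT_THRESHOLD:
            st.locked_until = st.last_attempt + LOCKOUT_SECONDS

class FakeClock:
    """Constructed clock for a deterministic demonstration; advance `.t` by hand."""
    def __init__(self):
        self.t = 0.0
    def __call__(self):
        return self.t
```

Call check() before verifying a password and record() afterwards; after five rapid wrong guesses the next check() returns (False, "locked") until the lockout window has passed.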
Traffic Interception
Make sure you encrypt data using current standards and that you are using the latest versions of Transport Layer Security (TLS) and Secure Sockets Layer (SSL) for email and other logins.
Social Engineering
Protecting against social engineering attacks can be difficult since they can occur in person without you or your employees even realizing it.
Outside of doing your best to verify the identity of whoever contacts you by email, on the phone, or in person, one of the best things you can do is to educate your staff on the subject.
Your organization should also implement an internal IT reset policy so that IT administrators verify the identity of anyone requesting a password reset. This ensures that you’re actually resetting accounts for verified users and not handing an impostor ongoing access. Remember: never reveal your passwords or log-in credentials to anyone outside your organization.
Man in the Middle (MITM)
An easy way to counter MITM attacks is to make sure you’re using up-to-date SSL and TLS software. Strong encryption on your access points will also mitigate the risk of this attack.
When you or your employees are working remotely, use a virtual private network (VPN). This creates a secure tunnel through which you can access your local area network and its private data.
Keylogger
Most anti-virus software mitigates the risk of keylogger attacks nowadays, but you can also use specially designed anti-keylogger software like SpyShelter.
Questions? www.commprise.com