Dealing With Problematic Password Security Practices
Password security can be a persistent problem.
Passwords have been central to cybersecurity and user authentication since the dawn of the modern computing era, and the logic behind using them has remained the same: people prove they are who they claim to be by providing information only the legitimate user would know. That’s why passwords need to be kept secret. The introduction of multifactor authentication changed things by adding a second method of verification based on the user’s access to a personal device or another email account, which can go a long way toward improving your cybersecurity profile. It doesn’t make identity impersonation impossible, but it does make it a lot more difficult. Nevertheless, passwords remain an essential element of user authentication, which is why it’s important to understand how people undermine their own password security, and how to prevent it going forward.
During the infancy of computing, the relative lack of processing power and memory meant passwords had to be kept short, often to a maximum of eight characters. This limit on length meant the only way to make passwords more secure was to make them complicated. Unfortunately, this also made them harder to remember, which in turn led to users physically writing their passwords down on scraps of paper at their desk or on post-it notes stuck to the sides of monitors. This was also a time when the internet as we know it was still a fiction, so remote hacking was less of an issue and local bad actors were the security concern of the day. As a result, hackers back then didn’t need to crack a password; they just had to find whatever the password was written on and copy or steal it.
Alas, while computers, password recommendations, and technology all change (and fairly rapidly at that), people generally don’t. We’re not condemning or criticizing anyone, to be clear; it’s just human nature to find the fastest and easiest way to do things. However, it’s also true that when new tools, software features, and general advice become available, we tend to unintentionally undermine them with our own bad habits. For example, modern advice doesn’t just prohibit writing passwords down, but also directs users to make them long and change them regularly. And while it’s true that most people don’t write their passwords down these days, other bad behaviour has developed, such as “changing” a password and making it longer by just adding a number to the end: longpassword1, longpassword2, longpassword3, and so on.
How to easily improve password security
While it’s imperative that your organization have a codified password policy in place to ensure minimum security standards are maintained, the most effective way to prevent people from using problematic passwords is to implement a password manager. These applications store users’ login credentials so that long, complicated passwords never need to be remembered or written down. Indeed, one of the primary advantages of password managers is that you can set minimum values for things like password length, complexity, the inclusion of special characters, and how often passwords must be changed, so mandating the use of a centrally controlled password manager allows an organization to ensure its password policy is followed. Furthermore, not every system supports the same password security standards, but because most password managers can generate their own random passwords, they are especially useful for authenticating user access to systems that have no way of enforcing those standards themselves.
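The incremental-suffix habit from the previous section (longpassword1, longpassword2) and the policy minimums described here can both be enforced at password-change time. The following checker is an added example, not code from the original post or from any password manager; the minimum length and character-class values are assumed for illustration, and it assumes the old password is available in cleartext during the change (stored history stays hashed).

```python
import re

# Assumed policy values for illustration only; set them from your own password policy.
MIN_LENGTH = 14
MIN_CLASSES = 3  # out of: lowercase, uppercase, digit, special

# A trailing run of digits and common punctuation is what users typically "increment".
_TRAILING_COUNTER = re.compile(r"[0-9!@#$%^&*._-]+$")


def _stem(password: str) -> str:
    """Strip the trailing counter so 'longpassword1' and 'longpassword2' compare equal."""
    return _TRAILING_COUNTER.sub("", password).lower()


def character_classes(password: str) -> int:
    """Count how many of the four character classes the password uses."""
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])


def check_password(new: str, previous: list[str]) -> list[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(new) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    new_stem = _stem(new)
    for old in previous:
        if new.lower() == old.lower():
            problems.append("reuses a previous password")
            break
        # Guard against an empty stem (e.g. an all-digit password) matching everything.
        if new_stem and new_stem == _stem(old):
            problems.append("differs from a previous password only by a trailing counter")
            break
    return problems


if __name__ == "__main__":
    # Constructed sample: the exact bad habit described in the post.
    print(check_password("longpassword2", ["longpassword1"]))
```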
Of course, there’s no such thing as a perfect solution, so it’s important to acknowledge one crucial downside: password managers almost always require a long, complicated master password or passphrase to access the passwords within. If that master password is compromised, the user’s entire set of stored passwords has been compromised as well. Fortunately, a single, secure passphrase is much easier to memorize, as long as staff don’t revert to writing it down on a sticky note that anyone can see or steal.
Problematic passwords are an excellent example of the challenges that can crop up when trying to better secure a system. Although it’s almost always unintentional, human beings often unknowingly undermine security practices, even ones meant to protect the person themselves rather than the business. Our generally noble but nonetheless flawed nature needs to be acknowledged and taken into account when considering your own cybersecurity, and password managers are a great tool for dealing with it. At least, in this context.
For more information about password security or to help select and configure a password manager for your own organization, contact a TRINUS cybersecurity expert and we’ll be happy to help out with some stress-free IT.
This quote comes from Henry IV: Part 1; “I am as vigilant as a cat to steal cream.”
Be kind to each other, courtesy your friendly neighbourhood cyber-man.