To reduce the danger of password theft, users and security teams should take the following steps:
- Use multi-factor authentication (MFA) wherever feasible. MFA requires users to prove their identity with two or more credentials; it raises the bar considerably, although it is not completely failsafe.
- Ensure that users take part in regular security training, such as spotting and reporting suspicious emails and texts, so that they follow password hygiene best practices (even MFA is not immune to phishing).
- Use a different, non-guessable password for each site or service. A password manager makes this practical, and a paid one is preferable to a free one.
- Encourage people to choose long, complex passwords. A fully random, computer-generated 12-character password defeats all known cracking efforts, and a 20-character password is better still.
- Protect admin credentials, APIs, and sensitive resources with account lock-out, a control that blocks access to an account after repeated failed attempts to authenticate to it.
Remember to employ a defense-in-depth (layered) strategy for the best password protection. This combines security policies that set out dos and don’ts, best practices, and incident response procedures; training users on password hygiene; and technical controls such as timely software patching, disabling weak hash algorithms and cryptography, monitoring systems for failed login attempts, performing account hygiene (including removing inactive users), and checking password exposure sites such as haveibeenpwned.com to learn whether credentials have been compromised.
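The lock-out control and the failed-login monitoring mentioned above can be combined into one piece of detection logic. The following is an added example written for this article, not code from it: it replays constructed sshd-style log lines (the sample lines, the threshold of 5 failures in 60 seconds and the 15-minute lock period are assumptions) and flags both the lock-out itself and any successful login that arrives while the account should still be locked, which indicates the control is not being enforced where authentication actually happens.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log lines (not from a real system); the format mirrors
# sshd's "Failed password for <user> from <ip>" / "Accepted password for ..." lines.
SAMPLE_LOG = """\
2024-03-01T08:00:01 sshd[101]: Failed password for admin from 203.0.113.7
2024-03-01T08:00:03 sshd[101]: Failed password for admin from 203.0.113.7
2024-03-01T08:00:04 sshd[101]: Failed password for admin from 203.0.113.7
2024-03-01T08:00:06 sshd[101]: Failed password for admin from 203.0.113.7
2024-03-01T08:00:07 sshd[101]: Failed password for admin from 203.0.113.7
2024-03-01T08:00:09 sshd[101]: Accepted password for admin from 203.0.113.7
2024-03-01T08:10:00 sshd[102]: Failed password for alice from 198.51.100.4
2024-03-01T08:20:00 sshd[102]: Accepted password for alice from 198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)$"
)


def evaluate(log, threshold=5, window_s=60, lockout_s=900):
    """Replay log lines in order and apply a sliding-window lock-out policy.

    Returns (locked, alerts): locked maps user -> lock expiry time; alerts lists
    events a SOC would want to see, including a success that happened while the
    account was locked (i.e. the lock-out was not enforced at the auth layer).
    """
    recent = defaultdict(deque)  # user -> timestamps of recent failures
    locked, alerts = {}, []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the expected format
        ts = datetime.fromisoformat(m["ts"])
        user, ip, result = m["user"], m["ip"], m["result"]
        if result == "Failed":
            q = recent[user]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > window_s:
                q.popleft()  # drop failures that fell out of the window
            if len(q) >= threshold and (user not in locked or ts > locked[user]):
                locked[user] = ts + timedelta(seconds=lockout_s)
                alerts.append(f"LOCKOUT {user}: {len(q)} failures within {window_s}s from {ip}")
        elif user in locked and ts <= locked[user]:
            alerts.append(f"SUCCESS DURING LOCKOUT {user} from {ip} at {ts.isoformat()}")
    return locked, alerts
```

On the sample above, `admin` is locked at 08:00:07 after five failures in six seconds, and the accepted login two seconds later is reported as a success during lock-out; `alice`, with a single failure, triggers nothing.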
With everything going online, hackers will only improve their skills. If your company is serious about safeguarding its identity, data, reputation, money, and other assets, it’s time to rethink password security.