Top 6 Password Security Best Practices

Attackers go after passwords systematically, and a weak or reused password will eventually be guessed, phished, or pulled out of a breached database. What best practices can help secure your accounts?

What are the best practices for password security?

Best practices for password security include the following:

  • Enforce complex passwords
  • Change passwords when compromised
  • Deploy anti-phishing measures
  • Use multi-factor authentication
  • Go passwordless
  • Use privileged access management

What Are the Challenges of Password Authentication?

Password authentication is one of the oldest forms of security, and that is both good and bad. On the positive side, passwords are simple to implement and ubiquitous, and good password hygiene is a reasonable first line of defense. On the other hand, a password is a shared secret that the user must remember, type, and protect, which makes it the easiest authentication factor to steal or guess.

Why are passwords so easy to get past in a security system?

  • Hacking: Passwords can be captured at the point of use (an authentication portal or sign-in page, a keylogger, a fake login form) or stolen from the database that stores them. A password is easy to change, but when a major platform's credential database is breached, every password in it is exposed at once, and if those passwords were stored unhashed or with a fast, unsalted hash, they can be recovered offline.
  • Password Hygiene: Many users simply do not practice good password hygiene. Reusing one password across multiple platforms, or choosing weak passwords that are easy to guess, hands attackers easy access to private data and systems.
  • Social Engineering: Users are often called the weakest link in security, and crafty attackers use email, SMS, phone calls, and other channels to trick them into handing over their passwords under false pretenses.

So why, exactly, do we still use passwords? A password is one authentication factor that, combined with other factors, provides a workable basis for account security. Passwords are not hard to implement (at least on the surface) and are relatively easy to manage.

What Are Some Potential Attacks Against Passwords?

Passwords invite several different types of attacks, many of which can be combined for devastating results. These attacks evolve every day, and some of them, phishing in particular, are among the most common forms of attack.

Some of the potential attacks that threaten password systems include the following:

  • Brute-Force Attacks: The bluntest attacks are brute-force, dictionary, and password-spraying attempts. Brute-force and dictionary attacks throw many thousands or millions of candidate passwords at one account (or at a stolen hash, offline) in the hope of hitting the right one. Password spraying works the other way around: a handful of common passwords is tried against many accounts, a few attempts each, to stay under lockout thresholds. Some attacks also run through collections of known default passwords in the hope that administrators never changed the factory settings.
  • Database Hacks: Some attackers bypass the login page altogether and go after the credential database, gaining thousands of passwords at a time. The way in may be poor password hygiene on an administrative account, but it may equally be SQL injection or an insider. Whether the haul is usable depends on how the passwords were stored: salted, slow hashes hold up for a long time, while plaintext or fast unsalted hashes fall immediately.
  • Phishing: One of the most prevalent attacks, phishing combines moderately convincing false messaging with the reality of a distracted user base to collect user passwords. The numbers favor the attacker: even one or two compromised accounts can return a great deal of system access.
  • Poor Password Practices: Poor password practices cut across all of these challenges. Users who pick weak passwords, reuse them, or fail to protect them can lose not only that account but also their accounts on every other platform where the same password was used.
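Brute force and password spraying look different in authentication logs, and the difference matters for detection: one account with many failures from one source, versus one source touching many accounts with one or two tries each. The following is an added example, not the article's own code, that classifies both patterns over a constructed, simplified log format; the line format, thresholds, and IP addresses are assumptions you would adapt to your own identity provider's logs.

```python
"""Spot brute-force and password-spraying patterns in authentication logs.

Added example (not from the original article). The log line format, the
thresholds and the IP addresses are constructed for illustration; adapt
LINE_RE and the thresholds to your own log source.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)
EPOCH = datetime(1970, 1, 1)

WINDOW = timedelta(minutes=10)   # fixed detection window (assumed)
BRUTE_FAILS = 10                 # many failures against ONE account from one source
SPRAY_USERS = 5                  # one source touching MANY accounts ...
SPRAY_MAX_PER_USER = 2           # ... with few tries each, to stay under lockout


def _line(ts, result, user, src):
    return f"{ts} {result} user={user} src={src}"


# Constructed sample log: a brute force against alice, a low-and-slow spray
# across six accounts from one source, and a user who simply mistyped twice.
SAMPLE_LOG = "\n".join(
    [_line(f"2024-05-01T10:00:{i:02d}", "FAIL", "alice", "203.0.113.5") for i in range(12)]
    + [_line(f"2024-05-01T10:05:{i:02d}", "FAIL", u, "198.51.100.7")
       for i, u in enumerate(["bob", "carol", "dan", "erin", "frank", "grace"])]
    + [_line("2024-05-01T10:07:00", "FAIL", "dave", "192.0.2.9"),
       _line("2024-05-01T10:07:05", "FAIL", "dave", "192.0.2.9"),
       _line("2024-05-01T10:07:20", "OK", "dave", "192.0.2.9")]
)


def parse(log_text):
    """Parse lines into (timestamp, result, user, src); lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    return events


def detect(events):
    """Return findings as (kind, src, detail), one per (source, window) bucket that trips a rule."""
    buckets = defaultdict(lambda: defaultdict(int))   # (src, window index) -> user -> failures
    for ts, result, user, src in events:
        if result != "FAIL":
            continue
        buckets[(src, (ts - EPOCH) // WINDOW)][user] += 1

    findings = []
    for (src, _), per_user in buckets.items():
        for user, n in per_user.items():
            if n >= BRUTE_FAILS:
                findings.append(("brute-force", src, f"{n} failures against {user}"))
        if len(per_user) >= SPRAY_USERS and max(per_user.values()) <= SPRAY_MAX_PER_USER:
            findings.append(("password-spray", src,
                             f"{len(per_user)} accounts, at most {SPRAY_MAX_PER_USER} tries each"))
    return findings


if __name__ == "__main__":
    for kind, src, detail in detect(parse(SAMPLE_LOG)):
        print(f"{kind:15s} {src:15s} {detail}")
```

Keying on the source address catches the simple case; a spray that rotates through a proxy pool per attempt will not trip the per-source rule, so a second rule that counts distinct accounts with a small number of failures across the whole tenant per window is worth adding alongside it.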

What Are Best Practices for Passwords?

When it comes to enterprise password management, it is up to the business to implement and enforce best practices around security. Companies cannot count on their employees to manage that level of security on their own. This is not a criticism of users; it is an acknowledgment that security is a systemic challenge, not just one for end users.

Some best practices that you can start at your organization include the following:

Enforce Complex Passwords

Whatever kind of account users work with, require a minimum password length and reject weak choices. A policy can ask for a mix of upper- and lowercase letters, digits, and special characters, but length matters more than composition: a long passphrase resists guessing far better than a short string that merely ticks the character-class boxes, which is why NIST SP 800-63B emphasizes length over composition rules. More advanced password systems also check each candidate against lists of common, default, and previously breached passwords and refuse anything on them, along with passwords that contain the username or are a simple keyboard sequence.
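As an added example (not the article's own code), here is a policy check of the kind described above: length bounds, a blocklist lookup with leetspeak and trailing-digit normalization so that "P@ssw0rd2024" is still caught, username containment, and sequence checks, with character-class rules as an optional extra. The minimum length and the small blocklist are assumptions; in production the blocklist would be a full breached-password corpus.

```python
"""Validate candidate passwords against a length-plus-blocklist policy.

Added example (not from the original article). MIN_LENGTH is an assumed
policy value and COMMON_PASSWORDS is a tiny constructed stand-in for a real
breached/common password corpus.
"""
import re
import unicodedata

MIN_LENGTH = 12     # assumed policy; NIST SP 800-63B requires at least 8
MAX_LENGTH = 128    # allow long passphrases, just bound the hash input

# Constructed stand-in for a breached/common password list (lower-cased).
COMMON_PASSWORDS = {
    "password", "password1", "123456", "qwerty", "welcome", "welcome1",
    "letmein", "admin", "changeme", "iloveyou", "summer2024", "p@ssw0rd",
}

# Map the usual substitutions back to letters so "P@ssw0rd" matches "password".
_LEET = str.maketrans("@$0134!", "asoieai")

SEQUENCES = ("abcdefghijklmnopqrstuvwxyz", "0123456789", "qwertyuiop", "asdfghjkl", "zxcvbnm")


def normalize(pw):
    """Lower-case, strip a trailing year/number, undo leetspeak: 'P@ssw0rd2024' -> 'password'."""
    pw = unicodedata.normalize("NFKC", pw).lower()
    pw = re.sub(r"\d+$", "", pw)
    return pw.translate(_LEET)


def _is_sequence(pw):
    s = pw.lower()
    return len(s) >= 4 and any(s in seq or s in seq[::-1] for seq in SEQUENCES)


def check_password(candidate, username="", require_classes=False):
    """Return a list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(candidate) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if candidate.lower() in COMMON_PASSWORDS or normalize(candidate) in COMMON_PASSWORDS:
        problems.append("matches a common/breached password")
    if len(username) >= 3 and username.lower() in candidate.lower():
        problems.append("contains the username")
    if len(set(candidate)) <= 2:            # 'aaaaaaaaaaaa', 'abababababab'
        problems.append("too few distinct characters")
    if _is_sequence(candidate):
        problems.append("is a keyboard/alphabet sequence")
    if require_classes:
        classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]")
        if sum(1 for p in classes if re.search(p, candidate)) < 3:
            problems.append("uses fewer than 3 character classes")
    return problems


if __name__ == "__main__":
    for pw in ("P@ssw0rd2024", "Tr0ub4dor", "tide-bracket-violet-91-lantern"):
        print(f"{pw!r}: {check_password(pw, username='alice') or 'ok'}")
```

Returning the full list of reasons rather than a boolean lets the sign-up page tell the user what to fix; the blocklist check runs before any character-class rule because a breached password with three character classes is still a breached password.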

Force Password Resets After Compromise

Changing passwords has two benefits. First, it stops an ongoing compromise: if an account has been breached and the user changes the password, the attacker loses access and has to start over (revoke the account's active sessions and tokens at the same time, since a password change alone does not always end them). Second, a forced change is an opportunity to break the habit of using one password across multiple platforms.

To make this approach effective, implement controls that prevent users from setting a password they have used before on that account.
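The storage and reset controls discussed under Database Hacks and in this section fit together in one small credential store, shown here as an added example that is not the article's code: passwords are stored only as salted PBKDF2 hashes (so a dump of the table yields nothing usable quickly), a reset after compromise invalidates the current hash, and a new password is compared against the recent history so the old one cannot come back. The iteration count follows OWASP's current PBKDF2-HMAC-SHA256 figure; the history depth is an assumed policy value.

```python
"""Salted slow-hash password storage with a no-reuse history check.

Added example (not from the original article). Uses PBKDF2-HMAC-SHA256 from
the standard library; HISTORY_DEPTH is an assumed policy value and the store
is in memory where a real system would use a database table.
"""
import hashlib
import hmac
import os

ITERATIONS = 600_000    # OWASP's 2023 recommendation for PBKDF2-HMAC-SHA256
HISTORY_DEPTH = 5       # previous hashes kept per account (assumed policy)
SALT_BYTES = 16


class CredentialStore:
    """Each row holds only a random salt, the current hash and a short list of old (salt, hash) pairs."""

    def __init__(self):
        self._rows = {}   # username -> {"salt": bytes, "hash": bytes | None, "history": [(salt, hash)]}

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

    def set_password(self, user, password):
        """Set or rotate a password; refuse the current password and any of the last HISTORY_DEPTH."""
        row = self._rows.get(user, {"salt": None, "hash": None, "history": []})
        previous = ([(row["salt"], row["hash"])] if row["hash"] else []) + row["history"]
        for old_salt, old_hash in previous:
            # Re-derive with the OLD salt: that is the only way to compare against an old hash.
            if hmac.compare_digest(self._derive(password, old_salt), old_hash):
                return False
        salt = os.urandom(SALT_BYTES)
        self._rows[user] = {"salt": salt, "hash": self._derive(password, salt),
                            "history": previous[:HISTORY_DEPTH]}
        return True

    def verify(self, user, password):
        row = self._rows.get(user)
        salt = row["salt"] if row else b"\x00" * SALT_BYTES
        digest = self._derive(password, salt)   # always pay the cost: no timing oracle on usernames
        if row is None or row["hash"] is None:
            return False
        return hmac.compare_digest(digest, row["hash"])

    def force_reset(self, user):
        """After a confirmed compromise: the old password stops working and stays blocked for reuse."""
        row = self._rows[user]
        if row["hash"] is not None:
            row["history"] = ([(row["salt"], row["hash"])] + row["history"])[:HISTORY_DEPTH]
            row["hash"] = None


if __name__ == "__main__":
    store = CredentialStore()
    store.set_password("alice", "tide-bracket-violet-91")
    print("login ok:", store.verify("alice", "tide-bracket-violet-91"))
    store.force_reset("alice")
    print("old password after reset:", store.verify("alice", "tide-bracket-violet-91"))
    print("reuse blocked:", not store.set_password("alice", "tide-bracket-violet-91"))
```

The history check has to re-run the slow hash once per stored entry with that entry's own salt, which is the cost of not keeping anything reversible; keep HISTORY_DEPTH small for that reason. Pair force_reset with session and token revocation in the application, which this store does not model.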

Deploy Anti-Phishing Measures

If tricked by a phishing attack, users may give away their passwords. Of course, once this happens, the attacker can wreak havoc within minutes. 

One way to blunt phishing is to warn users at the moment of reading. For example, when a message arrives from outside the organization but is dressed up to look internal (an executive's name as the display name, or a lookalike of the company domain), the mail gateway can automatically insert a warning at the top of the body, alerting the reader that the message did not come from a company address and encouraging them to ignore or report it.
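The banner rule described above, written out as an added example rather than the article's own code: it parses the inbound message with Python's standard email library, flags an external sender whose display name matches an internal person or whose domain is a homoglyph lookalike of the company domain, and prepends a warning to the plain-text body. The internal domain, the directory, and the two sample messages are constructed; the gateway hook that would call add_banner() on each inbound message is assumed and not shown.

```python
"""Tag mail that looks internal but came from outside, and prepend a warning.

Added example (not from the original article). INTERNAL_DOMAINS, DIRECTORY
and the sample messages are constructed; the gateway integration is assumed.
"""
import email
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.com"}                          # assumed company domain
DIRECTORY = {"pat chen": "pat.chen@example.com"}            # constructed: display name -> real address
BANNER = ("[EXTERNAL] This message came from outside the organization.\n"
          "Never share a password by email; verify urgent requests by phone.")

# Constructed sample: display-name impersonation plus a lookalike domain (1 for l).
SPOOF = """\
From: Pat Chen <pat.chen@examp1e.com>
To: alice@example.com
Subject: Urgent: password needed for mailbox migration
Content-Type: text/plain; charset="utf-8"

Alice, reply with your password so IT can finish the migration today.
"""

# Constructed sample: the same text from the genuine internal address.
GENUINE = SPOOF.replace("examp1e.com", "example.com")


def _canon(domain):
    """Fold common homoglyph tricks so examp1e.com and exarnple.com compare equal to example.com."""
    return (domain.lower().replace("rn", "m").replace("vv", "w")
            .translate(str.maketrans("01", "ol")))


def classify(raw):
    """Return (message, reasons); an empty reasons list means no banner is needed."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    if domain in INTERNAL_DOMAINS:
        return msg, []   # assumes the gateway already enforces SPF/DKIM/DMARC for our own domain
    reasons = ["external sender"]
    if _canon(domain) in {_canon(d) for d in INTERNAL_DOMAINS}:
        reasons.append(f"lookalike domain {domain}")
    real = DIRECTORY.get(name.strip().lower())
    if real and real != addr:
        reasons.append(f"display name impersonates {name} <{real}>")
    return msg, reasons


def add_banner(raw):
    """Return (message text with banner if warranted, reasons)."""
    msg, reasons = classify(raw)
    if reasons:
        body = msg.get_body(preferencelist=("plain",))
        if body is not None:
            body.set_content(BANNER + "\n\n" + body.get_content())
    return msg.as_string(), reasons


if __name__ == "__main__":
    text, why = add_banner(SPOOF)
    print(why)
    print(text)
```

The banner is only useful if the genuine-internal branch is trustworthy, so this rule presumes the gateway rejects mail that claims the company's own domain without passing SPF/DKIM/DMARC; without that, an attacker simply forges the internal domain and gets no banner at all.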

Use Multi-Factor Authentication

Multi-factor authentication is one of the most important pieces of authentication security available. Most major regulations and security frameworks, including NIST SP 800-63B, PCI DSS, and financial-industry rules, require some form of MFA.

Multi-factor authentication combines at least two of the following categories of authentication factors:

  • Knowledge: something the user knows, such as a password or PIN associated with the account (the username is an identifier, not a factor).
  • Ownership: something the user has, such as a phone, hardware token, or authenticator app that generates a one-time password every 30 seconds or so, or an email account or phone number to which a one-time code is delivered.
  • Inherence: something the user is, demonstrated by biometric information like a fingerprint, iris pattern, or facial scan.

These days, most platforms offer or require some form of MFA, usually a biometric check or a one-time code delivered to an email account or mobile device. One caveat: codes sent by SMS or email, and even app-generated time-based codes, can be relayed by a real-time phishing proxy within their validity window, so they prove possession but are not phishing-resistant. Phishing-resistant methods such as FIDO2/WebAuthn bind the login to the site's origin and do not have this weakness.

Go Passwordless

While it might seem counterintuitive (we are so used to having passwords), a passwordless system removes most password-specific risks. Biometric or FIDO2-based passwordless authentication relieves users of managing complex credentials and takes away the very thing phishing is after. If there is no password to give away, and the authenticator only answers a challenge from the genuine site, a phishing page has nothing to collect.

Use Privileged Access Management

It was once common to make users change passwords on a schedule, but NIST SP 800-63B now recommends against that, calling for a change when there is evidence of compromise rather than at fixed intervals. Privileged accounts deserve more than the baseline: put them behind a privileged access management (PAM) tool so that administrative credentials are vaulted, checked out per session, and rotated automatically rather than by hand; prefer passwordless or phishing-resistant MFA for the administrators themselves; and apply heightened monitoring to every use of these credentials.

Get Rid of Your Passwords with 1Kosmos

Strong password security starts with advanced technology and best practices around authentication and cyber defense. With advanced biometrics, passwordless authentication, and multi-factor authentication, you can protect password information, avoid social engineering attacks, and secure privileged accounts. 

1Kosmos BlockID provides the tools and features necessary to protect systems against password attacks:

  • Private and Permissioned Blockchain: 1Kosmos protects personally identifiable information in a private and permissioned blockchain and encrypts digital identities in secure enclaves only accessible through advanced biometric verification. Our ledger is immutable, secure, and private, so there is no central password database to breach and no single high-value target for attackers. 
  • Identity Proofing: BlockID includes Identity Assurance Level 2 (NIST 800-63A IAL2), detects fraudulent or duplicate identities, and establishes or reestablishes credential verification.
  • Streamlined User Experience: The distributed ledger makes it easier for users to onboard digital IDs. It’s as simple as installing the app, providing biometric information and any required identity proofing documents, and entering any information required under ID creation. The blockchain allows users more control over their digital identity while making authentication much easier. 
  • Identity-Based Authentication: We push biometrics and authentication into a new “who you are” paradigm. BlockID uses biometrics to identify individuals, not devices, through identity credential triangulation and validation.
  • Interoperability: BlockID and its distributed ledger readily integrate through a standards-based API with operating systems, applications, and MFA infrastructure at AAL2. BlockID is also FIDO2 certified, protecting against attacks that attempt to circumvent multi-factor authentication. 
  • Cloud-Native Architecture: Flexible and scalable cloud architecture makes it simple to build applications using our standard API, including private blockchains.

To learn more about enterprise password security, watch our webinar on Digital Identity, Passwordless Authentication and the Path to Frictionless Zero Trust Architecture. Also, make sure to sign up for the 1Kosmos newsletter. 

Meet the Author

Javed Shah

Former Senior Vice President Of Product Management

Javed has spent his entire twenty-year career designing and building blockchain and identity management solutions. He has led large customer-facing pre-sales teams and led product management for identity management platforms such as the ForgeRock Identity Platform and the ForgeRock Identity Cloud. Javed has an MBA from UC Berkeley.