Best Practices for Password Hygiene and Multi-Factor Authentication

By

Justin Quintero-Franco and Alexa Senott, Intern Analysts for Access Point Consulting

By

Access Point Consulting

Implementing strong passwords is essential to protect your online accounts from unauthorized access. Here's why:

Account Security

Strong passwords are essential for account protection because they act as a barrier to hackers, disallowing them from easily guessing or cracking weaker passwords. Weak passwords are susceptible to brute-force and dictionary password attacks. Implementing a strong password reduces the risk of unauthorized access.

Data Privacy

Online accounts contain sensitive information including personal and financial information. This information of great interest to hackers. It is essential to have a strong password because it keeps this information secure and private.

Identity Theft Prevention

Compromised accounts can be used by malicious actors to steal a person’s identity, creating many problems including the misuse of personal information and financial loss. Implementing a strong password minimizes this risk.

Best Methods to Create a Strong Password

Implement a Good Length and Combination of Characters

Passwords should contain at least 12 characters and include a combination of uppercase and lowercase letters, words, numbers, and symbols (!, $, #, etc.).

Avoid Using Personal Details

Passwords should be unique and not contain personal details that can be easily found, including pet names, names of family members, phone numbers, or birth dates.

Avoid Dictionary Words

It is best to avoid using common dictionary words. Many password-cracking tools available for free online can come up with a list of passwords based on dictionary words. If you must use dictionary words, add numbers and special characters to them.

Avoid Guessable Words

Avoid using easily guessable passwords such as “password” or “user.” This includes not using adjacent keyboard combinations such as “qwerty” or “12345.”

Other Solutions for Implementing Good Password Practices

Use a Password Manager

In the corporate context, maintaining a comprehensive record of employees’ password history and logs is important. Written record-keeping is insufficient; robust management and protection mechanisms are equally critical. Organizations should implement a secure system capable of storing passwords while employing strong encryption techniques. Password managers allow passwords to be shielded from unauthorized access, assess their strength; monitor to ensure that they are updated regularly. Password managers to consider include Google Password Manager, NordPass, Dashlan, and LastPass.

Avoid Reusing Passwords

Implementing a robust password management strategy is crucial for safeguarding sensitive information. To mitigate security risks, refrain from reusing passwords across various applications and accounts. Doing so minimizes the potential exposure in case of a breach across different platforms. Additionally, when recycling an existing password, refrain from using it until after three complete password change cycles.

Password Sharing

Passwords should remain confidential and exclusively within an individual’s control. Disclosing passwords to others introduces an additional avenue for threat actors to compromise devices, thereby heightening vulnerability to attacks. Furthermore, using someone's passwords across systems poses significant risks. Not only does it grant an attacker access to multiple systems, but it also violates company policies and undermines the overall strength of password security.

Multi-Factor Authentication

Multi-Factor Authentication (MFA) is a critical security control in both corporate and personal environments. By introducing an additional layer of protection beyond passwords, MFA significantly reduces the likelihood of unauthorized access by threat actors. Even if an attacker gains access to a password, MFA acts as a stopgap. It requires the approval or entry of a secondary authentication factor (such as a time-based code, biometric data, or a hardware token) before granting system access. This layered approach enhances overall security posture and mitigates the impact of compromised passwords.

Password Policy

In a corporate context, establishing a comprehensive password policy is essential. This involves defining what constitutes a strong password, implementing password change cycles, prohibiting password sharing, and outlining consequences for weak passwords. By adhering to such policies, organizations enhance security posture and protect sensitive data.

Password Storing

Passwords should not be stored where they can be accessed by others. Password managers are a useful tool for storing passwords. If you prefer to physically write down passwords, keep them locked in a secure location.

What to Do if Someone Obtains Your Password?

Change Your Password

If you suspect that your password has been stolen, it is important to immediately change your password. If you use the same password across multiple accounts, it is highly recommended to change those as well. Implement a new robust password that is different from your previous password.

Sign Out from All Devices

Force a logout of your account from all devices to prevent further unauthorized access.

Enable Multi-Factor Authentication

Implementing multi-factor authentication methods will add an extra layer of security to your account on top of having a password. There are many forms of additional authentication including PINs, security questions, and biometrics.

What is Multi-Factor Authentication?

Multi-Factor Authentication (MFA) authenticates users using multiple verification factors. By combining two or more factors, multi-factor authentication makes it much more difficult for a malicious actor to obtain account or system access.

Multi-Factor Authentication Examples

Multi-Factor Authentication methodology combines these three elements:

Knowledge

Knowledge is based on something you know. It involves anything you can easily remember and recall. Some examples include passwords, PINs, code words, combinations, and security questions.

Possession

Possession focuses on something you have such as keys, badges, smart phone, USB drives, token devices, etc. Some examples include badges, security keys, smart phones, USB drives, software tokens and certificates.

Inherence

Inherence is a state or quality of being inherent, or a fixed characteristic such as your fingerprint or face. Biometric technologies use inherence to verify identity.

Multi-Factor Authentication Methods

Email Codes

When attempting to log into an account, a unique code is sent to the registered email address. The code is then entered on the login page to verify the user’s identity.

One-Time Passwords (OTPs)

One-Time Passwords are delivered through text message or phone call. When a user attempts to log into an account, an OTP will be sent to the phone number associated with the account. The OTP is then entered on the login page to verify the user’s identity.

Biometrics

Biometrics are the unique physical or behavioral characteristics of a user with which only they can be identified. Biometric verification methods include voice recognition, facial recognition, retina scans, iris scans, and behavioral analysis.

Security Questions

Security questions ask for information only the user knows such as the name of their first pet, hometown, or first employer. Security questions are a relatively weak form of validation and are best used in conjunction with a password.

Authenticator Apps

Authenticator apps are a newer, increasingly popular multi-factor authentication method that do not rely on a phone number or email address. These apps generate OTPs which can be entered on the login page to verify the user’s identity.

Magic Links

Magic links are sent to the user’s email address after the initial login attempt. This link is unique and can only be used for a short amount of time before it expires. The link can directly authenticate the user after it is clicked on.

Social Login

This MFA method allows users to authenticate using existing social media accounts such as LinkedIn and Facebook. Using this method requires additional security checks through OTPs and email confirmations.

Smartcards and Cryptographic Hardware Tokens

Smartcards and cryptographic hardware tokens provide an additional layer of security that only allows users who have them in their possession access to a secure system. Smartcards are credit-card sized devices with an embedded chip that stores and processes data. Cryptographic hardware tokens are small devices that generate unique codes at set intervals, which is used to gain access to a system.

Other Types of Multi-Factor Authentication

Location-Based

Location-based MFA looks at the user’s IP address and geographic location, if applicable. If the information does not match with what is specified on a whitelist, the user’s access is blocked. Additional verification is required when an authenticated user needs to specify a location or IP change. Location-based authentication may also used as a supplemental form of authentication.

Risk-Based

Risk-based MFA analyzes additional factors by considering the context and behavior during the authentication process and calculating a risk level. To determine whether additional authentication is required or to block access completely, the user must answer questions like these

  • From what location is the user trying to access information?
  • When is the user trying to access information?
  • What kind of device is being used?
  • Is the connection through a private or public network?

How to Set Up Multi-Factor Authentication

Websites and services often prompt users to provide a phone number, additional email addresses, and/or a backup code. These are paired with a password to provide an additional layer of security.

Summary

By following best practices for creating strong passwords and using tools like password managers and multi-factor authentication, you can significantly enhance your account security, data privacy, and identity theft prevention. Stay vigilant in managing your passwords to stay safe online.

References

Everything you need to know about multi-factor authentication. (n.d.-a).

Microsoft. Microsoft Support. (n.d.).

Password do’s and don’ts. Krebs on Security. (n.d.).

Solomon, S. (2024, May 1). 8 multi factor authentication types and how to choose. Frontegg.

The first thing you should do if your password is stolen. Bustle. (2017, July 11).

The three types of multi-factor authentication(mfa). Global Knowledge. (n.d.).

What is multi-factor authentication (MFA)?. OneLogin. (n.d.).

Resources

Trending Articles & Security Reports

Resources

CyberWatch

November 22, 2024

Patch Updates, New Malware Threats, and the Ongoing Supply Chain Battle

On this episode of the CyberWatch podcast, there are updates to software across the application and OS spectrum. New malicious campaigns are threatening victims of all sizes, and researchers have performed dissections on malware to give defenders new clues about just what it is they're fighting. All this today, in CyberWatch.

Find out more
October 25, 2024

Ransomware, Supply Chain Attacks, and Nation-State Threats

CyberWatch, by Access Point Consulting, is your weekly source for emerging cybersecurity news, regulatory updates, and threat intelligence. Backed by experts in security consulting, regulatory compliance, and security operations, Access Point enables you to manage cyber risks, respond to incidents, and drive innovation in your company. Read here or on our website; listen on Spotify or Apple Podcasts; or watch on YouTube.website; listen on Spotify or Apple Podcasts; or watch on YouTube. .

Find out more
October 7, 2024

VINs and Losses: How Hackers Take Kias for a Ride

In the age of smart cars and connected devices, convenience often comes with hidden risks. A recently discovered critical vulnerability in Kia vehicles serves as a stark reminder of how our increasingly digital world is making cars new targets for cyberattacks. This vulnerability allowed hackers to remotely control various vehicle functions—using nothing more than a car's license plate number. It highlights the growing threat of cyberattacks on connected cars and the importance of cybersecurity in the automotive industry.

Find out more