Password security is a must for everyone — businesses, organizations, and private individuals alike. Yes, I know — I can already hear the “duh” resounding in your head. But the reason we’re taking the time to write an entire article that’s dedicated to password security is because:
- Not enough people take password security seriously. You probably can think of a few people who match this description off the top of your head.
- Many people don’t know what constitutes a strong password. There are a lot of different guidelines regarding what’s a good password versus a bad password. We’re going to clarify that for you.
- There is more to effective password security than just creating strong passwords. Yes, it’s true. Using strong passwords is only one part of the equation. But there are several other important considerations and things you need to do to increase your organization’s password security effectiveness.
So, what is password security? What do strong and weak passwords look like? What are the risks associated with not having strong password security for your organization? And what other considerations are there for password security aside from creating strong passwords?
We’ll answer these questions and also go over some quick password security tips as well at the end (for those of you who don’t want to read the entire article).
Let’s hash it out.
What Is Password Security?
Password security is the combination of policies, processes, and technologies that make passwords and authentication methods more secure. It’s all about knowing how to protect passwords. A password itself is a type of memorized secret authenticator. Basically, it’s something that only you should know that allows you to authenticate yourself to third parties. Other examples of authenticators include cryptographic devices, one-time passwords or PINs, and key access cards.
But what constitutes strong password security? For a password to be considered secure, it means that it must:
- Prevent unauthorized users from gaining access to protected systems, information, and data.
- Have sufficient complexity so that it’s impractical for someone else to guess or crack.
- Be memorable enough for you not to forget (after all, what good is a password if you have to reset it continuously?) or use a password manager (which, of course, has its own risks).
- Be something that you keep secret and don’t share with anyone else.
- Must be stored securely and in a way that prevents compromise.
Although passwords weren’t introduced until the 1960s, passwords have become central to account security and overall cybersecurity for organizations and users alike. But password security accounts for more than just the password itself. It also must speak to the policies, procedures, technologies, and training that protect those passwords and the access they provide. For example:
- Creating and implementing a computer use policy and/or a BYOD policy that indicates what accounts may be accessed on which devices, requires the use of a VPN when working remotely or connecting to public Wi-Fi, etc.
- Creating and enforcing a password policy that addresses specific password creation, storage, and maintenance requirements.
- Providing training and guidance to employees to help them understand the importance of creating a secure password and following password management best practices.
Why Is Password Security Important?
Human error is a big issue, and as long as companies employ humans, that issue isn’t going away any time soon. Users are human, and humans make mistakes. (No matter what your mom told you growing up, no one is perfect.) And data from an IDC report underscores that concern.
Data from an IDC report shows that nearly two-thirds (62%) of their IT- and non-IT 2019 survey respondents indicate that user errors are the leading cyber threat to their businesses. And those employees who posed the greatest level of concern were your everyday, run-of-the-mill users — not the executives or those with any unique or special access privileges.
If users can’t remember their passwords, this results in them having to reset their passwords. The estimated costs that are associated with resetting passwords are significant at scale. Forrester Research shared years ago that the costs associated with an individual password reset come to about $70. Now, multiply that by the number of requested password resets your IT team receives per year.
Sure, you can potentially reduce costs by automating the password reset process. But you’ll still run into the issues of users creating simple passwords and sharing passwords.
What are some other key considerations when it comes to the importance of password security?
Regulatory Compliance Concerns
Compliance is an area that should be on the radar of all applicable organizations. There are multiple regulations and regulatory bodies requiring organizations to meet specific standards for identity authentication and data protection. There are also other organizations that set standards and provide guidance that companies and other organizations can follow. These include:
- The National Institute of Standards and Technologies (NIST) — a set of standards/guidelines that don’t require compliance.
- Payment Card Industry Data Security Standards (PCI DSS) — regulations that require compliance.
- General Data Protection Regulation (GDPR) — legislation that requires compliance.
Non-compliance issues can have lots of effects on a business or organization, ranging from operational impacts to financial ones. Let’s quickly go over some of these considerations.
NIST
Okay, although NIST’s guidelines are requirements for U.S. federal government-affiliated agencies and entities, they provide great recommendations and standards for other organizations to follow as well when it comes to securely storing password-related data. (No compliance required for non-fed agencies.)
Let’s consider the identity guidelines NIST published in their special publication SP 800-63B Digital Identity Guidelines. In section 5.1.1.2, which is on the topic of protecting and storing memorized secret verifiers (i.e., passwords), they recommend allowing users to paste passwords. The practice of password pasting was perceived to be a bad thing but many in the cybersecurity community viewed it as a good thing because it encouraged users to use longer passwords that are harder to remember. (Whereas if you disable password pasting, people are more likely to use shorter passwords that are easier to type.)
In that same section, NIST also shares the following guidance regarding how passwords are stored:
“Verifiers SHALL store memorized secrets in a form that is resistant to offline attacks. Memorized secrets SHALL be salted and hashed using a suitable one-way key derivation function. Key derivation functions take a password, a salt, and a cost factor as inputs then generate a password hash. Their purpose is to make each password guessing trial by an attacker who has obtained a password hash file expensive and therefore the cost of a guessing attack high or prohibitive.”
A hash is a one-way cryptographic function that’s essentially irreversible. By adding a unique salt to a password prior to hashing it, what you accomplish is creating a completely unique hash value for every password — even if users are using the same password.
Let’s say you have two users using the same password SpockR0ck$KirksSocks. (Note: don’t actually use this as your password. I’m just giving you an example here!) If you were to hash that password for user one, then you’d wind up with an identical hash digest (hash value) for user two. The way to ensure that doesn’t happen is to add a salt, which is a random and unique value. For example, a salt could be something like uSEt3hF0rceHaRRy.
Let’s take a look at how the process works for adding a salt to your password prior to hashing it in the following infographic:
So, the key takeaway here is that salting a password prior to hashing it makes cracking the password hash too costly (i.e., impractical) for cybercriminals to achieve at scale. So, this means that hash tables and rainbow table attacks don’t work on salted passwords.
Cool, good to know. And we’ll speak more to hashing and salting a little later in this article. But for now, let’s continue on with our list of compliance-related considerations.
PCI DSS
Let’s consider the Payment Card Industry Data Security Standard, or what’s known as PCI DSS. This regulation is outlined by the PCI Security Standards Council, the founding members of which include the five major credit card companies (VISA, Mastercard, American Express, Discover, and JCB International). If your organization accepts online credit card payments or handles payment card-related data, then heads up — this is for you.
PCI DSS has a total of 12 requirements that organizations and businesses that handle this type of data must adhere to. And PCI DSS compliance applies to any businesses globally that handle this type of data — it’s not just applicable to U.S. companies.
If your organization is non-compliant with any of the PCI data security requirements, then you could face significant fees. However, those fees won’t come from the council itself — instead, they’ll be imposed by the card companies themselves. And we’re not talking chump change here, either. PCI non-compliance can result in fines ranging from $5,000 to all the way up to $100,000 per month — and each individual credit card company could impose those penalties. So, the overall total may actually be higher!
A $5,000 penalty for a large corporation might seem like very little, but it could make or break small businesses. However, the specific amount of a penalty depends on a few key factors, including your organization’s size and the severity of your non-compliance. So, a large corporation would face much larger penalties than mom-and-pop businesses that are non-compliant.
Wondering why we’re talking about payment card-related data in an article on password security? Here’s why. PCI DSS requirement 8 focuses on identity and authentication. As you can imagine, this section speaks to password security.
The most recent version of the data security standard (version 3.2.1) says that the effectiveness of passwords boils down to an authentication system’s design and implementation. In particular, “how frequently password attempts can be made by an attacker, and the security methods to protect user passwords at the point of entry, during transmission, and while in storage.”
The Payment Card Industry Data Security Standard (PCI DSS) 8.2.1. says the following:
“Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components.”
This speaks to the importance of using cryptographic processes to secure data and following password storage best practices. Of course, we’ll speak more to that a bit later.
GDPR
Alright, let’s jump across the pond for a few moments and take a look at the European Union’s General Data Protection Regulation.
Passwords aren’t specifically mentioned in the GDPR. But something that is mentioned for data processors in GDPR article 28 is that they need to demonstrate “appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.” Likewise, article 25 specifies that the controller (the person who decides what data is processed and how) must also implement such…