Tips

Best practices for protecting/maintaining passwords

  • Multifactor Authentication: MFA is one of the most effective techniques to provide additional security to a password-protected account. MFA-enabled accounts require a second factor, which is something that only you have access to. Even if an attacker discovers a password, they will not be able to access the associated account without also compromising the other factor, which could be a code delivered to you through text message or generated by an app.

  • Use Single Sign On Systems: Single sign-on (SSO) allows employees to access different applications and services with just one set of credentials. As a result, a user can log in to their work computer and gain access to whatever they require without having to enter additional passwords. SSO can take the form of a web-based portal that allows a user to log in to all of their cloud services. This greatly reduces the demand on a user to establish and remember strong passwords. However, if an attacker gains access to a user's account or password, they have significantly more at their disposal than they would in a traditional system. So it is recommended that SSO be set up to require MFA.

  • Implement Account Lockout Policy: If a user enters an incorrect password a certain number of times within a certain amount of time, an account lockout policy disables the user's account. This policy helps prevent attackers from guessing users' passwords, lowering the likelihood of successful network attacks. When the policy is set, each unsuccessful domain logon attempt is recorded on the domain controller. Once the threshold is met, the domain controller locks the account and stops it from signing on. The user can connect to their account again once the password is reset by an administrator or after the Active Directory (AD) account lockout duration has elapsed.

  • Monitor Unsuccessful Logon Attempts: Strange login attempts should be monitored and users should be notified. Employees who are informed of unsuccessful login attempts can alert the organization if any of the attempts were not their own, which helps the IT administrators investigate a possible password compromise.
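The two points above (lockout after a threshold of failures within a window, and notifying users and administrators about failed attempts) can be demonstrated together. The following is an added example, not code from the page or from any product: it replays a constructed authentication log through a lockout tracker with the three parameters an AD-style policy has (threshold, observation window, lockout duration), rejects logons while an account is locked even when they would otherwise succeed, and collects the alerts that would be sent to the user or IT administrator. The log format and the `LockoutPolicy` defaults are assumptions for the example.

```python
from collections import deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Deque, Dict, List, Optional, Tuple

# Constructed sample authentication log (not from any real system): one account receives
# a burst of failures and later signs in legitimately; another user mistypes once.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z LOGON_FAILED user=alice src=10.0.0.5
2024-05-01T09:00:03Z LOGON_FAILED user=alice src=10.0.0.5
2024-05-01T09:00:04Z LOGON_FAILED user=alice src=10.0.0.5
2024-05-01T09:00:05Z LOGON_FAILED user=alice src=10.0.0.5
2024-05-01T09:00:06Z LOGON_FAILED user=alice src=10.0.0.5
2024-05-01T09:00:07Z LOGON_OK user=alice src=10.0.0.5
2024-05-01T09:00:10Z LOGON_FAILED user=bob src=10.0.0.9
2024-05-01T09:31:00Z LOGON_OK user=alice src=10.0.0.5
"""


@dataclass
class LockoutPolicy:
    threshold: int = 5                            # failures before the account locks
    window: timedelta = timedelta(minutes=10)     # observation window for counting failures
    duration: timedelta = timedelta(minutes=30)   # how long the lock lasts


@dataclass
class AccountState:
    failures: Deque[datetime] = field(default_factory=deque)
    locked_until: Optional[datetime] = None


class LockoutTracker:
    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}
        self.alerts: List[str] = []               # what the user / IT admin would be told

    def process(self, line: str) -> str:
        ts_text, event, *pairs = line.split()
        ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        fields = dict(pair.split("=", 1) for pair in pairs)
        user = fields["user"]
        state = self.accounts.setdefault(user, AccountState())

        # While locked, every attempt is refused, even one with the right password.
        # An expired lock is cleared together with the failure counter.
        if state.locked_until is not None:
            if ts < state.locked_until:
                return "REJECTED_LOCKED"
            state.locked_until = None
            state.failures.clear()

        # Forget failures that fall outside the observation window.
        while state.failures and ts - state.failures[0] > self.policy.window:
            state.failures.popleft()

        if event == "LOGON_OK":
            state.failures.clear()
            return "OK"

        state.failures.append(ts)
        self.alerts.append(f"{user}: failed logon from {fields['src']} at {ts_text}")
        if len(state.failures) >= self.policy.threshold:
            state.locked_until = ts + self.policy.duration
            self.alerts.append(
                f"{user}: locked until {state.locked_until.isoformat()} "
                f"after {len(state.failures)} failures within {self.policy.window}"
            )
            return "LOCKED"
        return "FAILED"


def replay(log_text: str, policy: Optional[LockoutPolicy] = None) -> Tuple[List[str], List[str]]:
    """Run every log line through the tracker; return per-line outcomes and the alerts raised."""
    tracker = LockoutTracker(policy or LockoutPolicy())
    outcomes = [tracker.process(line) for line in log_text.splitlines() if line.strip()]
    return outcomes, tracker.alerts


if __name__ == "__main__":
    outcomes, alerts = replay(SAMPLE_LOG)
    for line, outcome in zip(SAMPLE_LOG.splitlines(), outcomes):
        print(f"{outcome:16} {line}")
    print("\n".join(alerts))
```

The outcome for the sixth line shows the policy's trade-off: a correct logon is refused while the lock is active, which is exactly what stops a password-guessing run but also means an attacker who fails deliberately can lock a user out; a lockout duration rather than a permanent lock, plus the alerts to the user, keeps that denial-of-service bounded and visible.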

  • Encrypt Plain Text Passwords: Employees frequently keep their work-related passwords in plain text in a document or email. With a few common searches, you can easily locate these files. The text must be encrypted if an employee uses this method.

  • Privileged Access Management (PAM): Privileged Access Management (PAM) refers to systems that securely manage the accounts of users with elevated permissions to vital company resources. These users can include human administrators, devices, applications, and other account types. Privileged user accounts are a high-value target for cyber criminals because their elevated system permissions allow them to view highly sensitive information and/or make administrative-level changes to mission-critical programs and systems.

  • Sharing: Employees frequently feel at ease exchanging passwords with coworkers or superiors. This is a risky practice. First, you lose accountability; because people have shared accounts, it is difficult to monitor who did what. Furthermore, if a password is disclosed, it may be disseminated more widely than originally intended.

  • Password Manager: You can use an electronic password manager, which is freely available on the Internet, as a safe alternative to writing down passwords. Read the terms of service, look at user reviews, and make sure the software is trustworthy before using it.

  • Owned: If your user account has been "owned", your password could have been revealed in a third-party breach. It is always a good idea to check your account for any breaches, as mentioned in the tools above, and change the passwords linked to the account as soon as possible. Sometimes the email account is linked to the enterprise network, so if the enterprise email is compromised, there is a possibility that the threat actors can use the same email ID to access sensitive applications inside the office network. Checking promptly and rotating the affected passwords helps protect you against breaches or leaks.

  • Complexity: Password complexity is one of the first things that everyone should think about. It is best to use passwords that are at least 12 characters long, containing at least one capital letter, one number, and one symbol, and to change them every 30 days.
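The "Owned" and "Complexity" points above both come down to checks that can be run before a password is accepted. The block below is an added example, not code from the page: it encodes the policy stated above (12 characters, a capital, a number, a symbol, changed within 30 days) and adds a breach lookup done the privacy-preserving way, where only the first five hex characters of the password's SHA-1 hash are sent to the lookup service and the full hash never leaves the client (this is the "range" scheme breach-check services commonly use). The breach corpus here is constructed in-line so the example runs offline; the plaintexts appear only so the example can build its own hash table, a real service holds hashes only.

```python
import hashlib
import string
from typing import Dict, List

MIN_LENGTH = 12
MAX_AGE_DAYS = 30


def policy_violations(password: str, age_days: int) -> List[str]:
    """Return every rule of the page's policy the password fails (empty list means compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no capital letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    if age_days > MAX_AGE_DAYS:
        problems.append(f"not changed in the last {MAX_AGE_DAYS} days")
    return problems


# Constructed stand-in for a breach corpus (password -> times seen). Not real breach data.
CONSTRUCTED_BREACHED = {"Password123!": 9342, "Summer2023!!": 611, "Welcome1234!": 1287}


def _sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_table(breached: Dict[str, int]) -> Dict[str, List[str]]:
    """Service side: group hash suffixes by their 5-hex-character prefix as 'SUFFIX:COUNT' lines."""
    table: Dict[str, List[str]] = {}
    for pw, count in breached.items():
        digest = _sha1_hex(pw)
        table.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return table


RANGE_TABLE = build_range_table(CONSTRUCTED_BREACHED)


def breached_count(password: str, range_table: Dict[str, List[str]] = RANGE_TABLE) -> int:
    """Client side: look up the 5-character prefix, then match the suffix locally."""
    digest = _sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    # In a real deployment this lookup is the single HTTP request; it reveals only `prefix`.
    for line in range_table.get(prefix, []):
        candidate, count = line.split(":")
        if candidate == suffix:
            return int(count)
    return 0


def acceptable(password: str, age_days: int) -> List[str]:
    """Combine both checks; an empty list means the password may be used."""
    problems = policy_violations(password, age_days)
    seen = breached_count(password)
    if seen:
        problems.append(f"seen {seen} times in breach data")
    return problems


if __name__ == "__main__":
    for pw in ("Password123!", "Correct-Horse-7-Battery", "abc"):
        print(pw, "->", acceptable(pw, age_days=1) or "ok")
```

The first sample meets every complexity rule yet is rejected because it appears in the breach corpus, which is the point of pairing the two checks: complexity rules alone say nothing about whether a password is already known to attackers.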