Sometimes it can feel like all of the various systems, tools and apps are just one step away from asking you to submit a blood sample each time you log in. We get it; passwords can be a pain. You know they’re needed, but the requirements that go into maintaining a healthy password strategy aren’t always fun to deal with. That said, anyone who’s experienced a data breach of any kind will tell you that the extra work is worth it. But it's a fine line, right? You want security, but you also want a positive user experience.
So what’s the right balance? Which measures are worth embracing with open and enthusiastic arms? Today, we’ll discuss what experts say are the top must-haves for password security.
Longer passwords
The National Institute of Standards and Technology (NIST), the FBI and many other government and cybersecurity experts agree that length, even more so than complexity, is a critical driver of password security. Making passwords more complex with letter, number, special character and case requirements is still valuable in fending off attacks, but you also need longer passwords.
But how long is long enough? Password length requirements vary greatly across organizations, platforms and business sectors. However, we’re finding that more platforms (particularly those containing highly sensitive information) are quickly moving toward 15-character minimums. Why 15? Well, according to a respected study from cybersecurity company Hive Systems, a complex, 15-character password is “virtually impenetrable.”
In their study, Hive Systems analyzed the amount of time it takes a hacker to crack passwords of various lengths and complexity using brute force, a popular hacking method involving trial and error. The data shows that even without additional security safeguards like device detection, account locking and multifactor authentication in place, a 15-character password containing numbers, upper and lowercase letters, and symbols would take a modest 1 billion years to crack! So while it may feel like extra work to add length to your already complex passwords, it is absolutely worth it. There might even be a few “shortcuts” you can take. For example, our human capital management (HCM) system includes spaces in its overall character count, which makes it that much easier to add additional length to your passwords.
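The point above (length beats complexity, and spaces count toward length) can be checked with a little arithmetic. The following is an added example, not code from the article or from Hive Systems: it estimates the brute-force search space from the character classes a password uses, compares a short complex password with a long simple one, and enforces a 15-character minimum that counts spaces. The guess rate and the "at least three character classes" rule are assumptions for illustration.

```python
import math
import string

# Character classes used to size the alphabet an exhaustive search must cover.
# All four classes plus space give 95 printable ASCII characters.
CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation),      # 32
    "space": {" "},                         # 1 (spaces count toward length)
}


def alphabet_size(password: str) -> int:
    """Size of the smallest class-based alphabet containing every character."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def search_space_bits(password: str) -> float:
    """log2 of the number of candidates a brute-force search must try."""
    size = alphabet_size(password)
    return len(password) * math.log2(size) if size else 0.0


def years_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst-case years to enumerate the whole space at an assumed guess rate."""
    seconds = 2 ** search_space_bits(password) / guesses_per_second
    return seconds / (365 * 24 * 3600)


def meets_policy(password: str, min_length: int = 15, min_classes: int = 3) -> bool:
    """Assumed policy: at least min_length characters (spaces included) drawn
    from at least min_classes of lower/upper/digit/symbol."""
    if len(password) < min_length:
        return False
    present = sum(1 for name, chars in CLASSES.items()
                  if name != "space" and any(c in chars for c in password))
    return present >= min_classes
```

A 28-character lowercase passphrase with spaces has a larger search space than an 11-character password using all four classes, which is why a length minimum is worth more than a complexity rule alone.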
Multifactor authentication
Multifactor authentication is an electronic security method that requires a user to provide two or more forms of identity verification before they’re able to log in to a system. According to Hive Systems, multifactor authentication is “the best way to protect your most sensitive accounts.” Even Microsoft echoes this sentiment in public claims that multifactor authentication can block over 99.9% of account compromise attacks.
Thankfully, when it comes to multifactor authentication, there is a range of verification options available, including methods that allow users to obtain a unique verification code via an authenticator app, text, email or phone (voice) call. Of these options, authenticator apps, such as Google Authenticator or Microsoft Authenticator, are usually preferred, as they are very secure and convenient to use. That said, multifactor authentication of any kind is significantly more secure than relying on a password on its own. So, while verifying your identity with a unique code might feel like an extra step, it’s worth its weight in (security) gold.
Occasional password resets
Resetting your passwords from time to time is a good practice. The problem is that most people aren’t doing this on their own; they need someone (or something) to make them do it. That’s why most systems will force users to occasionally reset their passwords. But even that is a delicate balance for system providers to figure out. Requiring users to reset their passwords every so often can be beneficial. But do it too often and users may end up creating new, but weaker and more predictable passwords. So what’s the right frequency for password resets?
There is no magic number. That said, our technology partner UKG has consulted with leading cybersecurity firms on the subject, and they’ve determined that a password reset every 6 months is a safe yet manageable strategy. Just make sure that when you do update your passwords, you follow best practices and choose a new password that’s complex, long and different from every other password you use. And of course, if your password security has been compromised in any way, update the affected passwords immediately.
Password lockouts
Getting locked out of a system for entering an incorrect password can be frustrating to users. However, according to NIST and other security experts, account locking is an important safety measure for technology providers to implement. By locking an account after a designated number of failed login attempts, platforms can better deter hackers (or hacker bots) from entering password combination after password combination until they guess the magic combo. But again, it’s a balance.
An important part of balancing user experience with the necessary level of security is a reasonable yet safe lockout strategy. These strategies vary from platform to platform, but typically the more aggressive the lockout strategy, the more sensitive the data. Our advice would be to trust the lockout strategy a system provider recommends or has in place, as they likely have experience with what’s most effective.
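To make the balance concrete, here is an added example (not code from the article or any vendor's product) of a lockout policy that counts failed attempts only within a sliding window and locks the account for a limited time. The thresholds are illustrative assumptions; the window and the time-limited lock are what keep a policy from becoming so aggressive that a few stray failures lock a legitimate user out for good.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class LockoutPolicy:
    max_failures: int = 5        # failed attempts tolerated inside the window
    window_seconds: int = 900    # failures older than this no longer count
    lockout_seconds: int = 1800  # how long the account stays locked


@dataclass
class AccountState:
    failures: List[float] = field(default_factory=list)  # recent failure times
    locked_until: float = 0.0                            # 0 means not locked


class LockoutTracker:
    """Tracks failed logins per user and applies the policy above."""

    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.accounts = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: float) -> bool:
        return self._state(user).locked_until > now

    def record_failure(self, user: str, now: float) -> bool:
        """Register a failed attempt; returns True if the account is now locked."""
        st = self._state(user)
        if st.locked_until > now:
            return True
        # Drop failures that fell out of the sliding window, then add this one.
        st.failures = [t for t in st.failures if now - t < self.policy.window_seconds]
        st.failures.append(now)
        if len(st.failures) >= self.policy.max_failures:
            st.locked_until = now + self.policy.lockout_seconds
            st.failures.clear()
            return True
        return False

    def record_success(self, user: str, now: float) -> bool:
        """A correct password is still refused while locked; otherwise it resets the count."""
        st = self._state(user)
        if st.locked_until > now:
            return False
        st.failures.clear()
        return True
```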
Bypassing passwords altogether
In many cases, passwords are a necessary evil. Yes, that’s a little dramatic, but what we mean is that while passwords drive security, they're not much fun for people to come up with, manage and remember. And really, the majority of people rely on pretty weak passwords (thus all the system-enforced password requirements). Therefore, avoiding passwords altogether isn’t a terrible idea and can work wonderfully in certain scenarios.
For example, do you use time clocks to track when your employees clock in and out? Some time clocks on the market don’t require users to leverage passwords. Instead, they allow employees to perform time clock actions following the simple swipe of a badge or biometric scan of their finger or face. Depending on your user base, secure password alternatives may be worth exploring and implementing to bolster user experience and offset other areas where passwords are the only option.
But it doesn’t have to be all or nothing. If going entirely password-free isn’t realistic, there may be other ways to minimize the number of passwords people need to manage. For instance, many cloud-based tools integrate with what’s called a single sign-on (SSO) service. SSO services provide subscribers with a convenient way to access multiple applications and sites with just one set of credentials. So instead of logging in to all of your individual systems and tools, you can enter one password to gain access to all of your go-to platforms. Pretty slick, right?
Security alerts and notifications
While so much of password security is automated nowadays, there’s still a level of human oversight that’s needed. Admins, managers and system users absolutely must be made part of the security process. One way to do this is to use the automated alerts and notifications that are already available within a platform. For example, our system users and admins can receive an email and/or text as soon as something fishy (or should we say phishy) occurs. Depending on an organization’s preferences, they can set up notifications that trigger for any number of reasons, including when an email ID or password changes, an account locks, an attempted login occurs outside of a list of approved IP addresses, and more.
Notifying the right people that there’s a potential issue is step one, but it’s also worth putting backup safeguards in place to ensure people can act quickly when there’s a real threat. We’ve all experienced a full inbox before; it’s easy to ignore emails or tell yourself you’ll get to them later. This is not unusual. But what if there’s a real password security breach? Wouldn’t it be better for the right people to receive not only an email notification, but also a text right to their phone? Or what if a user's email has also been compromised? Wouldn’t a backup text be a good thing?
Setting up dual methods of notification increases the odds that someone will be notified and take action faster. Therefore, make sure that you're taking advantage of opportunities to build in the necessary redundancy. You won’t regret it.
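The alert triggers listed above and the dual-channel delivery recommended here can be expressed as a small rule set. This is an added example, not the article's or any HCM system's code: it classifies constructed audit events (password or email change, account lock, login attempt from outside an approved address list) and routes every alert to both email and text. The approved networks use documentation address ranges, and the admin contact details are placeholders.

```python
import ipaddress

# Assumed approved ranges; these are RFC 5737 documentation networks, not real ones.
APPROVED_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed admin list with placeholder contact details.
ADMINS = [{"name": "hcm-admin", "email": "admin@example.com", "sms": "+1-555-0100"}]

# Constructed audit events of the kinds the text mentions.
SAMPLE_EVENTS = [
    {"type": "login_attempt", "user": "jdoe", "ip": "203.0.113.7"},   # approved range
    {"type": "login_attempt", "user": "jdoe", "ip": "192.0.2.44"},    # outside the list
    {"type": "password_changed", "user": "jdoe"},
    {"type": "account_locked", "user": "msmith"},
    {"type": "session_refresh", "user": "msmith"},                    # routine, no alert
]


def classify(event: dict):
    """Return a human-readable alert reason for a security-relevant event, else None."""
    kind = event["type"]
    if kind in ("password_changed", "email_changed"):
        return f"{kind} for {event['user']}"
    if kind == "account_locked":
        return f"account locked: {event['user']}"
    if kind == "login_attempt":
        ip = ipaddress.ip_address(event["ip"])
        if not any(ip in net for net in APPROVED_NETWORKS):
            return f"login attempt for {event['user']} from unapproved address {ip}"
    return None


def route_alerts(events, admins):
    """Build (channel, recipient, message) tuples; each alert goes out by email AND text."""
    deliveries = []
    for event in events:
        reason = classify(event)
        if reason is None:
            continue
        for admin in admins:
            for channel in ("email", "sms"):
                deliveries.append((channel, admin[channel], reason))
    return deliveries
```

Three of the five sample events trigger an alert, so one admin receives six deliveries: an email and a text for each.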
Security takes many forms
The importance of password security cannot be overstated. Embracing the safeguards put in place by your software providers and adopting safe password practices of your own can make all the difference in protecting your data. Interested in learning more about security within our HCM solution? See our overview.