Sometimes it can feel like all of the various systems, tools and apps are just one step away from asking you to submit a blood sample each time you log in. We get it; passwords can be a pain. You know they’re needed, but the requirements that go into creating a secure password aren’t always fun to deal with. That said, anyone who’s experienced a data breach of any kind will tell you that proper password security is worth the extra effort. But it's a fine line, right? You want security, but you also want a positive user experience.
So what’s the right balance? Which password security measures are worth embracing with open and enthusiastic arms? Today, we’ll discuss what password experts say are the top must-haves for password security.
Longer passwords
The National Institute of Standards and Technology (NIST), the FBI, and many other government and cybersecurity experts agree that length, even more so than complexity, is a critical driver of password security. Making passwords more complex with letter, number, special character and case requirements is still valuable in fending off attacks, but you also need longer passwords.
But how long is long enough? Password length requirements vary greatly across organizations, platforms and business sectors. However, we’re finding that more platforms (particularly those containing highly sensitive information) are quickly moving toward 15-character minimums. But why 15? Well, according to a well-respected study from cybersecurity company Hive Systems, a complex, 15-character password is virtually impossible to brute-force.
In its study, Hive Systems analyzed how long it takes an attacker to crack passwords of various lengths and complexities by brute force, that is, by systematically trying every possible combination until one works. The data shows that even without additional security safeguards like device detection, account locking and multifactor authentication in place, a 15-character password containing numbers, upper- and lowercase letters, and symbols would take a modest 1 billion years to crack!
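To make the length-versus-complexity point concrete, here is an added example (not Hive Systems' methodology and not code from the original article) that computes the keyspace, entropy and worst-case exhaustive-search time for a few password policies. The guess rate of ten billion guesses per second is a constructed assumption standing in for an offline attack against a fast hash; Hive Systems' published figures rest on their own hardware assumptions, so the absolute years differ from theirs, but the ordering of the policies is what the exercise illustrates.

```python
import math

# Character-class sizes for the estimate (assumption: printable ASCII classes).
CLASS_SIZES = {
    "lower": 26,
    "upper": 26,
    "digits": 10,
    "symbols": 32,  # printable ASCII punctuation
}
ALL_CLASSES = ("lower", "upper", "digits", "symbols")

# Constructed assumption: attacker throughput in guesses per second. This is a
# placeholder for an offline attack on a fast hash, not Hive Systems' figure.
GUESSES_PER_SECOND = 10 ** 10
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Policies to compare: (length, character classes allowed).
POLICIES = {
    "8 chars, all classes": (8, ALL_CLASSES),
    "12 chars, lowercase only": (12, ("lower",)),
    "15 chars, lowercase only": (15, ("lower",)),
    "15 chars, all classes": (15, ALL_CLASSES),
}


def alphabet_size(classes):
    """Number of distinct characters available under the given classes."""
    return sum(CLASS_SIZES[c] for c in classes)


def keyspace(length, classes):
    """Number of distinct passwords of exactly `length` drawn from `classes`."""
    return alphabet_size(classes) ** length


def entropy_bits(length, classes):
    """Entropy of a uniformly random password: log2 of the keyspace."""
    return length * math.log2(alphabet_size(classes))


def years_to_exhaust(length, classes, rate=GUESSES_PER_SECOND):
    """Worst-case years to try every password in the keyspace at `rate` guesses/s.
    A real attacker finds a random password after half the keyspace on average."""
    return keyspace(length, classes) / rate / SECONDS_PER_YEAR


def compare_policies(rate=GUESSES_PER_SECOND):
    """Return {policy name: (entropy bits, years to exhaust)} for every policy."""
    return {
        name: (entropy_bits(n, classes), years_to_exhaust(n, classes, rate))
        for name, (n, classes) in POLICIES.items()
    }


if __name__ == "__main__":
    for name, (bits, years) in compare_policies().items():
        print(f"{name:26s} {bits:6.1f} bits  {years:12.3g} years")
```

Adding seven lowercase letters (12 to 15 characters) buys more than forcing all four character classes into an 8-character password, which is why the guidance above leans on length first.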
Multifactor authentication
Multifactor authentication is an electronic security method that requires a user to provide two or more forms of identity verification before they’re able to log in to a system. For example, our HCM solution gives users two options. Users can download an authenticator app, such as Google Authenticator, to generate time-sensitive, one-time codes for entry at login (note: this is the preferred method, especially for system admins). Or, users can receive a code via text, email or phone call when the system determines that an extra layer of verification is needed, like when an attempted login occurs from an unrecognized device. Whatever the case, experts agree that multifactor authentication is a must-have in today’s online environments.
According to Hive Systems, “two-factor authentication is the best way to protect your most sensitive accounts.” Microsoft has echoed this sentiment, stating publicly that multifactor authentication can block over 99.9% of account compromise attacks. So, while verifying your identity with a unique code might feel like an extra step, it’s worth its weight in (security) gold.
Passwords that do not expire
Intuitively, it might seem like resetting your password periodically is a safer practice than simply sticking with the same password for longer. However, that’s not the case. Research shows that when routine password resets are required, passwords actually become less secure. The reason is that people who are required to change their passwords typically create weaker substitutes and update them in predictable ways.
The average person has over 100 passwords, so if someone is forced to change their password every 30, 60 or 90 days, they’ll likely pick a slight variation of an already existing password, making it easier for hackers to crack. Therefore, unless there is a reason to believe that a password has been compromised, it’s a good idea not to implement password change mandates. That said, when a password change is warranted, remember that moving from P@ssword1 to P@ssword2 isn’t exactly effective either. Always choose a new password that’s complex, long and distinct from any other password you use.
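One defensive control a system can apply when a change is warranted is to refuse a new password that is only a cosmetic variation of the old one, exactly the P@ssword1 to P@ssword2 move described above. The check below is an added example written for this article, not the vendor's implementation: it undoes common character substitutions, strips the trailing digits and symbols people increment, and also rejects candidates within a small edit distance of the old password. The substitution table and the distance threshold of 4 are assumptions a deployment would tune.

```python
import re

# Common substitutions people use to "complexify" a word (assumed table).
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})


def normalize(password):
    """Lower-case, drop leading/trailing non-letters (the incremented digits and
    punctuation), then undo common substitutions to recover the word stem."""
    stem = password.lower()
    stem = re.sub(r"^[^a-z]+|[^a-z]+$", "", stem)
    return stem.translate(LEET_MAP)


def levenshtein(a, b):
    """Edit distance with single-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def is_trivial_variation(old, new, min_distance=4):
    """True when `new` is the old password with cosmetic changes only."""
    old_stem, new_stem = normalize(old), normalize(new)
    if old_stem and old_stem == new_stem:
        return True                       # same word, different decoration
    if old_stem and old_stem in new_stem:
        return True                       # old word reused inside the new one
    if levenshtein(old.lower(), new.lower()) < min_distance:
        return True                       # a handful of edits away
    return False


if __name__ == "__main__":
    for old, new in (("P@ssword1", "P@ssword2"), ("P@ssword1", "P@ssword1!"),
                     ("P@ssword1", "correct horse battery staple")):
        print(f"{old!r} -> {new!r}: rejected={is_trivial_variation(old, new)}")
```

The check needs the old password in plaintext at the moment of change, which is only available because the user has just authenticated with it; it should never be implemented by storing old passwords or reversible forms of them.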
Account locking
Getting locked out of a system for entering an incorrect password can be frustrating to users. However, according to NIST and other security experts, account locking is an important safety measure for technology providers and system admins to implement. By locking an account after a designated number of failed login attempts, organizations can better deter hackers (or hacker bots) from entering password combination after password combination until they guess the magic combo. But again, it’s a fine line.
An important part of balancing user experience with the necessary level of security is to establish a reasonable yet safe lockout strategy. With our system users, we’ve found that five attempts before lockout and a lockout period of one hour is a nice balance. We pair this with the option for system admins to authorize a CAPTCHA test (this adds another layer of security against bots and automated attacks) and the ability for managers to immediately reset employee passwords upon request. But whatever a system provider or your organization decides, a lockout of some kind is indisputably an important line of defense to put in place.
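The five-attempts, one-hour policy described above is straightforward to express as a small state machine, and doing so makes the edge cases visible: a correct password during the lockout is still refused, further failures during the lockout neither extend it nor leak anything, and an administrator reset lifts the lock immediately. This is an added example, not the vendor's code; the injectable clock and the `on_lock` hook (the natural place to trigger the alerts discussed later in the article) are design choices of the example.

```python
import time
from dataclasses import dataclass


@dataclass
class AccountState:
    failures: int = 0          # consecutive failed attempts since last success/lock
    locked_until: float = 0.0  # unix time when the lock expires (0 = not locked)


class LockoutPolicy:
    """Lock an account after `max_attempts` consecutive failures for
    `lockout_seconds`. Defaults mirror the five attempts / one hour policy."""

    def __init__(self, max_attempts=5, lockout_seconds=3600,
                 on_lock=None, clock=time.time):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.on_lock = on_lock   # alert hook: called with (username, locked_until)
        self.clock = clock       # injectable so the policy can be tested offline
        self._accounts = {}

    def _state(self, username):
        return self._accounts.setdefault(username, AccountState())

    def is_locked(self, username):
        return self._state(username).locked_until > self.clock()

    def record_failure(self, username):
        """Register a wrong password. Returns True if this failure caused a lock."""
        state = self._state(username)
        if self.is_locked(username):
            return False         # already locked: do not extend, do not count
        state.failures += 1
        if state.failures >= self.max_attempts:
            state.locked_until = self.clock() + self.lockout_seconds
            state.failures = 0
            if self.on_lock:
                self.on_lock(username, state.locked_until)
            return True
        return False

    def record_success(self, username):
        """Register a correct password. Refused (False) while the lock is active."""
        if self.is_locked(username):
            return False
        self._accounts[username] = AccountState()
        return True

    def admin_reset(self, username):
        """Manager-initiated reset: clears the counter and lifts any lock now."""
        self._accounts[username] = AccountState()


if __name__ == "__main__":
    policy = LockoutPolicy(on_lock=lambda u, t: print(f"ALERT: {u} locked until {t:.0f}"))
    for _ in range(5):
        policy.record_failure("alice")           # fifth failure triggers the lock
    print("locked:", policy.is_locked("alice"))
    print("login with correct password during lock:", policy.record_success("alice"))
```

Note that the counter is per account, so a bot spraying one guess across many accounts never trips it; the CAPTCHA and IP-based controls mentioned above are what cover that pattern, which is why the article pairs them.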
Bypassing passwords altogether
In many cases, passwords are a necessary evil. Dramatic? Well, what we mean is that passwords drive security, but they're not much fun for people to come up with, manage and remember. And really, the majority of people rely on pretty weak passwords (thus all the system-enforced password requirements). Therefore, avoiding passwords altogether isn’t a terrible idea and can work wonderfully in certain scenarios.
For example, do you use time clocks to track when your employees clock in and out? Some time clocks on the market don’t require users to enter passwords. Instead, they allow them to perform time clock actions following the simple swipe of a badge or biometric scan of their finger or face. Depending on your user base, secure password alternatives may be worth exploring and implementing to bolster user experience and offset other areas where passwords are the only option.
Security alerts and notifications
While so much of password security is automated nowadays, there’s still a level of human oversight that’s needed. Managers and system users absolutely must be made part of the security process. One way to do this is to utilize automated alerts and notifications that are already available within a platform. For example, our system users and admins can receive an email and/or text as soon as something fishy (or should we say phishy) occurs. Depending on an organization’s preferences, they can set up notifications that trigger for any number of reasons, including when an email ID changes, an account locks, an attempted login occurs outside of a list of approved IP addresses, a password changes and more.
Notifying the right people that there’s a potential issue is step one, but it’s also worth putting backup safeguards in place to ensure people can act quickly when there’s a real threat. We’ve all experienced a full inbox before; it’s easy to ignore emails or tell yourself you’ll get to them later. This is not unusual. But what if there’s a real password security breach? Wouldn’t it be better for the right people to receive not only an email notification, but also a text right to their phone? Or what if a user's email has also been compromised? Wouldn’t a backup text be a good thing?
Setting up dual methods of notification increases the odds that someone will be notified and take action faster. Therefore, make sure that you're taking advantage of opportunities to build in the necessary redundancy. You won’t regret it.
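The redundancy argued for above (email and text for the same event) has a concrete design consequence: the alerting code must try every configured channel and keep going when one of them fails, rather than stopping at the first error. The router below is an added example, not the vendor's alerting feature; the event types are taken from the list in the article, while the channels are constructed stand-ins (an in-memory "email" sink and an "SMS" sender that fails) so the fan-out behaviour can be seen offline.

```python
import logging

log = logging.getLogger("alerts")


class AlertRouter:
    """Route security events to every channel configured for their type.
    One channel failing must not prevent the others from being attempted."""

    def __init__(self, rules, channels):
        self.rules = rules          # event type -> list of channel names
        self.channels = channels    # channel name -> send(message) callable

    def dispatch(self, event):
        """Returns (delivered, failed) channel-name lists for this event."""
        message = f"[{event['type']}] user={event['user']} {event.get('detail', '')}".strip()
        delivered, failed = [], []
        for name in self.rules.get(event["type"], []):
            try:
                self.channels[name](message)
                delivered.append(name)
            except Exception as exc:          # isolate the failure to this channel
                log.warning("channel %s failed for %s: %s", name, event["type"], exc)
                failed.append(name)
        return delivered, failed


def build_demo_router():
    """Constructed wiring for the example: email is captured in a list, the SMS
    gateway is simulated as unreachable. Returns (router, email_sink)."""
    email_sink = []

    def send_email(message):
        email_sink.append(message)

    def send_sms(message):
        raise ConnectionError("simulated SMS gateway outage")

    # Event types from the article; high-impact ones go to both channels.
    rules = {
        "account_locked": ["email", "sms"],
        "email_changed": ["email", "sms"],
        "login_outside_approved_ips": ["email", "sms"],
        "password_changed": ["email"],
    }
    return AlertRouter(rules, {"email": send_email, "sms": send_sms}), email_sink


if __name__ == "__main__":
    router, inbox = build_demo_router()
    print(router.dispatch({"type": "account_locked", "user": "alice",
                           "detail": "5 failed attempts"}))
    print(inbox)
```

In the demo the SMS channel is down, yet the email still lands and the caller learns which channel failed, which is the information needed to retry or escalate instead of silently losing the alert.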
Security takes many forms
The importance of password security cannot be overstated. Embracing the safeguards put in place by your software providers and adopting safe password practices of your own can make all the difference in protecting your data. Interested in learning more about how our HCM solution, Workforce Ready, approaches security? Click here for an overview.