There are many ways to increase the security of a password. In this video, you’ll learn about password complexity, password managers, passwordless authentication, and more.
When you’re choosing a password, you often see instructions on creating a password that will be difficult for someone to guess. This makes password spraying or brute force attacks much less likely to succeed. The goal is to create a password with a high amount of entropy. Entropy describes how unpredictable a password is. To meet those requirements, you don’t want to use single words or something that might be obvious. Ideally, you’d create a password that includes upper and lowercase letters, numbers, and special characters.
And you’ve probably seen cases where there is a minimum length for a password. Ideally, you’d want a password that is at least eight characters, although we’re seeing password requirements increase that number as the processing speed and capabilities of the systems used to crack passwords keep improving.
In some cases, we’re encouraged to use a phrase or set of words so that we have a much longer password. Once a password is set, a timer starts that defines the password age. This password age is then evaluated after a certain duration to determine whether we would want to change that password. For example, many passwords will expire in 30 days, 60 days, 90 days, or some other value.
You’ve probably seen notifications that remind you that your password is going to expire in a certain number of days and that you’ll need to change this password as soon as possible. If you don’t change the password and the password expires, then you won’t be able to log in to that account.
And many systems will remember your password history, so you can’t reuse a password that you may have used in the past. Of course, these password expirations are determined by the system administrator. If this is a critical system, you may find that your passwords need to be changed every 15 days or 7 days so that you constantly have a different set of passwords in use.
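The policy rules described above (character classes, minimum length, entropy, password age and password history) can be written down as a small checker. The code below is an added example and is not from the original video or from any specific product; the class sizes, the 90-day age limit, the "three of four classes" rule and the sample passwords are constructed assumptions, and the history is compared in plaintext purely to keep the illustration short.

```python
import math
import string
from datetime import datetime, timedelta

# Character classes used both for the complexity rule and for the entropy estimate.
CHARACTER_CLASSES = {
    "lower": set(string.ascii_lowercase),    # 26 characters
    "upper": set(string.ascii_uppercase),    # 26 characters
    "digit": set(string.digits),             # 10 characters
    "special": set(string.punctuation),      # 32 characters
}


def character_classes(password):
    """Return the set of class names (lower, upper, digit, special) the password uses."""
    return {name for name, chars in CHARACTER_CLASSES.items()
            if any(c in chars for c in password)}


def estimate_entropy_bits(password):
    """Upper-bound entropy estimate: log2(pool ** length), where the pool is the
    union of the character classes the password actually contains.

    This is what most complexity meters compute. It assumes every character was
    chosen at random, so a dictionary word or a keyboard pattern scores far
    higher than its real unpredictability; treat the number as a ceiling.
    """
    pool = sum(len(CHARACTER_CLASSES[name]) for name in character_classes(password))
    if pool == 0:
        return 0.0
    return len(password) * math.log2(pool)


def days_until_expiry(set_on, now, max_age_days=90):
    """Days left before the password age limit is reached (negative once expired)."""
    return max_age_days - (now - set_on).days


def check_password(password, previous_passwords, set_on, now,
                   min_length=8, min_classes=3, max_age_days=90):
    """Evaluate a password against the policy and return the list of violations.

    An empty list means the password passes. previous_passwords is the history
    list; a real system stores only salted hashes of old passwords and compares
    against those. Plaintext is used here only to keep the example short.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if len(character_classes(password)) < min_classes:
        problems.append(f"uses fewer than {min_classes} of the 4 character classes")
    if password in previous_passwords:
        problems.append("reuses a password from the history")
    if days_until_expiry(set_on, now, max_age_days) < 0:
        problems.append(f"older than {max_age_days} days (expired)")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs: a weak password, a complex one, and a long passphrase.
    now = datetime(2024, 3, 1)
    for pw in ("password", "Tr0ub4dor&3", "correct horse battery staple"):
        print(f"{pw!r}: {estimate_entropy_bits(pw):.1f} bits, "
              f"violations: {check_password(pw, ['Tr0ub4dor&3'], datetime(2024, 1, 1), now)}")
```

Running it shows why longer passwords keep being asked for: the 28-character passphrase, built only from lowercase letters and spaces, still estimates far higher than the 11-character complex password, because length multiplies entropy while each extra character class only adds a little to the logarithm.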
The best practice is to use a different password for each account. This would prevent somebody from gaining access to one of your passwords and being able to access many accounts with those same credentials. The problem, of course, is remembering all of these different passwords across all of these different accounts. For that reason, we may want to take advantage of a password manager.
A password manager allows you to store all of your passwords in one single database. This database obviously contains a great deal of sensitive information, so we add additional security to gain access to that database. For example, the password manager itself encrypts all of the information stored in the database. And to gain access to the database, you may need to provide additional authentication credentials or multifactor tokens.
Many operating systems now include a password manager built into the OS itself, and there are many third-party password managers you can download and use as well. There are also enterprise solutions so that every employee in your organization can take advantage of a secure password manager.
Once you log into your password manager, you have full access to all of the saved passwords, and you can get a summary of how healthy those passwords might be. This might give you some feedback on whether a password may have been compromised or whether you need to make passwords a bit more secure. I like the feature in my password manager that allows me to generate new passwords automatically with a random amount of data and to automatically add those to the form that I’m filling in. This allows me to easily create unique passwords for every site that I use.
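The three password-manager features just described (a slow key derivation protecting the encrypted database, random password generation, and a health summary that flags reused, short and compromised passwords) are shown together in the added example below. It is not code from the video or from any real password manager; the PBKDF2 iteration count, the sample vault, the "breached" hash set and the site names are constructed for the demonstration, and a real manager would verify the master password by decrypting an authenticated ciphertext rather than by comparing the derived key directly.

```python
import hashlib
import hmac
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation
PBKDF2_ITERATIONS = 600_000  # OWASP's current figure for PBKDF2-HMAC-SHA256


def derive_vault_key(master_password, salt):
    """Derive the 256-bit key that encrypts the vault from the master password.

    The slow key-derivation function is the extra security on the database:
    someone who copies the vault file still pays 600,000 PBKDF2 rounds for
    every master-password guess.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, PBKDF2_ITERATIONS, dklen=32)


def unlock_vault(master_password, salt, expected_key):
    """Check the master password in constant time against the expected key.
    (Simplified: a real manager checks by decrypting authenticated data.)"""
    return hmac.compare_digest(derive_vault_key(master_password, salt), expected_key)


def generate_password(length=20, alphabet=ALPHABET):
    """Generate a random password containing at least one lower, upper, digit
    and special character, using the CSPRNG behind the secrets module.
    Rejection sampling keeps the distribution uniform over qualifying strings."""
    if length < 4:
        raise ValueError("length must allow one character from each class")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in candidate) and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in string.punctuation for c in candidate)):
            return candidate


def audit_vault(vault, breached_sha1, min_length=12):
    """Produce the password-health summary for a vault of {site: password}.

    breached_sha1 is a set of uppercase SHA-1 hex digests of passwords known to
    be compromised, the representation the Have I Been Pwned corpus uses.
    """
    sites_by_password = {}
    for site, password in vault.items():
        sites_by_password.setdefault(password, []).append(site)
    return {
        "reused": sorted(sorted(sites) for sites in sites_by_password.values() if len(sites) > 1),
        "short": sorted(site for site, pw in vault.items() if len(pw) < min_length),
        "compromised": sorted(site for site, pw in vault.items()
                              if hashlib.sha1(pw.encode("utf-8")).hexdigest().upper() in breached_sha1),
    }


# Constructed sample vault and a constructed breached-password set for the demo.
SAMPLE_VAULT = {
    "mail.example": "Summer2024!!",
    "bank.example": "Summer2024!!",
    "forum.example": "hunter2",
    "work.example": generate_password(24),
}
SAMPLE_BREACHED_SHA1 = {hashlib.sha1(b"hunter2").hexdigest().upper()}


if __name__ == "__main__":
    salt = secrets.token_bytes(16)
    key = derive_vault_key("correct horse battery staple", salt)
    print("vault unlocked:", unlock_vault("correct horse battery staple", salt, key))
    print("health report:", audit_vault(SAMPLE_VAULT, SAMPLE_BREACHED_SHA1))
```

The audit reports the two sites sharing one password as reused, and the short, well-known password as both short and compromised; the generated entry for the remaining site passes every check, which is the point of letting the manager create passwords for you.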
Unfortunately, many people don’t take advantage of password managers or they tend to reuse passwords across different sites. This makes it very easy for an attacker to gain access to a user’s data. Because of this, many systems have moved to a passwordless method of authentication where you would not use a password to log into a system. This would certainly solve the problem of password reuse, and you don’t have to remember a password to log into a system.
You might already be using passwordless authentication. If you have a mobile phone and you unlock that phone with face recognition, you don’t have to put in a password to gain access to that system. And when I log into Windows, I use a personal identification number instead of using a password. In all of these cases, the passwordless authentication is often used in conjunction with a password or some other type of authentication factor. This means that we may need to use our password initially. But from that point forward, we can use the passwordless authentication.
The use of passwords becomes much more complex in an environment where many people log into many different systems, as is the case in many IT departments. So instead of using single passwords that are assigned to an individual user, we use just-in-time permissions. This allows a technician to receive administrative access for a limited amount of time using a set of credentials that is also temporary. This solves the problem of a technician needing administrator rights but not having those rights normally associated with their login. The technician can use those administrator rights to solve a particular problem or fix an issue, and then those rights expire automatically. This means that if an attacker does manage to breach an individual user’s account, they would not have administrator access to the systems.
To start this process of just-in-time permissions, the user would request permission from a central clearinghouse. This clearinghouse is responsible for granting or denying access based on a set of security policies that were previously configured. That central clearinghouse or password vault contains primary credentials that would allow someone access to a system. But instead of handing out those primary credentials, the vault is going to set different controls for each individual user.
The just-in-time process is going to create a new set of credentials based on those primary credentials. Those new credentials will be assigned to a user, and they’re assigned on an ephemeral basis, which means they will only be temporarily assigned. This means your primary credentials will never be shown to anyone else. And once the technician uses those temporary credentials, they can then be deleted after that session is complete.
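The just-in-time flow from the last three paragraphs (request to a central clearinghouse, policy evaluation, an ephemeral credential minted from the primary credential without ever exposing it, automatic expiry and deletion after the session) is modelled in the added example below. It is illustrative code, not from the video or from any privileged-access product; the roles, the privilege names, the one-hour and two-hour caps, the account names and the "primary-secret-placeholder" value are all constructed assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed policy: which role may request which privilege, and the longest
# grant the clearinghouse will issue for it.
ACCESS_POLICY = {
    "helpdesk": {"admin:workstation": timedelta(hours=1)},
    "sysadmin": {"admin:workstation": timedelta(hours=4), "admin:server": timedelta(hours=2)},
}


@dataclass
class Grant:
    user: str
    privilege: str
    token_hash: str        # only a hash of the ephemeral credential is kept
    expires_at: datetime
    revoked: bool = False


class PrivilegeVault:
    """Central clearinghouse for just-in-time privileged access."""

    def __init__(self, primary_credentials):
        # privilege -> (account name, secret). The secret is used only by the
        # vault's own connector to the target system and is never returned.
        self._primary = primary_credentials
        self._grants = {}

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def request_access(self, user, role, privilege, now, requested_for):
        """Evaluate the request against policy and mint an ephemeral credential."""
        allowed = ACCESS_POLICY.get(role, {})
        if privilege not in allowed or privilege not in self._primary:
            raise PermissionError(f"{role} may not request {privilege}")
        lifetime = min(requested_for, allowed[privilege])   # cap at the policy maximum
        token = secrets.token_urlsafe(32)                  # the ephemeral credential
        grant_id = secrets.token_hex(8)
        self._grants[grant_id] = Grant(user, privilege, self._hash(token), now + lifetime)
        return grant_id, token

    def authorize(self, grant_id, token, privilege, now):
        """Validate an ephemeral credential. Returns the privileged account the
        vault will act as, or None if the grant is unknown, expired, revoked,
        for a different privilege, or the token does not match."""
        grant = self._grants.get(grant_id)
        if grant is None or grant.revoked or now >= grant.expires_at:
            return None
        if not hmac.compare_digest(grant.token_hash, self._hash(token)):
            return None
        if grant.privilege != privilege:
            return None
        account, _secret = self._primary[privilege]   # secret stays inside the vault
        return account

    def end_session(self, grant_id):
        """Revoke the grant when the technician's session is complete."""
        grant = self._grants.get(grant_id)
        if grant is not None:
            grant.revoked = True

    def expires_at(self, grant_id):
        return self._grants[grant_id].expires_at


if __name__ == "__main__":
    vault = PrivilegeVault({"admin:workstation": ("local-admin", "primary-secret-placeholder")})
    now = datetime(2024, 1, 1, 9, 0)
    grant_id, token = vault.request_access("alice", "helpdesk", "admin:workstation",
                                           now, timedelta(hours=8))
    print("grant expires:", vault.expires_at(grant_id))   # capped to one hour by policy
    print("30 min later: ", vault.authorize(grant_id, token, "admin:workstation",
                                            now + timedelta(minutes=30)))
    print("2 h later:    ", vault.authorize(grant_id, token, "admin:workstation",
                                            now + timedelta(hours=2)))
```

Two design points carry the security value described in the text: the vault stores only a hash of the ephemeral token, so a copy of its grant table does not yield usable credentials, and the primary secret is read only inside authorize(), so a compromised technician account holds at most a short-lived token that expires or is revoked rather than the standing administrator password.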