Welcome to “Security Threats: Password Management Techniques.” After watching this video, you will be able to: explore password management best practices, identify strong and weak passwords, and explain the difference between SFA, 2FA, and MFA.

Strong passwords and an effective password strategy are essential to online security. People tend to use the same passwords across personal and business accounts, but weak or stolen passwords account for more than 80% of company data breaches. Each online account should have a unique password, especially corporate accounts, and employee training should explain why password management and data security are so important.

A password policy is a set of rules that provide guidance on using strong passwords. Password policies should require: a minimum length of 12 characters; a mix of upper- and lower-case letters, numbers, and special characters; a unique password for each account or device, including personal devices used for work; a mandatory password change every 6 to 12 months; employee training on cyberattacks; and notification to employees that the company will never ask for passwords. Password policies should also insist that employees never reuse or recycle passwords, never share passwords (not even with the CEO), never write passwords down, and never store passwords in a digital file.

Hackers can guess one trillion passwords per second. Passwords often contain quotes from movies, songs, or books, but hackers already have online databases full of these quotes, along with lists of dictionary words, encyclopedia entries, and more. For stronger security: use 12 characters, minimum; avoid names, places, dictionary words, or PII; use upper- and lower-case letters, numbers, and special characters; and avoid using “leet” substitutions (symbols or digits standing in for letters), because hackers already know about them. An example of leet is writing the word ‘password’ using the number four instead of the letter ‘A’, or the dollar sign instead of the letter ‘S’.
Use random characters. Use a passphrase (12 or more random words). Here's what strong passwords look like.

Organizations should never ask customers or employees for their passwords. When employees know that their company would never ask for passwords, they are less likely to fall for impersonation and phishing attacks. Don’t share your password with anyone, not even your boss or the IT department. IT staff have admin rights; any work they do can be done with their own logins.

Companies must teach employees the risks of password reuse and take steps to stop it. Password reuse means using the same username and password for all your accounts, using common passwords like ‘12345’ or the word ‘password,’ or using the same password with a different username. Hackers can easily link previously used passwords to people, and they can ‘spray’ common passwords at online accounts.

Password expiration is when a password is set to expire after a specific amount of time. In the past, employees typically had to change their passwords every 90 days, but this inspired weak and reused passwords. Longer intervals help employees adopt less risky behavior. Password expiration does make sense, but not once it starts to negatively affect security.

Single-factor authentication (or SFA) is when you enter one credential to log in. Username and password is the most common form. Single-factor authentication is not safe from keystroke loggers (malware that captures everything typed on a device), phishing, or data breach information sold on the dark web. With single-factor authentication, anyone who has your username and password can do whatever they want with your account or data.

Two-factor authentication (or 2FA) is when you enter two credentials to log in. Two-factor authentication is usually hardware-based, with the most common form being a security key that plugs into a USB port. 2FA devices are the best defense you can have against phishing and hijacking, and they are very easy to set up.
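The policy rules above (12-character minimum, all four character classes, no dictionary words even when spelled in leet) and the random-passphrase advice, turned into a working check and generator. This is an added example, not code from the video; the word list and the leet table are constructed stand-ins, and a real deployment would load a large dictionary.

```python
import re
import secrets
import string

# Constructed stand-in for the dictionary and quote lists the video says attackers
# already hold; a real check would load a large wordlist.
COMMON_WORDS = {"password", "welcome", "summer", "dragon", "letmein", "qwerty"}

# Leet substitutions the video calls out (4 for A, $ for S) plus other common ones.
# Attackers try these automatically, so the check undoes them before the word match.
LEET_MAP = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})

MIN_LENGTH = 12  # the policy minimum stated in the video


def policy_violations(password):
    """Return the policy rules the password breaks; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"\d", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    # Undo leet spelling, then look for any dictionary word embedded in the result.
    normalized = password.lower().translate(LEET_MAP)
    for word in sorted(COMMON_WORDS):
        if word in normalized:
            problems.append(f"contains dictionary word '{word}' (leet does not hide it)")
            break
    return problems


def random_passphrase(wordlist, words=12, sep="-"):
    """Build a passphrase from cryptographically secure random word choices."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def random_password(length=16):
    """Draw a random password from all four character classes until it passes the policy."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not policy_violations(candidate):
            return candidate
```

Note that “P4$$word2024!” satisfies every character-class rule and the length rule yet still fails, because normalizing the leet spelling exposes the word ‘password’.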
Newer versions use NFC, so the key only has to be near the device instead of plugged in.

Multifactor authentication, or MFA, is quickly becoming the industry standard for effective security. It’s an extra layer of protection that companies and organizations use to keep cybercriminals out of their systems. When you’re trying to access a resource or device that uses MFA, you need to provide more than just the correct password to get in. MFA offers the following extra protection over SFA: the risk of a breach occurring is significantly reduced; MFA factors can't be captured by keystroke loggers; you're in full control over which factors you provide (phone, email, text, security questions, or some combination of them); and the risk from phishing is significantly reduced. It's important to understand that multi-factor authentication is not 100% fail-proof. As hackers realize that the number of organizations using MFA is steadily on the rise, they continue to look for ways to circumvent it or to exploit the vulnerabilities that inevitably exist in these types of solutions.

Identification factors are pieces of information that only you and an authentication service know. They are: something you know, like your password or PIN, answers to security questions, or a one-time password (or OTP) code; something you have, like a phone or email account to receive OTP codes, a phone app that can generate OTP codes, or a device plugged into your phone or computer; and something about you, like your fingerprints, retinas, face, or voice. Biometric scans use these to authenticate you online or to unlock a door to a secured area.

Single sign-on (or SSO) verifies users for connected accounts or apps so they only have to log in once. Businesses use SSO to simplify and speed up access to resources. IT departments set up single sign-on with vendors like Office365 or Salesforce.com so employees are automatically logged in when they sign into their work networks.
This lets employees continue working without having to remember multiple passwords.

Password managers generate strong, unique passwords for every online account you create and remember each of them for you. They can analyze your stored passwords and warn you if any are too weak or have been reused on other sites. They use powerful encryption on all stored passwords to keep them safe. Once set up, you only have to remember the one password for the password manager.

In this video, you learned that: 2FA is when a physical device must be plugged in before login; MFA is when multiple authentication methods are used to log in; SSO verifies a user across connected accounts; password managers create strong, unique passwords and remember them for you; and strong passwords are long, random, secret, and never reused.
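Returning to the “something you have” factor described above, the phone app that generates OTP codes: the standard way such apps work is TOTP (RFC 6238), an HMAC over a counter derived from the current 30-second time step. This added example, not code from the video, shows both the generating side and a server-side check that tolerates one step of clock skew; the secret is the RFC 4226 test-vector key, used here only so the outputs are known.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # TOTP time step; the code changes every 30 seconds
DIGITS = 6

# RFC 4226 test-vector secret ("12345678901234567890"), base32-encoded the way a
# provisioning QR code carries it. A real secret is random and never shared.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # low nibble of the last byte picks 4 bytes
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, at_time, step=STEP_SECONDS):
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    secret = base64.b32decode(secret_b32, casefold=True)
    return hotp(secret, int(at_time) // step)


def verify_totp(secret_b32, submitted, at_time, window=1):
    """Server-side check: accept the code for the current step or `window` steps
    either side, so a phone whose clock drifts slightly still authenticates.
    A code captured by a keystroke logger is useless once this window has passed."""
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, at_time + drift * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):  # constant-time comparison
            return True
    return False


if __name__ == "__main__":
    import time
    print("current code:", totp(DEMO_SECRET_B32, time.time()))
```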