Passwords have been around for many years, and they will continue to be used because they are a tremendously simple way to enforce a certain level of security. The approach works, provided that security is also ensured all around it.
Jörg Vollmer, General Manager Field Operations DACH at Qualys
The challenge with passwords is that managing them is becoming more and more complex, partly because of the sheer number of user accounts. Password rules can make passwords difficult for people to remember, so they either use one password for several accounts or write their passwords down. Best practices for secure passwords are also sometimes forgotten. For example, the number of attempts to enter a password can be limited so that attackers cannot try to gain access with the help of dictionary attacks or password libraries. This may be obvious for customer-facing applications, but these rules should also apply to internal applications and cloud services.
In today’s world, passwords alone are no longer enough to keep IT access secure. To further improve security hygiene, there are now tools such as multi-factor authentication (MFA), where users must provide two or more verification factors to gain access to a resource. Companies, regardless of their industry or size, must recognize the value of strong security and correctly implement measures that take little effort, such as MFA.
What can companies do to improve password hygiene? They should first make sure that users do not use a simple dictionary word as a password, and enforce controls so that users cannot use the same password multiple times. It is important to apply rules for password length and the variety of characters used, and to watch for poor security practices such as a lack of MFA or a lack of role-based access control. For example, the BSI provides guidelines that companies and authorities can use to increase the security of their passwords.
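The controls named above (no dictionary words, no reuse, minimum length, character variety) can be checked together when a password is set. The following is an added example, not code from the article or from Qualys; the thresholds, the word list and all function names are assumptions, and "reuse" is interpreted here as reuse of the same user's earlier passwords, which are kept only as salted hashes.

```python
import hashlib
import hmac
import os

# Assumed policy values and word list (constructed for this example).
MIN_LENGTH = 12
MIN_CHAR_CLASSES = 3
DICTIONARY = {"password", "welcome", "sunshine", "dragon"}
PBKDF2_ITERATIONS = 100_000

def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a salted hash so earlier passwords are never stored in clear text."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

def history_entry(password: str) -> tuple[bytes, bytes]:
    """Create the (salt, hash) pair that is stored in a user's password history."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)

def char_classes(password: str) -> int:
    """Count how many of the classes lower, upper, digit, symbol are present."""
    checks = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(check(c) for c in password) for check in checks)

def is_dictionary_word(password: str) -> bool:
    """True for a listed word, ignoring case and trailing digits or symbols."""
    core = password.lower().rstrip("0123456789!?.#$*")
    return core in DICTIONARY

def was_used_before(password: str, history: list[tuple[bytes, bytes]]) -> bool:
    """Compare the candidate against each stored (salt, hash) pair."""
    return any(hmac.compare_digest(hash_password(password, salt), digest)
               for salt, digest in history)

def policy_violations(password: str, history: list[tuple[bytes, bytes]]) -> list[str]:
    """Return the rules the candidate breaks; an empty list means it is accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if char_classes(password) < MIN_CHAR_CLASSES:
        problems.append("low_variety")
    if is_dictionary_word(password):
        problems.append("dictionary_word")
    if was_used_before(password, history):
        problems.append("reused")
    return problems
```

A check like this complements, and does not replace, MFA and limits on login attempts.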