Passwords: one of the weakest links in corporate defences
Eight in 10 remote workers (84%) re-use passwords, according to a CyberArk survey.
"Every new corporate application or tool becomes a new identity silo, with unique password management requirements, such as complexity or how often they should be rotated," commented Jeffrey Kok, VP of Solution Engineers, Asia Pacific and Japan, CyberArk, ahead of World Password Day on May 6.
"And because we are pretty bad at using and remembering strong passwords, we often use weak ones, or re-use them."
According to Kok, CyberArk's top tips for reducing password-related risk are:
Mandate the use of a strong password
Strong passwords contain several different types of characters and therefore take an attacker more time and effort to guess or crack. Passwords should be at least 10 characters long and combine several character types: symbols such as commas, percent signs and parentheses, as well as uppercase and lowercase letters and numbers.
Enforce the use of a unique password for each service and account
"If employees re-use passwords on multiple sites or accounts, even if the password is complex enough and long, all it will take is for one of their accounts to be compromised to make all of their other accounts vulnerable," Kok said.
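The two tips above, the length and character-mix rule and the ban on re-using a password across accounts, can be enforced at the point where a user sets a password. The following checker is an added example written for this article, not CyberArk's code: it applies the 10-character minimum and character-class mix described above and rejects any password whose fingerprint matches one the user already has on file for another service. The `previously_used` set, the sample passwords and the minimum of three character classes are constructed assumptions for the demonstration.

```python
from __future__ import annotations

import hashlib
import string

MIN_LENGTH = 10      # minimum length stated in the tip above
MIN_CLASSES = 3      # assumed policy: at least three of lower/upper/digit/symbol


def character_classes(password: str) -> set[str]:
    """Return the set of character classes present in the password."""
    classes: set[str] = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:   # includes , % ( ) and the rest
            classes.add("symbol")
        else:
            classes.add("other")         # whitespace, control characters
    return classes


def fingerprint(password: str) -> str:
    """SHA-256 fingerprint used only to compare against passwords already on
    file for the same user, so the clear-text values never need to be kept.
    For storing the live password itself use a salted, slow hash such as
    bcrypt or Argon2 instead of a plain SHA-256."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(password: str, previously_used: set[str]) -> list[str]:
    """Return a list of policy violations; an empty list means the password
    is acceptable under the rules described in the article."""
    problems: list[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = character_classes(password) - {"other"}
    if len(classes) < MIN_CLASSES:
        problems.append(
            f"only {len(classes)} character class(es), need {MIN_CLASSES}"
        )
    if fingerprint(password) in previously_used:
        problems.append("re-used from another account or service")
    return problems


if __name__ == "__main__":
    # Constructed sample: the user already uses one password on another site.
    on_file = {fingerprint("Tr0ub@dour!X")}
    for candidate in ("summer2021", "Tr0ub@dour!X", "Qz7,pine(Lamp)%"):
        verdict = check_password(candidate, on_file) or ["ok"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

Because the re-use check compares fingerprints rather than the passwords themselves, the same logic can run against a breach-notification feed of hashed credentials without the service ever holding the clear-text values of other accounts.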
Use multifactor authentication
Multiple types of authentication – not just a password – should be required to unlock the account. "The first part of the authentication process requires something the user already knows, like a password. The other part of the authentication process involves something the user doesn’t already know, such as a code sent to the mobile phone by authentication software or created by a designated application on the phone," Kok said.
"This code becomes the other half of a user’s login authentication. Now, even if attackers manage to get a password, they still don’t have access to the account without the other part of the authentication."
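The "code created by a designated application on the phone" is usually a time-based one-time password (TOTP, RFC 6238), which is an HMAC over a 30-second time counter. The block below is an added example, not part of the article or of CyberArk's products: it implements HOTP/TOTP with the standard library, verifies a submitted code within a one-step clock-drift window, and combines that with a salted password hash into a two-factor `login` function so that a correct password alone is not enough. The user record, its secret and the timestamps are constructed for the demonstration; the secret `12345678901234567890` is the RFC 4226/6238 test-vector key.

```python
import hashlib
import hmac
import struct

# Constructed demo secret; it is the published RFC 4226/6238 test-vector key.
SECRET = b"12345678901234567890"
STEP_SECONDS = 30
PBKDF2_ROUNDS = 100_000


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter."""
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                              # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = STEP_SECONDS) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the time step."""
    return hotp(secret, int(at_time // step))


def verify_totp(secret: bytes, submitted: str, at_time: float,
                step: int = STEP_SECONDS, window: int = 1) -> bool:
    """Accept the code for the current step and `window` steps either side
    to tolerate clock drift between phone and server; compare in constant
    time so the check does not leak how many digits matched."""
    counter = int(at_time // step)
    ok = False
    for c in range(counter - window, counter + window + 1):
        ok |= hmac.compare_digest(hotp(secret, c), submitted)
    return ok


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


# Constructed user store: one user with a salted password hash and a TOTP secret.
USERS = {
    "alice": {
        "salt": b"constructed-salt-value",
        "pw_hash": hash_password("Tr0ub@dour!X", b"constructed-salt-value"),
        "totp_secret": SECRET,
    }
}


def login(username: str, password: str, code: str, now: float) -> bool:
    """Two-factor login: both the password (something known) and the
    current TOTP code (something held) must verify."""
    rec = USERS.get(username)
    if rec is None:
        return False
    pw_ok = hmac.compare_digest(hash_password(password, rec["salt"]), rec["pw_hash"])
    code_ok = verify_totp(rec["totp_secret"], code, now)
    return pw_ok and code_ok


if __name__ == "__main__":
    now = 59  # constructed timestamp; falls in time step 1 of the RFC vectors
    print("current code:", totp(SECRET, now))
    print("password + correct code :", login("alice", "Tr0ub@dour!X", totp(SECRET, now), now))
    print("stolen password, no code:", login("alice", "Tr0ub@dour!X", "000000", now))
```

The second `login` call is the scenario in the quote: the attacker holds the right password but not the phone, so the attempt fails even though the first factor passed.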
Address the risk of local admin accounts on workstations
Weak passwords and end users with local admin rights on their workstations represent a significant security risk for organisations. Many attacks start on endpoints where attackers initially gain access through a phishing attack or when an employee inadvertently downloads and executes a malicious application. In many cases, an attacker’s aim is to compromise the privileged credentials that reside on workstations.
"Privileged credentials – such as admin rights – can allow attackers to move laterally until they can secure credentials to systems with sensitive PII (personally identifiable information) or intellectual property. To reduce this risk, organisations should rotate local admin credentials (including the OS built-in local account) on a periodic basis as an important security measure. Over time, organisations should consider removing local admin rights from end user workstations altogether to further reduce the risk of attacks from the endpoint," said Kok.