There are two kinds of companies in the world: those that have been breached by criminals, and those that have been breached and don’t know it yet. Criminals are relentless.

Today’s cyberattacks have evolved into high-level espionage perpetrated by robust criminal organizations or nation-states. In the era of software as a service (SaaS), enterprise data is more likely to be stored on the cloud rather than on prem. Using sophisticated cloud scanning software, criminals can breach an enterprise system within seconds of coming online. And the cost of a data breach can be enormous.

As the crucial first line of defense against hackers, passwords have been used since the dawn of the Internet, and I believe they will continue to be used long after I retire.

Yet, the majority of company-related passwords fail to meet minimum security requirements — and the number of companies lacking multi-factor authentication tools or enterprise controls is staggering.

As a specialist in password cracking, I help lead IBM’s X-Force Red, an autonomous team of veteran hackers within IBM Security that helps businesses discover and identify critical vulnerabilities to cyberattacks. Our mission is to “hack anything to secure everything.”

One thing I know for sure: your enterprise system will be hacked. Password breaches are on the rise, and the vast majority of enterprise breaches can be attributed to poor password security. So, how can your business protect itself?

Strong password hygiene paired with an enterprise password manager, backed by company policies and multi-factor authentication, will reduce your risk. And in the age of cloud, zero trust security must be wrapped around every connection, every device, every user, every time.

To Improve Password Security, Reduce User Friction

Why are weak passwords so commonplace? With online accounts multiplying, password fatigue is on the rise. To make life easier, many people repeat the same, easy-to-remember password across multiple accounts. These weak passwords can be easily cracked, creating security vulnerabilities that allow cybercriminals to access company, employee and client data.

Whether passwords are stolen through phishing, malware or brute force attacks, they give criminals access to valuable company and/or personal information. This stolen information can be sold on darkweb marketplaces where it can be used to perpetrate multiple, ongoing attacks associated with the original breach.

A password manager can prevent issues before they arise by automating password resets and preventing unnecessary active directory locks — reducing user friction and lost productivity. When integrated across systems and even accessible outside of employees’ business assets, it can drive real business value. Yet only a fraction of companies purchase an enterprise password manager, citing cost as a factor.

I believe the investment cost of a password manager must be weighed against the losses associated with a breach and associated user productivity. For example, if users are locked out of their computers — and don’t have a company phone to perform two-factor authentication (2FA) — there is an immediate productivity loss while they call the help desk and wait to be unlocked.

Start with Good Password Hygiene

A good password provides a simple way to protect against the vast majority of cyberthreats. Let’s look at password habits that can minimize the impact of password weakness and help improve your organization’s security.

  • Go long! Use a 12-16 character string of numbers, special characters, upper and lowercase letters, symbols, and non-dictionary words. It would take several years for a brute force attack to crack such a password.
  • A no-repeat policy is best. 52 percent of all internet users admit they use the same password across many accounts. One breach can compromise your enterprise security.
  • Change passwords often, especially after a successful attack. And don’t share them with anyone or write them down on sticky notes.
  • Layer protection with two-factor (2FA) or multi-factor (MFA) authentication, ideally paired with a dedicated Authenticator app that can generate a unique and frequently changing code. Biometric authentication – fingerprints, retinal scans, voice signatures –can add security as part of MFA, but it isn’t foolproof. A secure password will always be an important component of biometric authentication.

9 Reasons to Use an Enterprise Password Manager

Frequent cycling of authentication secrets is one of the best defenses against compromise. A reputable password manager such as 1Password for enterprise generates unique credentials for each account and stores them securely in a vault where individuals, employees, or teams can access them using a master password. Here are nine reasons a password manager makes good business sense.

  1. Ease password overload: Cloud-based password managers provide the convenience of accessing the password across any device.
  2. No more weak passwords: Long, intricate passwords that would take hackers years to crack are effortlessly generated by password managers.
  3. Monitor password changes: A password manager helps support company security policies by monitoring how often passwords are changed, and that they meet company policies.
  4. Harder to hack: Password managers make it harder for criminals to steal identities as auto-generated passwords are not tied to the user’s identity and do not include personal details.
  5. Improve operational efficiency: Your IT help desk spends hours resolving employee password reset requests, a waste of business resources. A password manager eliminates these issues and improves IT and end user productivity.
  6. Protect against phishing and identity theft: A password manager will not autofill a phishing form if a user clicks on one by mistake. Not only will it recognize the false domain name, but it could also alert the security team of the event.
  7. Contain data breaches: By generating a unique password for each application, the password manager eliminates the data breach domino effect when a single account is compromised.
  8. Built-in two-factor authentication: Most business password managers enforce 2FA or MFA for users before they are allowed to access your company portal or applications.
  9. Better security than browser password management: Users often allow passwords to be saved in the browser memory to be auto-filled when logging in. This is not safe for your business. If the device is compromised, passwords can be stolen. With a password manager, the user must have a master password to unlock the vault.

Keep Your Secrets Safe From Criminals

The need for shared secrets will never go away – and 100 percent protection does not exist. Bottom line? Despite the security challenges, passwords are here to stay. What matters is how user secrets are being generated, managed and protected.

Yes, strides are being made toward password-free authentication. For example, Fast Identity Online 2 (FIDO2) promises to deliver a frictionless, secure online authentication mechanism. However, implementation will take time and we are not likely to see 100% adoption. What can you do in the meantime?

The good news: there are steps organizations can take to prevent and mitigate password breaches. Enterprises that invest in frequent penetration testing can quickly uncover and strengthen weak passwords.

In hacker circles, where I am better known by my online handle, EvilMog, I am a member of Team Hashcat, the password Cracking Team with over a decade of password-cracking competition wins. I am also the Chief Architect of X-Force Red, an elite IBM Security team that can be engaged to “break into” organizations and uncover risky vulnerabilities.

The truth is, people will continue to forget their passwords, use insecure credentials and repeat them across accounts. But you don’t have to let poor password hygiene increase your security risk.

A zero trust approach, backed by strong password policies, secure password management tools, employee education on best practices, and regular penetration testing can protect your enterprise networks from credentials-stealing cybercriminals.

Learn More

Read the Cost of a Data Breach 2022 Report.

More from Identity & Access

Making the Leap: The Risks and Benefits of Passwordless Authentication

The password isn't going anywhere. Passwordless authentication is gaining momentum, though. It appears to be winning the battle of how companies are choosing to log in. Like it or not, the security industry must contend with both in the future.  But for some businesses and agencies, going passwordless is the clear strategy. Microsoft, for instance, has recently stopped forcing users to use a password to access their account, which allows access to a wide range of Microsoft business and personal…

Old Habits Die Hard: New Report Finds Businesses Still Introducing Security Risk into Cloud Environments

While cloud computing and its many forms (private, public, hybrid cloud or multi-cloud environments) have become ubiquitous with innovation and growth over the past decade, cybercriminals have closely watched the migration and introduced innovations of their own to exploit the platforms. Most of these exploits are based on poor configurations and human error. New IBM Security X-Force data reveals that many cloud-adopting businesses are falling behind on basic security best practices, introducing more risk to their organizations. Shedding light on…

Why Your Success Depends on Your IAM Capability

It’s truly universal: if you require your workforce, customers, patients, citizens, constituents, students, teachers… anyone, to register before digitally accessing information or buying goods or services, you are enabling that interaction with identity and access management (IAM). Many IAM vendors talk about how IAM solutions can be an enabler for productivity, about the return on investment (ROI) that can be achieved after successfully rolling out an identity strategy. They all talk about reduction in friction, improving users' perception of the…

How to Compromise a Modern-Day Network

An insidious issue has been slowly growing under the noses of IT admins and security professionals for the past twenty years. As companies evolved to meet the technological demands of the early 2000s, they became increasingly dependent on vulnerable technology deployed within their internal network stack. While security evolved to patch known vulnerabilities, many companies have been unable to implement released patches due to a dependence on legacy technology. In just 2022 alone, X-Force Red found that 90% of all…