Bad habits die hard, which is why passwords are a migraine for information security professionals and neglected by users. Employees still fall back on predictable, easy-to-guess passwords that attackers can crack in minutes, if not seconds.
SplashData’s 100 Worst Passwords of 2018 shows that people still rely on the same passwords that have been on the Worst Password lists for years, like “123456,” “11111,” and “password,” but have expanded to include movie names, sports, car brands and, new last year, “Donald.”
Even more complex eight-character passwords using letters and numbers now take just minutes to crack by attackers using powerful computers and brute-force attacks that can run thousands of possibilities per second. That may be why one user on Slashdot, a social news site that bills itself as “News for Nerds,” has already proclaimed, “the eight-character password is dead.”
Password risk mitigation strategies
With more than half of all data breaches resulting from weak or stolen passwords, organizations need to exert more control over passwords, to reduce the risk of an attack and resulting liabilities. We recommend businesses consider the following options:
- Applications that prevent a user from choosing a password that fails certain criteria, for example one the user has used before. One such check compares each new password against a blacklist of passwords known to have appeared in prior compromises.
- Password policies. No one likes them. But for now, everyone needs them to ensure that employees know how to create strong passwords, actually use them, and understand the potential sanctions if policies are violated. In the future, passwords may be replaced by security tokens, physical devices used to gain access to resources. But for now, passwords are a security standard.
- Password managers that require just one login credential, or master key, to open a digital vault that stores all other passwords. Password managers can also generate strong, unique passwords each time an employee signs up on a website. This function reduces the risk that employees will use the same login credentials for your network and for multiple other sites.
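The first option above, an application that rejects previously used and known-compromised passwords, is small enough to sketch in code. The following is an added example, not code from the article or from any product it mentions; it assumes a blacklist stored as SHA-1 digests, a per-user history of salted PBKDF2 hashes, and an assumed 12-character minimum.

```python
import hashlib
import hmac
import secrets
from typing import List, Tuple

# Constructed sample blacklist: SHA-1 digests of a few passwords named in the
# article. A real deployment would load a much larger breach-derived list;
# storing digests keeps the plaintext passwords out of the application.
COMPROMISED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("123456", "11111", "password", "Donald")
}

PBKDF2_ITERATIONS = 600_000  # assumed cost parameter for the history store


def hash_for_history(password: str, salt: bytes = b"") -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 digest for storing a user's old passwords."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def matches_history(password: str, history: List[Tuple[bytes, bytes]]) -> bool:
    """True if the password equals any previously used one (constant-time compare)."""
    for salt, digest in history:
        _, candidate = hash_for_history(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def is_compromised(password: str) -> bool:
    """True if the password's SHA-1 appears in the breach blacklist."""
    return hashlib.sha1(password.encode()).hexdigest() in COMPROMISED_SHA1


def validate_new_password(password: str, history: List[Tuple[bytes, bytes]],
                          min_length: int = 12) -> List[str]:
    """Return the policy violations for a proposed password (empty list = accepted)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if is_compromised(password):
        problems.append("appears in a list of compromised passwords")
    if matches_history(password, history):
        problems.append("was used previously by this account")
    return problems


if __name__ == "__main__":
    old = [hash_for_history("Winter2017!Secure")]  # constructed prior password
    for candidate in ("password", "Winter2017!Secure", "correct horse battery staple"):
        print(candidate, "->", validate_new_password(candidate, old) or "accepted")
```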
Many employees’ jobs require managing company login credentials to access vendors, customer portals, banks and industry resources. What happens when one of these employees leaves? If they are not using a company password manager, do you know all their passwords? How do you know they can’t use those credentials after they leave?
How to choose between password managers
CNET’s 2019 directory of password managers provides a number of options that cost between $12 and $40 and are good choices for individuals. For businesses, however, password risk mitigation is a bit more complex.
Business-grade password managers offer administrative controls, authentication options and encryption that make it very difficult to crack the master password or stored data. Some have identity management features that protect corporate apps from mobile devices used by employees, customers and vendors. Others allow you to manage different accounts at different locations. A good IT security consultant can provide a full picture of how a company-wide password manager should be designed and implemented.
What do passwords have to do with car repairs?
The much-maligned password is like that knocking sound in your car. You don’t have time to deal with it, the sound won’t go away and eventually the car stops running. A password strategy is as risky to ignore as your business strategy. After all, you won’t need a business strategy if an attacker cracks a password and takes control of your IT systems. Then you will need a disaster recovery plan.