Cybersecurity is on the minds of users, IT managers, and business owners alike. Everyone wants to know the best way to protect their applications, files, and confidential information. The list goes on.
As The KR Group’s CISO, I am asked about best practices for credentials and login security almost daily. Recently, I was asked, “Which applications should I concentrate on for multi-factor authentication?”
I immediately thought of the dentist’s office (as one does), where years ago, I read, “only floss the teeth you want to keep.” In this sage bit of advice, brushing was implicit, but flossing was so equally important to the protection of each tooth that it made it onto a sign in the lobby.
Can you guess where this is headed?
Teeth are applications, brushing is strong passwords, and flossing is multi-factor authentication — and that is poetry. So, you need only floss the apps you wish to guard against the decay of attack. However, you can’t neglect brushing or password hygiene as part of your cybersecurity strategy.
Choosing a Strong Password
Even in the age of trustworthy password managers, there are still occasions when you need to select a password, remember it, and enter it frequently.
There are a lot of behind-the-scenes responsibilities incumbent on the technology teams who manage the storage of your passwords. Still, you, the humble user, are responsible for selecting strong passwords.
For simplicity’s sake, keep in mind that the two most important aspects when choosing a password are length (the longer, the better) and entropy (the more unpredictable, the better).
Length is straightforward to tackle once you realize that with few exceptions, you can usually opt for a passPHRASE over a passWORD. You may also find it helpful to use a movie quote or favorite saying — spaces, punctuation, and all.
With slight modifications and introducing additional character classes (upper/lower case or special), you can address the entropy component of your password.
Assuming the password-storage pros are doing it right, here’s an example of a password that could be cracked by a bad actor probably sometime after our sun burns out. As a bonus, it’s easy to type and sure to impress your IT guy if he sees you keying it in: #Courage is grace und3r pressure&
Except now, you can’t use it because everyone knows it.
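To make the length-versus-entropy point concrete, here is an added worked example (my illustration, not part of the original post or a KnowBe4 tool). It scores a candidate the way a brute-force attacker would, as length times the bits per character of the smallest alphabet the password draws from, and then applies the caveat above: a phrase that appears in a constructed list of well-known quotes is flagged, because an attacker who guesses whole quotes with a few character substitutions never has to brute-force it at all. The guess rate and the quote list are assumptions chosen for illustration.

```python
import math
import string

# Character classes an attacker must include in the search alphabet
# once they know (or assume) which kinds of characters are present.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(string.punctuation + " "),
}

# Constructed, deliberately tiny list of "everyone knows it" phrases.
KNOWN_PHRASES = {
    "courage is grace under pressure",
    "may the force be with you",
    "to be or not to be",
}

# Common substitutions undone before comparing against known phrases.
LEET = str.maketrans("013457@$", "oleastas")


def charset_size(password: str) -> int:
    """Size of the smallest alphabet covering every class the password uses."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def bruteforce_bits(password: str) -> float:
    """Upper-bound entropy in bits: log2(alphabet ** length).

    This is what length buys you against exhaustive search; it says nothing
    about dictionary or known-phrase attacks, which is why is_known_phrase()
    exists alongside it.
    """
    return len(password) * math.log2(charset_size(password))


def crack_seconds(bits: float, guesses_per_second: float = 1e12) -> float:
    """Expected time to search half the keyspace at an assumed guess rate
    (1e12 guesses/s is a constructed figure for a well-equipped attacker)."""
    return (2 ** bits) / 2 / guesses_per_second


def is_known_phrase(password: str) -> bool:
    """Normalise (lowercase, undo leet, drop punctuation) and check the list."""
    cleaned = password.lower().translate(LEET)
    words = "".join(c if c.isalpha() or c == " " else "" for c in cleaned).split()
    return " ".join(words) in KNOWN_PHRASES


def strength_report(password: str) -> dict:
    """Summarise a candidate: alphabet, bits, years to crack, known-phrase flag."""
    bits = bruteforce_bits(password)
    return {
        "length": len(password),
        "alphabet": charset_size(password),
        "bits": round(bits, 1),
        "years": crack_seconds(bits) / (365.25 * 24 * 3600),
        "known_phrase": is_known_phrase(password),
    }


if __name__ == "__main__":
    # Constructed candidates: short-and-complex vs. long-and-plain,
    # plus the post's own example, which fails the known-phrase check.
    for cand in ("P@ssw0rd", "my dog ate the homework",
                 "#Courage is grace und3r pressure&"):
        print(f"{cand!r}: {strength_report(cand)}")
```

The short, four-class password scores about 52 bits, while the all-lowercase sentence scores over 130 bits purely on length, which is the post's point about preferring a passphrase. The Hemingway line scores highest of all by this measure and is still a poor choice, because the brute-force estimate is only an upper bound and the known-phrase check shows why.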
To check your password’s strength, you can use this free tool from KnowBe4, a security awareness training organization and KR Group partner.
Multi-factor Authentication Protection
If you only take one thing away from this section, let it be that adding a second authentication factor is essential for every application capable of it.
As it is with everything, multi-factor authentication (MFA) isn’t perfect, and advanced attack techniques can still circumvent it. However, it is an incredibly effective layer that can save you from account compromise, so the more it can be leveraged as a part of your defense-in-depth strategy, the better.
Keep these pointers in mind on your MFA journey:
1. Consider a holistic MFA strategy for your environment.
This means looking at the provider and its reputation, support, and features.
For continuity, you’ll also want to rein in users’ ad-hoc use of MFA with multiple applications, as this causes user experience, IT management, and security to suffer.
2. Recognize that security awareness must be wrapped into the use of MFA in your company culture.
If you choose to allow push-button approval as the second factor, know that real-world testing of MFA generally indicates that upwards of 50% of users will click that “approve” button even when they haven’t attempted a login.
3. Security Assertion Markup Language (SAML) can be a powerful ally in your authentication experience.
It can simplify MFA for your users while improving security. Plus, it usually doesn’t require additional licensing.
Especially in the Software-as-a-Service world, it is often possible to tie a single “master” login (with a strong password and MFA) to a portal that will allow users to access their applications without having to sign in to each of them individually.
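Pointer 2 above, that roughly half of users will approve a push they did not initiate, is a detection problem as much as an awareness one. The following added example (my illustration, not code from the post or from any MFA vendor) runs three defender-side rules over a constructed MFA event log: a burst of pushes sent to one user in a short window, an approval that follows denied pushes from the same source, and an approval triggered from an address outside the user’s baseline. The log format, the five-minute window, the threshold of three pushes, and the per-user IP baseline are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed log format: "<ISO8601 UTC> user=<name> event=<push_sent|push_denied|push_approved> src_ip=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) src_ip=(?P<ip>\S+)$"
)

# Constructed sample: alice is pushed repeatedly from an unknown address and
# finally approves; bob logs in normally; carol approves from a new address.
SAMPLE_LOG = """
2024-05-01T09:00:00Z user=alice event=push_sent src_ip=203.0.113.7
2024-05-01T09:00:20Z user=alice event=push_denied src_ip=203.0.113.7
2024-05-01T09:00:40Z user=alice event=push_sent src_ip=203.0.113.7
2024-05-01T09:01:00Z user=alice event=push_denied src_ip=203.0.113.7
2024-05-01T09:01:30Z user=alice event=push_sent src_ip=203.0.113.7
2024-05-01T09:02:00Z user=alice event=push_approved src_ip=203.0.113.7
2024-05-01T09:10:00Z user=bob event=push_sent src_ip=198.51.100.4
2024-05-01T09:10:05Z user=bob event=push_approved src_ip=198.51.100.4
2024-05-01T09:20:00Z user=carol event=push_sent src_ip=192.0.2.55
2024-05-01T09:20:08Z user=carol event=push_approved src_ip=192.0.2.55
""".strip().splitlines()

# Constructed per-user baseline of addresses seen in prior successful logins.
BASELINE = {
    "alice": {"198.51.100.10"},
    "bob": {"198.51.100.4"},
    "carol": {"198.51.100.20"},
}


def parse_line(line: str):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "event": m["event"], "ip": m["ip"]}


def detect_push_abuse(lines, baseline, window=timedelta(minutes=5), bomb_threshold=3):
    """Return (user, rule, timestamp) alerts for push-fatigue patterns.

    Rules:
      push_bombing      - at least `bomb_threshold` pushes sent to a user within `window`
      fatigue_approval  - an approval preceded (within `window`) by a denial from the same source IP
      unfamiliar_source - an approval whose source IP is not in the user's baseline
    """
    alerts = []
    sent = defaultdict(deque)    # user -> deque of (ts, ip) for push_sent
    denied = defaultdict(deque)  # user -> deque of (ts, ip) for push_denied
    bombed = set()               # users already alerted for bombing (one alert per user)

    for ev in filter(None, map(parse_line, lines)):
        user, ts, ip = ev["user"], ev["ts"], ev["ip"]
        # Drop events that have fallen out of the sliding window.
        for q in (sent[user], denied[user]):
            while q and ts - q[0][0] > window:
                q.popleft()

        if ev["event"] == "push_sent":
            sent[user].append((ts, ip))
            if len(sent[user]) >= bomb_threshold and user not in bombed:
                bombed.add(user)
                alerts.append((user, "push_bombing", ts))
        elif ev["event"] == "push_denied":
            denied[user].append((ts, ip))
        elif ev["event"] == "push_approved":
            if any(d_ip == ip for _, d_ip in denied[user]):
                alerts.append((user, "fatigue_approval", ts))
            if ip not in baseline.get(user, set()):
                alerts.append((user, "unfamiliar_source", ts))
    return alerts


if __name__ == "__main__":
    for user, rule, ts in detect_push_abuse(SAMPLE_LOG, BASELINE):
        print(f"{ts.isoformat()} {user}: {rule}")
```

On the sample data alice trips all three rules, bob trips none, and carol only the unfamiliar-source rule, which is the kind of lower-severity signal worth a follow-up with the user rather than an automatic lockout. Detection like this complements the awareness training the pointer calls for; it does not replace it, since the approval still happened.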
Are Strong Passwords and MFA Enough?
If you’re looking for the first steps to improve your IT posture, strengthening your passwords and using MFA are great places to start. Just like if you’re looking to address halitosis, you should start with brushing and flossing.
However, despite your best dental hygiene habits, you should still schedule regular appointments with your dentist to check for issues you haven’t detected.
And the same is true for your IT environment. Even though you have implemented some security measures, you should have regular evaluations to check for new vulnerabilities.
In cybersecurity, we call these security assessments. During this process, your IT consultant goes through numerous controls and checks how well your company is protected against potential threats.
You can find out more about these assessments and how they can benefit your business in these articles: