by Justin Massey, Sarina Bloodgood
March 27, 2023
“Your password must have at least one lowercase letter, an uppercase letter, a number, a symbol…” “Password has been used in the last 60 days. Please choose another password.”
If you’ve ever created an online account, you’ve probably felt annoyed with this error message. When I see these words, especially after the first few tries, I feel enraged. Why can’t it just create a password for me?! Nothing is more frustrating than coming up with unique passwords and managing them. It feels like a full-time job, especially if you’re managing passwords between your work and personal devices.
According to Google/Harris Poll’s 2019 survey The United States of Passwords, 75% of respondents reported frustration when trying to keep track of passwords. It’s not hard to empathize with that feeling. The intricacies of creating and securing passwords are not only hard on users; they’re hard on business. For example, Chick-fil-A recently experienced a credential stuffing attack which gave hackers access to Chick-fil-A One accounts, which were then sold on the black market. There is no question that passwords cause headaches for both individuals and corporations.
The good news is password guidelines are rapidly changing in favor of newer, more sophisticated technology that eliminates common hacking tactics like credential stuffing, phishing, and spoofing. The National Institute of Standards and Technology (NIST) recently updated their Digital Identity Guidelines to inform verifiers that they should no longer require passwords that have a lowercase and uppercase letter, a number, and a symbol. They also suggest that verifiers should not require users to periodically change their passwords.
These new standards drop outdated password rules that hackers have long found ways around, and shift toward reinforcing passwords with several additional measures: a strong password of 12 characters or more that avoids the types of passwords listed below, a secure form of multi-factor authentication (MFA), and an MFA-protected password management tool.
Unraveling the essence of a good password, where to store it, and how to secure it with MFA by following NIST’s Digital Identity Guidelines is not a cut-and-dried solution for many businesses or individuals. For one, these documents are long and could take months to sift through and follow, especially if you don’t have a team, or are not solely dedicated to security and compliance. To help alleviate this burden and put you on the right course toward password management success, we’ve compiled commonly asked questions and our recommendations for implementing password best practices, either at the business or personal level.
The simplest answer is 12 or more randomized characters, reinforced with MFA. However, there are certain guidelines to follow that reinforce those characters. Here are a couple of tips we recommend when you or your organization are creating or updating passwords.
Why? In the Chick-fil-A credential stuffing attack mentioned earlier, when a user reused a password, hackers were able to log in to Chick-fil-A with the same credentials they had stolen from a website unrelated to Chick-fil-A. Reusing passwords makes you more vulnerable to this attack, and causes more headaches when a breach does occur.
Relay Hawk recommendation: As an organization, switch to using a password manager, like 1Password, which has a built-in domain breach report. As an end user, use tools like the iOS or Chrome password manager to verify which of your passwords have been compromised. Update breached passwords, and never use them again.
Passwords built from words you can find in the dictionary (e.g. “RelayHawkBlog”), repetitive or sequential characters (e.g. “AAABBBCCC123”), and context-specific words (e.g. your username) are more prone to being guessed by an attacker.
Why? Basic passwords like “password” or “abcd1234” are the first entries in the long list of passwords hackers use in certain brute force attacks. For example, during a password spraying attack, a hacker tries the same password across a list of multiple usernames. Hackers can run scripts for this type of attack at an astonishing rate; we’re talking about running through thousands of usernames and passwords in seconds! The more basic the password, the more likely your account will be compromised.
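Password spraying, as described above, leaves a distinctive trace on the defender's side: one source failing logins against many different usernames in a short window, rather than one user failing repeatedly. The following is an added example (not code from Relay Hawk or this post) that flags such sources in a constructed, simplified authentication log; the log format and IP addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log, not from any real system: timestamp, result, user, source IP.
SAMPLE_LOG = """\
2023-03-27T09:00:01 FAIL user=alice src=203.0.113.5
2023-03-27T09:00:02 FAIL user=bob src=203.0.113.5
2023-03-27T09:00:03 FAIL user=carol src=203.0.113.5
2023-03-27T09:00:04 FAIL user=dave src=203.0.113.5
2023-03-27T09:00:05 FAIL user=erin src=203.0.113.5
2023-03-27T09:00:06 OK user=frank src=203.0.113.5
2023-03-27T09:05:00 FAIL user=alice src=198.51.100.7
2023-03-27T09:05:30 FAIL user=alice src=198.51.100.7
2023-03-27T09:06:00 OK user=alice src=198.51.100.7
"""


def parse_line(line):
    """Split one log line into (timestamp, result, username, source IP)."""
    ts, result, user, src = line.split()
    return datetime.fromisoformat(ts), result, user.split("=", 1)[1], src.split("=", 1)[1]


def find_spraying_sources(log_text, min_users=5, window=timedelta(minutes=10)):
    """Return {source IP: sorted usernames} for sources whose failed logins hit at
    least `min_users` distinct usernames within `window`. One user failing repeatedly
    from a single source (a forgotten password) does not match."""
    failures = defaultdict(list)  # source IP -> [(timestamp, username), ...]
    for line in log_text.splitlines():
        ts, result, user, src = parse_line(line)
        if result == "FAIL":
            failures[src].append((ts, user))
    flagged = {}
    for src, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged[src] = sorted(users)
                break
    return flagged


if __name__ == "__main__":
    print(find_spraying_sources(SAMPLE_LOG))
```

The successful login for frank from the flagged source, right after the run of failures, is the follow-on event worth reviewing: it is what a spray that found a weak password looks like.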
Relay Hawk recommendation: Use operating system or browser password managers, like the two mentioned above, to generate and maintain passwords. Password management apps, like 1Password, also offer to generate a secure password. They also offer a secure password generator on their website. Use the “random password” option to generate the most secure password.
Note: If you have both your browser or OS and your password manager asking to store passwords, you may end up storing passwords in multiple places. To avoid confusion, disable any password managers you do not intend to use. This will ensure your passwords are stored in only one place.
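The rules in the two tips above (12 or more characters, no reuse of breached passwords, no dictionary words, no repetitive or sequential characters, no username) can be enforced in code. The following is an added example, not code from Relay Hawk or this post: a checker that reports every rule a candidate password breaks, plus a random generator that retries until its output passes. The breached and dictionary lists are small constructed samples; a real deployment would use a breach report and a full word list.

```python
import secrets
import string

MIN_LENGTH = 12
# Constructed sample lists, not real breach data: in practice the breached set comes
# from a password manager's breach report and the dictionary from a real word list.
BREACHED = {"password", "abcd1234"}
DICTIONARY = {"relay", "hawk", "blog", "password", "welcome"}


def has_repeated_run(pw, run=3):
    """True if one character repeats `run` times in a row, e.g. 'AAA'."""
    return any(len(set(pw[i:i + run])) == 1 for i in range(len(pw) - run + 1))


def has_sequential_run(pw, run=4):
    """True if `run` consecutive characters ascend by one, e.g. 'abcd' or '1234'."""
    codes = [ord(c) for c in pw.lower()]
    return any(all(codes[i + j + 1] - codes[i + j] == 1 for j in range(run - 1))
               for i in range(len(codes) - run + 1))


def check_password(pw, username=""):
    """Return the reasons a password is rejected; an empty list means it is accepted."""
    reasons = []
    lowered = pw.lower()
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if pw in BREACHED:
        reasons.append("appears in a known breach")
    if any(word in lowered for word in DICTIONARY):
        reasons.append("contains a dictionary word")
    if has_repeated_run(pw) or has_sequential_run(pw):
        reasons.append("contains repetitive or sequential characters")
    if username and username.lower() in lowered:
        reasons.append("contains the username")
    return reasons


def generate_password(length=20):
    """Random password from the OS CSPRNG, regenerated until it passes check_password."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(pw):
            return pw


if __name__ == "__main__":
    for candidate in ("abcd1234", "AAABBBCCC123", "RelayHawkBlog", generate_password()):
        print(candidate, check_password(candidate) or "accepted")
```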
Once you’ve created a secure password, Relay Hawk recommends setting up multi-factor authentication to secure the account that password protects.
Multi-factor authentication requires two or more methods of verification to gain access to an account. There are multiple methods of MFA available, such as SMS codes, Google Authenticator, or a YubiKey. Which method is best?
The most secure form of MFA is a physical hardware authentication device, such as a FIDO Universal 2nd Factor (U2F) security key like a YubiKey. Most major websites, such as Google, Amazon, and Apple, support a hardware authentication device for MFA. Relay Hawk recommends this method as it is the least likely to be compromised and then used successfully by an attacker.
The good news is that, statistically, any MFA method is better than none. However, keep in mind that other forms of MFA, such as One-Time Passwords (OTP) (e.g. Google Authenticator) and SMS, are less secure due to potential spoofing and phishing attacks. As of 2019, Google has witnessed a rise in phishing attacks targeting 2FA. Relay Hawk recommends only using these methods if the account you’re trying to secure does not meet the requirements for, or does not permit the use of, a FIDO U2F device.
Relay Hawk’s ranking of MFA security from most secure to least secure:
Password managers are a secure way to create, manage, and store passwords. Most password managers provide some form of multi-factor authentication to secure your account. However, there are some things to be mindful of.
A recent attack on LastPass, a well-known password manager that was hacked mid-2022, has caused a lot of concern around the efficacy and security of password managers. This raises the question: should you still consider using a password manager like LastPass? Let’s clarify some of the concerns with LastPass as it’s important to understand what happened and why password managers are still industry standard.
LastPass was the victim of a sophisticated attack. The hackers targeted a LastPass employee’s home network before pivoting into the LastPass infrastructure. This sort of attack could happen to anyone, but we do expect better from security businesses. There were a few changes that LastPass could have made to better secure the password databases. However, since the attack, they have been transparent about it, have made changes to their LastPass configurations, and continue to improve their operational security.
If you are considering switching your business away from LastPass to another tool such as 1Password, you may want to weigh the downsides, such as the time to implement a new tool and the learning curve for your employees.
Despite this breach, Relay Hawk recommends using a third-party password manager. Although breaches can and do happen, password manager breaches are far less common than individual company breaches.
1Password is Relay Hawk’s number one recommended password manager, thanks to its continuous dedication to security, and ease of use amongst multiple users. Even though LastPass was hacked recently, it is still a good second option. Bitwarden is also a solid choice if you are looking for an open-source solution.
If you’re an end user managing your personal passwords, an operating system or browser password manager is highly recommended as it’s more than likely already built into your existing digital ecosystem and free of charge.
It is important to note that third-party password managers can conflict with OS and browser password managers, each offering to store the same credentials. You can manage this by disabling OS and browser password managers with a Mobile Device Management (MDM) solution to reduce user confusion and IT headaches.
In this post, we reviewed Relay Hawk's recommendations for creating and managing passwords. Additional security controls such as MFA can reduce the likelihood that your user accounts will fall victim to a data breach. Now it is time for you to put our recommendations to use.
Now you’re on a roll. Continue to use this password manager to log in to websites and enable MFA on all websites. Utilizing this blog post’s recommendations for creating passwords, managing your credentials, and enabling MFA will significantly reduce the likelihood of an attacker compromising one of your accounts.
If you want to decrease the likelihood of a successful cybersecurity attack on your business, you can request more information.