![\"EB-GD-to-MFA\"](\"/b319bf6ed09ba90828b27b6cc2c2eb75/EB-GD-to-MFA.webp\")
In today's digital age, where almost everything is connected to the internet, cybersecurity has become a growing concern for individuals and organizations alike.
\nWhile most businesses struggle with securing sensitive business information, many deal with security concerns about customer privacy.
\nOne of the most significant security concerns is using a weak or the same password across multiple accounts, making it easy for hackers to gain unauthorized access to sensitive information.
\nTo address this issue, password vaults have become a popular solution for securely storing passwords. Password vaults are robust security software that helps store and manage passwords most securely by leveraging encryption techniques.
\nLet’s discuss password vaults, how they work, their pros and cons, and how to implement them.
\nA password vault, a password manager, or enterprise password vault, is a software application that stores and manages passwords in an encrypted database.
\nThe user creates a master password, which is used to unlock the vault and access all the stored passwords. The password vault holds passwords in an encrypted format, ensuring only authorized users can access them.
\nUsing a password vault is an excellent idea because it helps users create and manage unique, strong passwords for each account.
\nMoreover, password vaults can also generate complex passwords that are difficult to crack. Since the user only has to remember one master password, it eliminates the need to remember multiple passwords.
\nThis helps them to use complex passwords for different accounts without the need to remember every password individually.
\nPassword vaults come in various types, each catering to different needs and preferences. Here are some common types:
\nPassword vaults are generally secure because they use robust encryption algorithms to protect stored passwords. However, no system is entirely immune to hacking.
\nA determined hacker could access a password vault by exploiting a system vulnerability or obtaining the master password.
\nHence, to minimize the risk of a breach, users should choose a reputable password vault provider and follow best practices for creating a strong master password.
\nDespite their advantages, several misconceptions surround password vaults. Let's debunk some of these misconceptions:
\nA password vault encrypts and stores the user's passwords in a database. The encryption process makes it easier for anyone to access the passwords with the correct decryption key.
\nThe user's master password decrypts the database and accesses the stored passwords. Some password vaults also offer features such as two-factor authentication, which adds an additional layer of security.
\nA password vault encrypts and stores the user's passwords in a database. The encryption process makes it easier for anyone to access the passwords with the correct decryption key.
\nThe user's master password decrypts the database and accesses the stored passwords. Some password vaults also offer features such as two-factor authentication, which adds an additional layer of security.
\nThere are several pros and cons to using a password vault:
\nPros:
\nCons:
\n
Implementing a password vault involves the following steps:
\nThere are several password vault providers to choose from, both free and paid. Research and choose one that best suits your needs.
\nOnce you've chosen a provider, install the password vault application on your device. Most of them can be installed on your web browser, and you can quickly access your accounts with the auto-fill credentials option.
\nThe master password is used to access the stored passwords, so it's essential to create a solid and unique password that's difficult to guess.
\nAdd all the passwords you want to store in the password vault. Using the password generator feature is recommended to create strong, unique passwords.
\nOnce all the passwords are added, you can use the password vault to access them.
\nPassword vaults have become a popular solution for securely storing passwords in today's digital age. They provide a high level of security for passwords, encourage good password habits, and save time for users.
\nWhile they are not immune to hacking, users can minimize the risk of a breach by choosing a reputable password vault provider, creating a strong master password, and following best practices.
\nImplementing a password vault involves choosing a provider, installing the application, creating a master password, adding passwords, and using the password vault to access them. Overall, using a password vault is wise for anyone looking to protect their sensitive information and enhance their online security.
\n1. Is it safe to use a password vault?
\nYes. Password vaults use robust encryption to store passwords, securely enhancing digital identity management.
\n2. What is the difference between a password manager and a vault?
\nA password manager stores and manages passwords, while a vault goes further by securely encrypting and protecting those passwords.
\n3. How do you use a password vault?
\nSimply create a master password, add your passwords to the vault, and use the master password to access them securely.
\n4. What is a vault used for?
\nA vault stores and manages passwords, providing convenience and enhanced security for digital identity management.
\n![\"book-a-free-demo-loginradius\"](\"/8fce571f703a5970dbb1359a2fe0e51a/book-a-demo-loginradius.webp\")
In the coming years, cybercrime will continue to grow. Between 2023 and 2028, the global 'Estimated Cost of Cybercrime' indicator in the cybersecurity market was anticipated to rise consistently, reaching a total of 5.7 trillion U.S. dollars, marking a significant increase of 69.94 percent.
\nBusinesses of all sizes will continue facing new threats on a daily basis—phishing scams and malware being the most common ones. Both can be devastating to unprotected companies. To help you avoid becoming another cybercrime statistic, we’ve created this infographic with our top cybersecurity best practices.
\nIn 2020, when a large chunk of the world population shifted to work from home models, cybercriminals also transitioned to remote operations. In fact, a report also suggested that remote working accounted for 20% of cybersecurity incidents that occurred during the pandemic.
\n2021 and 2022 were no different. Remember when Taiwanese computer giant Acer was hit by a REvil ransomware attack in March this year? The hackers demanded a whopping $50 million. They shared images of stolen files as proof of breaching Acer’s security and the consequent data leak.
\nNot only was the same gang responsible for the 2020 ransomware strike on Travelex, they reportedly extorted more than $100 million in one year from large businesses.
\nThese are wake-up calls, and it is high time organizations must understand cyber threats and do everything possible to prevent data breaches.
\nHere are some cybersecurity best practices this infographic will cover.
\nSecurity questions prevent imposters from infiltrating the verification process. So what does a good security question look like?
\nThe best ones will make it easy for legitimate users to authenticate themselves. They should be:
\nMulti-factor authentication is a powerful feature to prevent unauthorized users from accessing sensitive data.
\nFor the most secure user sign-ins, you should use a combination of elements like biometrics, SMS/text messages, emails, and security questions. Use extra layers of protection, like text verification, email verification, or time-based security codes.
\nFor example, you can allow an employee to log in on a managed device from your corporate network. But if a user is logging in from an unknown network on an unmanaged device, ask them to crack an additional layer of security.
\nTo protect your organization's network, enforce a strong password security policy with the following practices:
\nConduct cybersecurity awareness workshops to train your employees at regular intervals. It will help reduce cyberattacks caused by human error and employee negligence to a great extent.
\nA data backup solution is one of the best measures to keep personal and business data secure from a ransomware attack. Ransomware is malicious software that is accidentally deployed by an employee by clicking on a malicious link. And deployed, all data in the site is taken hostage.
\nYou can ensure the protection of your data by implementing continuous backups. You can use the cloud to create a copy of your data on a server and hosts it in a remote location. In case, your system is hacked, you can restore back your data.
\nAside from login security tips, this infographic will also highlight:
\nTo learn more about the cybersecurity best practices for your business in 2023 and beyond, check out the infographic created by LoginRadius.
\n![\"cybersecurity-infographic-2023\"](\"/a830327430cb6c3103cd183d50cbfde4/cybersecurity-infographic2023.webp\")
Get the best cybersecurity solutions for your enterprise with LoginRadius.
\n
Re-authentication is the process of ensuring the constant presence that has to be authenticated when there is a long period of usage. The purpose of re-authentication is to ensure that the person who is currently using the resources is the same person who had initially signed in to use it. This will ensure that there is no breach of identification or exploitation of data.
\nSo, what are the benefits of imposing a re-authentication time limit? Let’s find out.
\nThe re-authentication process offers enterprises or service providers complete control over who has access to a particular system or services. Some systems use control panels to ensure that all the data regarding the user is recorded and has easy access. This also plays an important role in solving any future issue regarding identity breaches.
\nWhen a user requires to generate and remember more than one password, password fatigue may arise. While there are solutions like password managers that help solve the issue of remembering multiple passwords, they might not always be a safe choice. Many people still find it difficult to use and maintain a separate list of passwords on the side. There might be chances in which an intruder can gain access to such sensitive data and misuse it.
\nThus, a re-authentication is considered ideal for the elimination of password fatigue. The system will undertake the identity test without the need to type the password and ensure a safe environment for the users.
\n![\"GD-salt-hashing\"](\"/0ae1ae918cb69edc2a85ecc7574527e2/GD-salt-hashing.webp\")
There are many instances where users forget their passwords and are locked out of their system due to multiple wrong attempts. This issue is often resolved with the aid of the IT call center. However, the process of resetting the password in high-security systems is very time-consuming and costly.
\nThe average cost for the IT department to reset a password is $70, and around 50% of the IT department focuses on resetting the password.
\nRe-authentication ensures that there is minimal effort to be put on behalf of the IT department. It is both a cost-effective and time-saving mode of usage.
\nRe-authentication helps implement better password policies in an enterprise. This can be regarding how an employee uses the password and manages it. For instance, who can change the password, what can be the length of the password, and other similar password settings? Some of the password policies are:
\nHaving such a tight password policy will ensure that the team has only secure and quality passwords being used in their systems.
\nApart from forgetting passwords or misplacing them, the other major issue of saving passwords on-premises is cyber theft. There is an increasing rate of hacking in many highly secure office systems, mainly due to the easy storage of passwords.
\nOn average, there are about 1,473 reports of data breaches being reported every year. It has been predicted that, with the growth of technology, the risk of hacking will only increase further in the following years.
\nRe-authentication ensures that hackers don’t get easy access to a system’s content and leverage no other loopholes to exploit sensitive consumer credentials. Apart from internal combustion, re-authentication can also save you from external intrusion.
\nAll-in-all, you can save a lot of time and password exploitation with re-authentication. Speaking of which, the LoginRadius Re-authentication feature can help businesses securely re-authenticate consumers without taking a toll on user experience. Contact us today to find out more.
\n
The world is facing an uphill battle amid the global pandemic that has forced small and medium businesses to adopt diverse digital sales channels.
\nSince these businesses collect consumer data, which is swiftly accumulating, there’s a significant concern regarding the overall security.
\nTalking about the stats, WHO reported 450 active official email addresses and passwords were leaked online along with thousands of other credentials – all linked with people working to lessen the COVID-19 impact.
\nThe more alarming thing is the fact that cybercriminals are continuously exploiting consumer data and have accelerated outbreaks by taking advantage of the chaotic time and the weaker first line of defense as businesses move to remote working ecosystems.
\nSo does it mean that businesses collecting consumer identities are now at more significant risk, especially those who have recently stepped into the digital commerce space?
\nYes, undoubtedly! Enterprises that are collecting, managing, and storing consumer identities in any form need to put their best foot forward in protecting sensitive consumer information, which, if not done at the earliest, may lead to undesirable consequences.
\nWhether it’s the media industry or the education industry, every industry is at a considerable risk of a security breach.
\nIn this post, we’ve outlined the aspects that can mitigate the risk during the uncertain times of COVID-19 and can help secure your business in a post-pandemic world.
\nSince remote working accounted for 20% of cybersecurity incidents during the pandemic, securing the newly-adopted remote working ecosystem should be the #1 priority of businesses.
\nTo protect your organization's network, enforce a firm password security policy with the following practices:
\nCybercriminals are already bypassing weak lines of defense, which means a stringent action plan must be in place to
\nWhen it comes to preventing unauthorized access to resources and sensitive information within a network, MFA can be the game-changer.
\nFor the most secure user sign-ins, you should combine elements like biometrics, SMS/text messages, emails, and security questions. Use extra layers of protection, like text verification, email verification, or time-based security codes.
\nLoginRadius’ CIAM (consumer identity and access management) solution provides multiple layers of security to ensure consumer data and enterprise information remain highly secure.
\n
Most cyber criminals try to sneak into a network by targeting employees through several attacks, including phishing, social engineering, and malware attacks.
\nSuppose the employees of an organization aren’t aware of the latest attacks and how they can enhance their security while working. In that case, it may lead to a security breach causing millions of dollars of losses to the organization.
\nBusinesses must minimize human error as most of the attacks are successful just because of human error.
\nFrequent cyber awareness training sessions must be organized within the enterprise to ensure that employees are aware of phishing emails and social engineering attacks and can handle these issues at their end.
\nRisk-based authentication is perhaps the best weapon against unauthorized access and to enhance network security.
\nRBA is a mechanism that automatically adds another stringent layer of authentication whenever the system detects any unusual login attempt or an attempt that seems fishy.
\nFor instance, if a user tries to log in from his/her town and in a few minutes, a similar login request is made from another country (even if the login credentials are the same), the user would need to prove identity through another authentication process. An alert regarding the same would also be sent to the admin.
\nTo ensure data security on mobile devices and build trustworthiness, encryption must be in place. In this process, data is encoded to be inaccessible to unauthorized users and helps to protect sensitive data and private information.
\nEncryption can also improve the security of communication between servers and client apps.
\nAlthough encryption is basic, it's an essential aspect of data security. Organizations must do all that they can to protect their customer's information online as well as their own. Hence, it's becoming more and more common for technology encryption to be activated on apps and websites.
\nWith the rising number of identity thefts and security breaches amid the global pandemic, enterprises that haven’t yet deployed a consumer identity and access management solution should immediately put their best foot forward to reinforce their security mechanism.
\nLoginRadius can be the most acceptable alternative for both the enterprises and startups that are collecting customer data and need to ensure a secure ecosystem without hampering the overall user experience.
\n
While cyber breaches generally make for breaking news in the digital world, sometimes the attack tactics themselves claim much media attention for their uniqueness. From ransomware to phishing attacks, we have heard them all.
\nBut the one hacking tactic that is generating a lot of attention is password spraying, an attack in which hackers literally \"spray\" a number of passwords at many usernames to gain access to accounts.
\nA 2020 Data Breach Investigations Report revealed that over 80 percent of hacking-related data breaches involve stolen or lost credentials and employ brute force attacks, which makes password spraying a legitimate security concern.
\nWhile such attacks cannot be prevented, they can be detected and even stopped mid-attack. In this article, we detail what is password spraying, how to not be vulnerable to password spraying, and what to do if you suspect that your organization has been affected by a password spraying attack.
\nWe've also listed how LoginRadius can help mitigate losses from password spraying using our robust CIAM platform.
\nPassword spraying is identified as a high-volume attack tactic in which hackers test multiple user accounts using many common passwords to gain access. Trying a single password against several user accounts before attempting a different password on the same account allows hackers to circumvent the usual account lockout protocols, enabling them to keep trying more and more passwords.
\nHackers can go after specific users and cycles using as many passwords as possible from either a dictionary or an edited list of common passwords. Password spraying is not a targeted attack, it is just one malicious actor acquiring a list of email accounts or gaining access to an active directory and attempting to sign in to all the accounts using a list of the most likely, popular, or common passwords until they get a hit.
\nThe key takeaway from password spraying is that user accounts with old or common passwords form the weak link hackers can exploit to gain access to the network. Unfortunately, password spraying attacks are frequently successful because so many account users fail to follow the best password protection practices or choose convenience over security.
\nHere’s a password spraying example: Let's say an attacker wants to gain access to a company's email system. They have a list of email addresses for employees at the company but don't know their passwords. Instead of attempting to guess each employee's individual password, the attacker uses a common password (such as \"password123\") and tries it on each email account in the list. Then the attacker uses an automated tool to repeatedly enter the common password for each email address until they find one that works. This way, they can gain access to multiple email accounts with minimal effort. This is a password spraying example, which is often used in targeted attacks against organizations.
\nThe most common passwords of compromised accounts in 2019 included obvious and simple number combinations, first names, and ironically, the word \"password\" itself. Any hacker armed with a large bank of common passwords can ably hack into accounts and cause devastating data breaches.
\nIf that isn't scary enough by itself, today's tech-savvy hackers have adopted more precise approaches, focusing on single sign-on (SSO) authentication and guessing credentials to gain access to multiple applications and systems.
\nCloud-based applications are also very susceptible to password spraying, as are any applications using federated authentication. This particular approach can enable bad actors to move laterally, taking advantage of internal network vulnerabilities to access sensitive data and critical applications.
\nSome of the common TTP (tactics, techniques, and procedures) employed in password spraying include the following:
\nNow that we know what password spraying is, we move on to the most crucial topic: how to avoid becoming a victim.
\nHere we list out a few tips that can help safeguard your company against password spray password list attacks:
\nOne of the best ways to prevent any kind of hacking attempt is to enable multi-factor authentication across an organization. That way, users will have to provide two or more verification factors to sign in or gain access to applications and accounts, thereby reducing the risk of password spraying.
\nA strong password is the best protection against any attack. Conduct awareness programs for employees on the risks of hacking and data loss and enforce strong passwords beyond first names, obvious passwords, and easy number sequences.
\nConduct regular reviews of passport management programs and software in organizations. Invest in password management software to effectively manage user accounts and add an extra layer of security.
\nProvide security awareness training for your employees to bring them up to speed on the latest threats and the importance of protecting themselves from malicious attacks. Employ and promote best practices, so the workforce knows how to protect their personal information and company data from hackers.
\nPassword reset requests and user lockouts are common and frequent occurrences among organizations. Ensure that your service desk has detailed procedures in place to handle password resets and lockouts effectively.
\nWhile password spraying involves testing multiple passwords against a user account, credential stuffing is a type of brute force attack that depends on automated tools to test massive volumes of stolen passwords and usernames across multiple sites till an account gives in. Both methods of cyberattacks are used to steal user credentials and facilitate account takeovers.
\nAs we mentioned earlier, password spraying attacks cannot be prevented but definitely detected and stopped before further damage can be done. If you suspect that your organization has been affected by a password spraying attack, here's what you can do for password spraying detection and prevention:
\nLoginRadius introduces seamless registration and authentication for your valued users with passwordless login. LoginRadius Identity Platform is a unique CIAM platform that is fully customizable to fit your company's needs.
\n![\"passwordless-login\"](\"/3b805aa6360a4f8988029e88494d1c9d/passwordless-login.webp\")
The Consumer Identity and Access Management (CIAM) platform has also proved valuable to the retail and e-commerce industry, offering seamless and scalable identity management solutions that identify and protect consumer data.
\nLoginRadius offers the following security benefits for enterprises.
\n1. Password security: The platform is equipped with features like setting password validation (minimum/maximum length, at least one special character, alphanumeric, etc.), enforcing password lifetime, password history, and password visibility.
\n2. Security against brute force attack: A Brute Force Attack is a common practice of hackers trying various passwords until they find the right password. When it happens, you have the option to suspend your consumer's account for a set period of time, prompt the captcha option, ask security questions, or block the account entirely.
\n3. Risk-based authentication (RBA): RBA is an authentication system in which a new layer of protection is activated if there is a minor change in consumer conduct, such as a changed IP address, suspected search history, or some other act that seems suspicious and dangerous. LoginRadius is the ideal RBA solution for enterprises of all sizes offering authentication protocols like biometrics, push notifications, OTP, and tokens.
\n4. Multi-factor Authentication (MFA): MFA requires consumers to pass through multiple layers of authentication during login. So, even if an attacker successfully guesses a user's password, they would still need access to the second factor of authentication, such as a security token or biometric verification, to gain access to the user's account. This makes it much more difficult for an attacker to gain unauthorized access, even if they have obtained a valid password through password spraying.
\nAs technology advances, so must we. There's no longer any benefit to sticking to traditional methods, and as far as identity management is concerned. Going passwordless just might be what your company needs to protect itself from not just password spraying, but from a host of other equally malicious cyber-attacks.
\n1: How is a password spraying attack conducted?
\nPassword spraying attacks involve using a common password to attempt access to multiple accounts.
\n2: Why is password spraying considered a brute force attack?
\nPassword spraying is considered a brute force attack because it uses a trial-and-error method to guess passwords.
\n3: What systems do password spraying target?
\nPassword spraying attacks typically target systems that allow remote access, such as email services and VPNs.
\n4: What is an IMAP-based password spraying attack?
\nAn IMAP-based password spraying attack involves targeting email accounts using the IMAP protocol.
\n5: How can I detect password spraying attacks?
\nPassword spraying attacks can be detected by monitoring login attempts and looking for patterns of failed login attempts from a single IP address.
\n6: Is it possible to prevent a password spraying attack?
\nPreventing password spraying attacks can be done by implementing multi-factor authentication, strong password policies, and monitoring for suspicious activity on the network.
\n
A password policy is a set of rules that businesses design to enhance their applications and data security. It typically includes encouraging or requiring users to create strong, and safer passwords to maintain a baseline shield against hackers.
\nA strong password policy outlines how passwords should be created, stored and how often they should be updated. Many default password policies, for instance, require a minimum of eight characters in length and some combination of special characters.
\nLoginRadius Password Policy offers the first line of defense in protecting business and consumer data. From setting complexity requirements to preventing users from choosing previously used passwords, the recently launched feature provides a plethora of robust password management opportunities.
\nUsing the Password Policy feature by LoginRadius, businesses can collectively make their application and consumer accounts more secure by combating password-related attacks and frauds. Some of the major benefits include:
\n![\"password-policy-datasheet\"](\"/df9bd40a5086f3551409c903566f3c1d/password-policy-datasheet.webp\")
Password Hashing: One-way hashing ensures maximum security and compliance by restricting anyone who has access to data from viewing the password. Moreover, the stored information can only be matched and cannot be decrypted.
\nLoginRadius supports the following one-way hashing algorithms:
\nSHA1PasswordPBKDF2
\nBusinesses can update the applied password hashing algorithm anytime without requiring a password reset. Similarly, LoginRadius also supports migration from weak to the above mentioned strong hashing algorithms.
\nThe Password Policy feature also offers the following consumer-centric features:
\nWe can’t emphasize enough the importance of using a strong password. Implementing our comprehensive Password Policy can secure both your organization's and consumers' assets. With LoginRadius, you will always be a step ahead and mitigate the risks associated with passwords.
\n
No conversation on digital security is complete without a well-rounded discussion on how to choose a strong password.
\nPasswords are the digital keys to our daily lives. They are the gateway to our professional services, our network of friends, and all our financial applications.
\nNo wonder we want to keep our passwords private and secure!
\nIf someone gains access to your email ID, they can easily opt for the \"forgot your password?\" link on (for example, an online shopping or banking site) you use.
\nAlso, if a cybercriminal successfully hacks into your social media account, they can post fraudulent messages asking for money or sending out links to scammer websites.
\nSo, what's the solution? A good password.
\nBut before finding how to choose a strong password in 2021, let's first look at the most common methods of how passwords are being hacked today.
\nHackers utilize numerous techniques to crack your passwords. One technique is to gain access by guessing the password directly.
\nThey could do it by closely following your social media presence, security questions, and similar details. This is why industry experts do not favor the use of personal details on passwords.
\nOther tactics that hackers use include:
\nPhishing is a social engineering attack that occurs when the hacker dupes a victim into opening an email using fraudulent ads or scareware tactics.
\nUnfortunately, such attacks are no longer just an email problem. It has somewhat expanded to instant/ text messages, social networks, videoconferencing, and gaming applications.
\nAs phishing threats grew to over 50,000 a day around December 2020, SlashNext Threat Labs reported a 30% increase throughout 2019.
\nBoth organizations and individuals should know how to choose a strong password and take a zero-trust approach beyond domain credibility.
\nA dictionary attack is a method of attacking the victim's account by entering every word in a dictionary as a password. They usually run through a list of common words and phrases or easy to guess passwords.
\nUsers frequently reuse their passwords or do not change them even after a breaching attempt. That makes this form of attack easy to execute.
\nIn fact, the 2019 Verizon Data Breach Investigations Report (DBIR) reveals that compromised and reused passwords are involved in 80 percent of hacking-related breaches.
\nSimilar to a dictionary attack, brute force uses trial-and-error to guess the victim's login credentials, find a hidden web page, or access network resources.
\nLater, those tainted accounts are used to send phishing emails, sell credentials to third parties, or spread fake content.
\nVerizon's Data Breach Investigations Report 2020 reveals that around 20% of breaches happening within SMBs involve brute force. The number is approximately 10% for large enterprises.
\nThe trend essentially remained unchanged in 2018 and 2019, but the coronavirus pandemic may have impacted the number last year.
\nKeystroke logging or keyboard capturing is the method of tracking and recording the keystrokes of the victim, thereby capturing any information typed during the session.
\nThe hacker uses tools to record the data captured by each keystroke, which are retrieved later on. Moreso, a majority of these tools can record calls, GPS data, copy-cut-paste clipboard, and microphone or camera footage. The recorded data are later used for phishing attacks, stalking, and identity theft.
\nIn this attack, the hacker positions themselves in the middle of a conversation between a user and an application to eavesdrop or impersonate a website or application.
\nIn return, the hacker steals the victim's login credentials, account numbers, social security numbers, etc.
\nSaaS businesses, e-commerce sites, and users of financial services majorly fall victim to man-in-the-middle attacks.
\n![\"do's-and-don't-to-choose-a-strong-password\"](\"/4a2acc02f071d012bde568e04c19d226/do's-and-don't-to-choose-a-strong-password.webp\")
What does a secure password look like? It is usually the one that cannot be guessed easily or cracked using software tools.
\nNot that it should only be unique and complex, here is a collection of the do's and don't on how to choose a strong password to avoid being a victim of the attacks mentioned above.
\nUse two-factor authentication (2FA): 2FA adds an additional layer of security to your existing account. Even if the hacker is able to crack your password, they will still have an extra layer to authenticate.
\nThe following are a few types of layers that businesses choose to provide:
\nFollow standard password rules: There are a few basic rules on how to choose a strong password that you should closely follow.
\nChoose sufficiently random combinations of words: Yes, it is possible to use an easy-to-remember password and make it secure at the same time. The following are a few ways to do that:
\nPick something that does not make sense: How to choose a strong password? Go for something that has no meaning. For example, it could be:
\nChange your passwords regularly: Also, do not reuse the same password for a long time. The more sensitive your data is, the more frequently you should change your password.
\n![\"EB-buyers-GD-to-MFA\"](\"/b319bf6ed09ba90828b27b6cc2c2eb75/EB-buyers-GD-to-MFA.webp\")
Always remember to log out of websites and devices once you are done using them.
\nAccording to Nordpass.com, here are the 20 worst passwords of 2020. The list also offers an overview of how many times the password has been breached, among other parameters.
\nDisclaimer: Stay away from these passwords.
\n| Position \n | \nPassword \n | \nNumber of users\n | \nTime to crack it\n | \nTimes exposed\n | \n
| 1\n | \n123456\n | \n2,543,285\n | \nLess than a second\n | \n23,597,311\n | \n
| 2\n | \n123456789\n | \n961,435\n | \nLess than a second\n | \n7,870,694\n | \n
| 3\n | \npicture1\n | \n371,612\n | \nThree hours\n | \n11,190\n | \n
| 4\n | \npassword\n | \n360,467\n | \nLess than a second\n | \n3,759,315\n | \n
| 5\n | \n12345678\n | \n322,187\n | \nLess than a second\n | \n2,944,615\n | \n
| 6\n | \n111111\n | \n230,507\n | \nLess than a second\n | \n3,124,368\n | \n
| 7\n | \n123123\n | \n189,327\n | \nLess than a second\n | \n2,238,694\n | \n
| 8\n | \n12345\n | \n188,268\n | \nLess than a second\n | \n2,389,787\n | \n
| 9\n | \n1234567890\n | \n171,724\n | \nLess than a second\n | \n2,264,884\n | \n
| 10\n | \nsenha\n | \n167,728\n | \nTen seconds\n | \n8,213\n | \n
| 11\n | \n1234567\n | \n165,909\n | \nLess than a second\n | \n2,516,606\n | \n
| 12\n | \nqwerty\n | \n156,765\n | \nLess than a second\n | \n3,946,737\n | \n
| 13\n | \nabc123\n | \n151,804\n | \nLess than a second\n | \n2,877,689\n | \n
| 14\n | \nMillion2\n | \n143,664\n | \nThree hours\n | \n162,609\n | \n
| 15\n | \n000000\n | \n122,982\n | \nLess than a second\n | \n1,959,780\n | \n
| 16\n | \n1234\n | \n112,297\n | \nLess than a second\n | \n1,296,186\n | \n
| 17\n | \niloveyou\n | \n106,327\n | \nLess than a second\n | \n1,645,337\n | \n
| 18\n | \naaron431\n | \n90,256\n | \nThree hours\n | \n30,576\n | \n
| 19\n | \npassword1\n | \n87,556\n | \nLess than a second\n | \n2,418,984\n | \n
| 20\n | \nqqww1122\n | \n85,476\n | \nFifty two minutes\n | \n122,481\n | \n
![\"how-to-choose-a-strong-password\"](\"/8515c3127c9803c5124d8125057cecf7/how-to-choose-a-strong-password.webp\")
A password manager helps you auto-generate strong passwords and stores them in encrypted, centralized locations on your behalf. You can access all your passwords with a master password.
\nA lot of password managers are free to use and provide optional features such as synchronizing new passwords across several devices. If allowed, they also audit users’ actions to ensure that they are not repeating their passwords in multiple locations.
\nSo, (to be on the right track), how to choose a strong password manager? Well, it should at least have the following core features:
\nValue: The password manager should also have additional nice-to-have features:
\nTo answer the popular question \"how to choose a strong password in 2021\", LoginRadius offers a range of robust Password Policy features.
\nThe CIAM platform captures the following categories of password management in the LoginRadius Admin Console:
\nBy now, you know how to choose a strong password. However, hackers will still try to crack your passwords, no matter how secure you are trying to make them.
\nFollow the steps listed above to make your passwords as strong and unique as possible. Remember, if your password is too easy to remember, it is probably not secure at all.
\n
Determining how consumers are introduced to a brand is as important as managing their subsequent journey. With LoginRadius’ recently launched User Management feature, businesses can enjoy streamlined access control and adjustable privileges for their consumers.
\nSimply put, the LoginRadius User Management feature solves the problem of managing the multiple operations that revolve around consumer data.
\nIt also has been designed to help your business in the following ways:
\n![\"loginradius](\"/19a7a4a6794267ecd76445242f5a3f6e/DS-LoginRadius-User-Management.webp\")
1. User management process: LoginRadius offers complete consumer management features, including:
\n2. Multiple operations of user data: LoginRadius allows the following actions to be performed on consumers’ data:
\nThe User Management feature by LoginRadius is unique in that it monitors and manages the entire consumer journey through automated access permissions, data migration, API support, and other consumer-centric solutions. Now, blend it with creating meaningful relationships with your consumers—that’s what we offer.
\n
These days, businesses have an understanding of security hygiene and the risks of using insecure passwords.
\nYet, the password management struggle is real and it is hitting businesses hard.
\nGiven the fact that stolen or reused passwords are responsible for 80% of hacking-related breaches, it’s high time for businesses to fix their overall security posture and step up their cybersecurity game.
\nWhile more and more businesses are taking this concern seriously and are implementing security measures like password management, multi-factor authentication (MFA), and single sign-on (SSO), it is unfortunate that people still cling to poor password habits.
\nNordPass came up with a database of 500 million leaked passwords and ranked them based on their usage in its list of worst passwords in 2019. Keep reading for some of the worst of the bunch.
\nIn this list, you’ll recognize some old standbys like \"123456\" and \"password\" in the top spots. But there are some unexpected ones here, too.
\nFor example, passwords like zinch and g_czechout may seem harder to crack, yet they still made it to the 7th and 8th positions, respectively.
\nYou’ll also see popular female names like Jasmine or Jennifer. Another tactic is using a string of letters that forms a pattern or a line on the keyboard. Popular examples include asdfghjkl and 1qaz2wsx.
\n![](\"/0211bcf38d1a0a60f9930324cfba56e0/credential-stuffing.webp\")
Here they all are in top ranking order.
\n| Rank | \nPassword | \nCount | \n\n |
|---|---|---|---|
| 1 | \n12345 | \n2812220 | \n\n |
| 2 | \n123456 | \n2485216 | \n\n |
| 3 | \n123456789 | \n1052268 | \n\n |
| 4 | \ntest1 | \n993756 | \n\n |
| 5 | \npassword | \n830846 | \n\n |
| 6 | \n12345678 | \n512560 | \n\n |
| 7 | \nzinch | \n483443 | \n\n |
| 8 | \ng_czechout | \n372278 | \n\n |
| 9 | \nasdf | \n359520 | \n\n |
| 10 | \nqwerty | \n348762 | \n\n |
| 11 | \n1234567890 | \n329341 | \n\n |
| 12 | \n1234567 | \n261610 | \n\n |
| 13 | \nAa123456. | \n212903 | \n\n |
| 14 | \niloveyou | \n171657 | \n\n |
| 15 | \n1234 | \n169683 | \n\n |
| 16 | \nabc123 | \n150977 | \n\n |
| 17 | \n111111 | \n148079 | \n\n |
| 18 | \n123123 | \n145365 | \n\n |
| 19 | \ndubsmash | \n144104 | \n\n |
| 20 | \ntest | \n139624 | \n\n |
| 21 | \nprincess | \n122658 | \n\n |
| 22 | \n122658 | \n116273 | \n\n |
| 23 | \nsunshine | \n107202 | \n\n |
| 24 | \nBvtTest123 | \n106991 | \n\n |
| 25 | \n11111 | \n104395 | \n\n |
| 26 | \nashley | \n94557 | \n\n |
| 27 | \n00000 | \n92927 | \n\n |
| 28 | \n000000 | \n92330 | \n\n |
| 29 | \npassword1 | \n92009 | \n\n |
| 30 | \nmonkey | \n86404 | \n\n |
| 31 | \nlivetest | \n83677 | \n\n |
| 32 | \n55555 | \n83004 | \n\n |
| 33 | \nsoccer | \n80159 | \n\n |
| 34 | \ncharlie | \n78914 | \n\n |
| 35 | \nasdfghjkl | \n77360 | \n\n |
| 36 | \n654321 | \n76498 | \n\n |
| 37 | \nfamily | \n76007 | \n\n |
| 38 | \nmichael | \n71035 | \n\n |
| 39 | \n123321 | \n69727 | \n\n |
| 40 | \nfootball | \n68495 | \n\n |
| 41 | \nbaseball | \n67981 | \n\n |
| 42 | \nq1w2e3r4t5y6 | \n66586 | \n\n |
| 43 | \nnicole | \n64992 | \n\n |
| 44 | \njessica | \n63498 | \n\n |
| 45 | \npurple | \n62709 | \n\n |
| 46 | \nshadow | \n62592 | \n\n |
| 47 | \nhannah | \n62394 | \n\n |
| 48 | \nchocolate | \n62325 | \n\n |
| 49 | \nmichelle | \n61873 | \n\n |
| 50 | \ndaniel | \n61643 | \n\n |
| 51 | \nmaggie | \n61445 | \n\n |
Now that you've seen the worst passwords, you may want to improve the password hygiene of your enterprise.
\nBut what if your customers don't follow good password hygiene?
\nUnfortunately, many don't. The biggest reason is that remembering multiple passwords for multiple accounts is hard work. This leads to people using easy-to-guess passwords or recycled passwords which can lead to a domino effect of attacks on both consumers and companies.
\nAnother flawed approach is that people may think their information is insignificant, so they assume that no hacker would care about them. However, a ransomware attack can lock users out of their accounts and become quite costly.
\n![](\"/e9b93c8b923b38970dce3081e9a46938/image2.webp\")
As our worst passwords list shows, you can’t stop everyone from using bad passwords. However, you can prevent hackers from accessing passwords by using a Customer Identity and Access Management (CIAM) solution. Here’s how.
\nAn Identity Platform can help companies implement industry-standard hashing algorithms that protect passwords during transit or at rest. This is an effective way to prevent data from being exposed to hackers.
\nWith the increase in frequency and complexity of attacks, companies could also utilize additional features like two-factor authentication, risk-based authentication, and passwordless login.
\nBy implementing these features, companies can increase security to customer accounts that will help prevent data breaches and hacks.
\nA CIAM solution also saves resources. Your support and development teams can devote their time to growing your business rather than responding to data breaches.
\nOverall, bad passwords coupled with smart hackers are a big problem for businesses. To protect your company from costly hacks and breaches, you need cybersecurity that prevents access to your sensitive data. For state-of-the-art cybersecurity and enhanced customer experience, choose a globally-certified CIAM solution like LoginRadius.
\n![](\"/084774eb7512c1b89a504206fda05ffc/CTA-book-demo-password-1024x310.webp\")
Security questions can add an extra layer of certainty to your authentication process.
\nSecurity questions are an alternative way of identifying your consumers when they have forgotten their password, entered the wrong credentials too many times, or tried to log in from an unfamiliar device or location.
\nSo, how do you define a good security question? We have come up with some basic guidelines that will help you create the best ones.
\nThe best security questions and answers make it easy for legitimate consumers to authenticate themselves without worrying about their account being infiltrated.
\nYou can minimize both of these outcomes by creating good security questions.
\nYou can see examples of good security questions from the University of Virginia. Let’s take a look at each of these criteria in more detail.
\n![](\"/cfccbee1abd82fe642d45c74a29257af/boy-car-child-1266014.webp\")
When choosing security question and answers, it’s extremely important that the correct answers cannot be guessed or researched over the internet.
\nHere’s an example of a question that fails to meet these rules:
\n“In what county were you born?”
\nThis question could be considered unsafe because the information can be found online. Also, this information may be common knowledge to friends and family members.
\nAside from these issues, if a hacker was interested in a specific account, it might be easy to brute-force their way past this question since there are only a fixed number of counties in each US state.
\n![](\"/189de30533f62b867cacf6b107bbc320/balance-beach-boulder-1051449.webp\")
A good security question should have a fixed answer, meaning that it won’t change over time.
\nA good example of a security question with a stable answer:
\n“What is your oldest cousin’s first name?”
\nThis example works because the answer never changes.
\nNote: Questions like this one might not apply to all users. Asking about someone’s wedding anniversary or cousins does them no good if they have never been married or have no cousins! It’s important to offer your consumers several questions to choose from to make sure they apply.
\nSome examples of questions with unstable answers:
\n“What is the title and artist of your favorite song?”
\n“What is your work address?”
\nBoth of these examples make for poor security questions because their answers will change for most people over time. Many people change their minds about their favorite things over the course of their lives, and they also may change jobs or move to a different office location.
\n![](\"/4fc4082864b7c38e16ef2e34ff1fe214/adorable-blur-child-573293.webp\")
A good security question should be easily answered by the account holders but not readily obvious to others or quickly researched.
\nExamples of good memorable questions:
\n“What is your oldest sibling's middle name?”
\nMost consumers who have siblings know their middle name off the top of their heads, making this a good example of a memorable security question. This question is also excellent because someone would have to do quite a bit of digging to first find out who the consumer’s oldest sibling is, and then find their middle name in order to crack this question.
\n“In what city or town did your mother and father meet?”
\nMost consumers know the answer to a question like this, making it fit the criteria of being memorable. It is also more difficult to guess or research this fact. Best of all, it fits the stability criteria as well.
\n
Some examples of question and answers that are unmemorable include:
\n“What is your car’s license plate number?”
\nMany people don’t have their license plate number memorized. Also, it’s relatively simple for a potential intruder to do some digging and find this information for themselves.
\n“What was your favorite elementary school teacher’s name?”
\nThe answer to this question may be quick to recall for someone younger, but for older consumers, things from their childhood can be a lot foggier. So answers to such questions might not come so easily. It’s good practice to try to avoid questions from a consumer’s childhood.
\n![](\"/fdbc69658c2ed437d337b773bef48e70/automobile-automotive-car-1386649.webp\")
A simple question has a precise answer that doesn’t create confusion.
\nSome examples of questions with simple answers:
\n“What was your first car’s make and model? (e.g. Ford Taurus)”
\n“What month and day is your anniversary? (e.g. January 2)”
\nThese both make for good security questions because the answers are specific. These questions show consumers how to format their answers in a memorable, simple way.
\nBut how many security questions should be asked? These questions can also be asked in a way that doesn’t give simple, precise answers:
\n“What was your first car?”
\n“When is your anniversary?”
\n![](\"/db48bdd45d6b2b4a72051be7819fe463/arms-bonding-closeness-1645634.webp\")
A good security question should have many potential answers. This makes guessing the answer much more difficult and will also slow down automated or brute-force attempts at gaining access to the consumer’s account.
\nAn example of a question with many possible answers:
\n“What is the middle name of your oldest child?”
\nA question with too few possible answers:
\n“What is your birth month?”
\nBy their very nature, even so-called good security questions are vulnerable to hackers because they aren’t random—users are meant to answer them in meaningful, memorable ways. And those answers could be obtained through phishing, social engineering, or research.
\nThere’s a scene in the movie \"Now You See Me 2\" where a magician tricks his target into giving him the answers to his bank security questions. The magician guesses the answers and his target corrects him with the actual information. It’s a fictional example, but the phishing mechanics are real.
\nMany social media memes tap into the answers to common security questions, such as the name of your first pet or the street you grew up on. So by innocently posting your superhero name or rapper name on Facebook, you’re inadvertently sharing important personal information.
\nWhen it comes to creating security questions, there are certain types of questions that should be avoided. Questions that have answers that are easily guessed or found online should not be used.
\nFor example, questions like “What city were you born in?” or “What is your mother’s maiden name?” are too common and can be easily guessed or found online. Additionally, questions that are too personal or sensitive should also be avoided as they may make users uncomfortable or cause them to reveal too much personal information.
\nExamples of questions to avoid include “What is your social security number?” or “What is your salary?”
\nChoosing good security questions can be challenging, but there are certain types of questions that can be effective.
\nGood security questions should have answers that are easy for the user to remember but difficult for someone else to guess. For example, questions about personal preferences or experiences can be effective, such as “What is your favorite movie?” or “What was the name of your first pet?”
\nAnother effective approach is to use questions that require numerical answers, such as “What is your favorite number?” or “How many siblings do you have?”
\nWhen choosing security questions, there are several best practices to keep in mind. First, it is important to choose questions that are easy for the user to remember but difficult for others to guess or find online.
\nAdditionally, it is important to avoid using questions that are too personal or sensitive. Another best practice is to avoid using the same security questions for multiple accounts, as this can make it easier for hackers to gain access to multiple accounts if they can answer the same security questions.
\nFinally, it is important to regularly update security questions and answers, as well as to use two-factor authentication or other security measures to further protect accounts. By following these best practices, users can create strong security questions that help protect their online accounts.
\nPasswords and security questions aren’t the only methods for locking down consumer accounts. A good CIAM solution offers several secure alternatives:
\nMulti-factor authentication is a much more robust and secure method of consumer authentication that relies on two or more ways of verifying the consumer’s identity. Typically, the consumer will be required to present something that they know, something they possess, and/or something they are. Some examples of these different factors are:
\nAs an example, the MBNA bank recently decided that security questions were not doing enough for them and their consumers to keep their accounts safe. To upgrade their security, they decided to go with two-factor authentication instead of security questions in order to verify their consumer’s identities.
\n![](\"/a9e74f244312983ea9c5cdbc05750c92/MBNA-2factor-steps.webp\")
Source: MBNA website
\nIn these screenshots, you can see that the transition from security questions to two-factor authentication was fairly seamless for MBNA consumers. They even had the option to choose how often they would be prompted to provide a security code as their second factor.
\n![](\"/3b9c4255681353f9abffd408adff699e/MBNA-2factor-login-options.webp\")
Source: MBNA website
\nBy requiring your consumers to follow strong password rules, you minimize the risk of hackers brute-forcing their way into their accounts. Lengthy alphanumeric passwords with special and non-repeating characters are much more difficult for an attacker to guess. It also takes significantly longer for brute force programs to break in.
\nPasswordless Login takes the password right out of the equation. consumers log in with a key fob, a biometric such as a fingerprint, or a magic link. This login method eliminates the issue of consumers forgetting passwords entirely, and it also makes it impossible for hackers to crack their accounts by brute-forcing.
\nIf you’re interested in learning why passwords are slowly becoming a thing of the past, download our e-book The Death of Passwords. There are better authentication methods than passwords and security questions available for your company—and with support from LoginRadius, you can adopt them quickly and easily.
\n
Many people use their email addresses and a small set of passwords (or even just one password) to log in to their online accounts. Unfortunately, this means that any hacker with your email address already has half your login details. Add in numerous password breaches from big-name digital service providers and you have a recipe for disaster.
\nSince most people still recycle versions of their passwords, once one of them is released in a data leak, it could mean that all of your online accounts are compromised thanks to bad password hygiene.
\nEven if you're one of the many people who use a selection of different passwords based on some sort of theme or the rearrangement of certain elements, an attacker could combine knowledge of one password with a brute force attack or social engineering to more easily discover your other passwords.
\nLuckily there's a well-trusted website where anyone can quickly find out if their email address has been compromised in an email leak and which company leaked your data. Have I Been Pwned? (HIBP) was set up by Troy Hunt, a highly respected digital security expert.
\nIt’s simple to find out if your email address has been compromised. Just go to Have I Been Pwned? to search their database of leaked details.
\nHIBP doesn't just include leaked emails, but (as my friend found out) other personal data that has been exposed on the web. What you learn may surprise you—I asked a friend to try a few of their emails, and though all of their passwords were safe, other bits of personal data had been leaked by several marketing data aggregation companies.
\nHackers make use of many types of personal data, combining databases with known passwords when they do leak to make cracking your accounts that much quicker, so any sort of data leak can be risky.
\nCheck a few of your emails on the site, and chances are that at least one of them will have been involved in a data leak at some point, even if your passwords haven't been released.
\nThere's also a handy password checker to find out if a certain password has made its way into the public domain. (Don’t worry, the site uses hashing to keep your password anonymous and doesn’t store it.)
\n![\"Protecting-PII-Data-Breaches-industry-report\"](\"/50eb35550996efd860854fef81a6360e/RP-Data-Breach-Report.webp\")
Out of curiosity I checked the statistics for using \"password\" as a password—it turned out to have been pwned 3,533,661 times, a stark reminder that common sense doesn't always triumph when humans are left to their own devices regarding password strength.
\nSubscribing to Have I Been Pwned is free and doing so will alert you to future leaks involving that email address as soon as they become public; adding additional emails is straightforward and doesn't incur any additional fees. As a website owner or administrator, you can also set up alerts that let you know if any email addresses associated with your domain have been compromised.
\n![](\"/39c01c921f3c46b1823f193ca9711f75/image-2.webp\")
Once you’ve checked your email addresses for breaches, the next step is to change all of your passwords that are related to that email to something strong and complex. Choosing strong, unique passwords can be difficult for some people – believe it or not, a random string of letters, numbers, and symbols can be just as easy for a machine to crack as any other password.
\nXKCD explains it pretty well in this cartoon; think “pass phrases” of unrelated terms, rather than just a “password.” And no, changing letters for numbers (l33t style) is far too common to make this a safe way to create a cunning password!
\nIf your password comes up as having been leaked on the password checker, it doesn’t necessarily mean that your personal password has been leaked. Maybe your choice of secret word wasn’t as unique as you thought it was.
\nWhat it does mean is that your password is likely to be in a database along with other confirmed passwords that a cracker program will use first when trying a brute-force attack on your account. Combine a compromised password with a leaked email for an account without multi-factor authentication, and you’ve just handed anyone with those two databases full account access.
\nAnd what do we mean by unique? Not unique to you, but unique to each site or login you use. Remember never to use any of your biographical data in your passwords either; many of the data breaches on Have I Been Pwned? are from marketing companies that don’t actually have people’s passwords. What they do leak is a handy, searchable database of lots of your other information (including things like kids’ birthdays, work anniversaries, and so forth).
\nOf course, with all these unique passwords, you may be tempted to write them all down. If you want to keep your new set of passwords safe, though, consider using a password manager (with a strong, unique password that you can remember). There are a number of options, many of them free, that will help you store your passwords safely.
\nLastPass and Dashlane are the two most popular options, and both have points in their favour. If you take your online security seriously, it’s worthwhile paying for a premium version.They’re relatively inexpensive and include important features like syncing across devices and advanced multi-factor authentication. Where possible, you should enable multi-factor authentication on all of your accounts.
\nLeaks of any type of customer data can be both embarrassing and expensive for businesses. An increasing number of countries have steep penalties for any kind of data breach, in some cases attracting unlimited fines or large percentages of an organization's annual turnover (yes turnover, not after-tax profit).
\nIf you're responsible for your company’s data security or digital platforms, then you're probably acutely aware of this fact.
\nLoginRadius has a vested interest in maintaining the highest levels of data protection.
\n![\"book-a-demo-loginradius\"](\"/1bebf239d110701b9b534d7eb481a5ac/BD-Plexicon1-1024x310-1.webp\")