We have addressed previously the fact that the human is the weakest link in any security chain. Unfortunately there are many ways that the human link can be disrupted. In this article we will address one of those, one that may in fact be the weakest link in the weakest link: passwords. Everyone hates passwords. An informal survey of users shows that the one issue that is unanimously despised is the password. They are difficult to create, track, and remember, but they are a truly necessary evil, and they have proliferated across every aspect of our electronic lives.
Many of us have noticed that, across the Internet, more and more sites now require complex passwords. Banks and financial institutions, online vendors and even some subscription sites now require a mix of lower and upper case letters as well as a number in your latest password. The liability and risk associated with simple passwords is great, because hackers can use what’s called a “dictionary attack”, in which they try every word in the dictionary to access an account. And it’s not just the English dictionary.
As a business owner or manager, you need to take this message seriously. Every step you can take to secure your information is important. Don’t think that because you’re a small or medium sized business (SMB) you are not at risk. Some things we often hear are “no one would be interested in my data” or “he has nothing on his computer”. The truth is that you are actually more at risk. Hackers have specifically targeted the SMB market since it traditionally has weaker security all around. You still have a bank account, you still take credit cards; you may even store personally identifiable information (PII); all of which have value to a hacker when stolen. Even if someone has no data on their PC, that PC is a gateway to the rest of your network and your data.
The first step in minimizing this risk is to develop and implement a strong password policy. It should require that all passwords be a minimum of 8 characters and contain at least one capital letter and a symbol. A password should not be a common word that can be found in the dictionary, but it doesn’t need to be a jumble of nonsensical characters that no one will remember. While you may not be able to use a space in your online passwords, Windows systems do allow it. So “My New Password 123!” is a great password, but password123 is not.
This means that 10.3% of the population uses one of these 20 most popular passwords. So 1 in 10 people in your office likely use one of the above passwords for something that you need to have secured. Is that a risk you are willing to take?
What can you do about it? First, implement a password policy. Speak with your IT provider; they can configure your server to require complex passwords. Your password policy should include:
- Password composition – the length, and what kinds of characters are required and allowed (e.g. don’t allow the user’s name or the company name)
- Password age limitation – how often you will require a password change; we recommend every 90 or 120 days.
- Password re-use – how often can they reuse the same password, or how long between changes before the same password can be reused?
- Password sharing policy – yes, people do share their passwords; what limitations and criteria are you setting on this? We recommend against it (of course!)
- How do you handle system administrator passwords?
- Exemptions and enforcement – what are the consequences for violating this policy?
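As an added illustration (not code from the article), here is a small Python checker that encodes the composition rules above: at least 8 characters, a capital letter, a symbol, no dictionary word even with digits tacked on, and no user or company name, with spaces allowed. The word list and the names "jsmith" and "Acme" are constructed placeholders; a real deployment would load a full wordlist.

```python
import re

# Constructed stand-in for the dictionary / "most popular passwords" list the
# article refers to; a real deployment would load a full wordlist instead.
COMMON_WORDS = {"password", "welcome", "letmein", "monkey", "dragon", "football"}


def check_password(candidate, user_name="", company="", common_words=COMMON_WORDS):
    """Return the list of policy violations for candidate (empty list = accepted).

    Rules taken from the article's policy: at least 8 characters, at least one
    capital letter, at least one symbol, not a dictionary word (even with digits
    or symbols tacked on), and not containing the user's or the company's name.
    Spaces are allowed, so a pass phrase like "My New Password 123!" qualifies.
    """
    problems = []
    if len(candidate) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isupper() for c in candidate):
        problems.append("no capital letter")
    # A symbol is anything that is neither a letter/digit nor whitespace.
    if not any(not c.isalnum() and not c.isspace() for c in candidate):
        problems.append("no symbol")
    # Keep only the letters so that "password123" and "Password!" are both
    # recognised as the dictionary word "password".
    core = re.sub(r"[^a-z]", "", candidate.lower())
    if core in common_words:
        problems.append("based on a dictionary word")
    lowered = candidate.lower()
    for label, name in (("user name", user_name), ("company name", company)):
        if name and name.lower() in lowered:
            problems.append("contains the " + label)
    return problems


def is_acceptable(candidate, **kwargs):
    """True when check_password reports no violations."""
    return not check_password(candidate, **kwargs)


if __name__ == "__main__":
    # "jsmith" and "Acme" are constructed example names, not from the article.
    for pw in ("My New Password 123!", "password123", "Acme#2024", "Sh0rt!"):
        verdict = check_password(pw, user_name="jsmith", company="Acme")
        print(repr(pw), "->", ", ".join(verdict) if verdict else "OK")
```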
You can also consider using a password vault from a company like Dashlane or LastPass. Interestingly enough, LastPass was recently hacked and data was stolen, but since the data was encrypted, it was unusable. But if your password is a weak one, it doesn’t matter whether it’s encrypted or not; it can easily be guessed by man or machine.
Next month, we will delve into the question of whether or not the password has outlived its usefulness, and what enhancements and tools are available to improve the security of your passwords. Just because you’re not paranoid doesn’t mean that cyber criminals are not out to get you. Given the stakes, it’s only a matter of time before they come surreptitiously knocking on your door. It’s time to start thinking about a multi-layered approach to defending your sensitive information, both on your systems and in the cloud. A password policy with complex passwords is just a small first step.