We’ve all seen it. That little warning in the bottom corner of the screen that your password is going to expire in ‘x’ days. And we’ve all done it. Well, I’ll just add one more digit to the count. Who cares anyway, right? Here’s the thing. It matters. A lot. In the past decade or so, I’ve seen every possible bad idea when it comes to passwords:
- The Post-It note under the keyboard
- The piece of paper taped to the wall
- The ever popular “Password1” or “letmeinnow”
- The feared ‘entire department uses the same password’
- The password that never expires
- Or, my personal favorite, the spreadsheet saved on the desktop that has the username and password of every single person, software and account in the company (mixed with your personal records, just to make it spicy!)
So why does it matter?
Simply put, if your password is compromised then your kingdom is ripe for the ransacking. And with work information spilling over onto personal devices, even a compromised home computer can spell big, big trouble for your employer. Once the levee has a crack in it, it’s just a matter of time before it comes crashing down.
Let’s walk through a couple of typical password-based paths to a compromised system, then talk about ways to prevent it.
Scenario 1 – The Password Phish
- The user gets an email claiming to be from Microsoft, telling them to enter or reset their password by clicking on a link.
- The user clicks the link, types their real credentials into the attacker’s look-alike page, and goes about their day.
- The next day, all of the servers in the entire company get Crypto-locked, costing lost time, lost revenue and loss of client confidence.
Scenario 2 – The Brute Force
- A piece of malicious software is introduced into the work environment, giving a ‘bot’ a list of valid usernames.
- That bot then runs automated scripts, trying password after password against those usernames until one of the guesses works and the system is compromised.
- The next day, nobody knows anything has happened.
- Silently, in the background, the entire computer network is scanned, company files are copied and removed and confidential emails are leaked to the market…or maybe it’s just crypto-locked. Or maybe, just maybe, it’s wiped out just for fun.
Password Best Practices…are not as agreed upon as one might think.
For years, the standard was ‘use complex passwords of at least 8 characters, mixing upper case, lower case, numbers and symbols’. And for years, users rebelled.
The industry has shifted a bit with the emergence of new technology and newer guidance (NIST SP 800-63B, for example, now favors length and screening against known-breached passwords over composition rules), so we find it best to take a ‘thinking’ approach to the problem, one that addresses both the technology and the human aspect.
- The best bet today involves 2FA, or two-factor authentication. This means that any time a user logs into an online resource or computer, they are required to enter their credentials and then also complete a second check with something they have, not just something they know. This is commonly done by entering a one-time code from an authenticator app, approving a push prompt, or entering a code received by text message. Text-message codes are the weakest of these (they can be phished or intercepted through SIM swapping), so prefer an authenticator app or a hardware security key where the resource supports it.
- The company should have ‘3 strikes’ rules in place for failed login attempts. Once the user (or nefarious bot) exceeds the allowed attempts, the account is locked and requires the user to contact the IT Department. Set the threshold and the lockout duration deliberately: an attacker who knows the rule can lock out every account on purpose, and an automated attack that tries one common password against many accounts (password spraying) stays under a per-account limit, so failed logins should also be watched per source address.
- Eliminate any shared passwords (one password for a whole department) and reused passwords in the organization.
- Consider a random password generator and a secure password management system to take password selection out of the end user’s hands. That means no more birthdays and puppy names.
- Consider security awareness training for your employees. There are programs available that run simulated phishing attacks and report which users would have let an intruder in through their actions. Those programs also include online, customizable and interactive training for employees.
- The best way to handle a breach is to prevent it. Consider talking with an experienced IT security provider that can help you anticipate, prepare for and prevent a cyber breach.
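As an added example that is not part of the original article, here is the detection side of Scenario 2 and of the ‘3 strikes’ rule above, written in Python against a constructed, simplified sshd-style log. The log format, the sample lines, the function names and the thresholds are all assumptions made for this example; real authentication logs differ and the regex would need adapting. The code applies a per-account strike limit over a sliding window, flags a success that arrives after the account should already have been locked (the signature of a guessed password getting through), and separately looks for one source address failing against many different accounts, which a per-account limit alone never catches.

```python
"""Detection logic for the brute-force scenario and the '3 strikes' lockout
rule. Added example written for this article, not code from the original
post. The simplified sshd-style log format and the sample lines are
constructed for the example; adapt LINE_RE to your own auth logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data).
SAMPLE_LOG = """\
2024-01-15T08:00:01 Failed password for alice from 203.0.113.7
2024-01-15T08:00:03 Failed password for alice from 203.0.113.7
2024-01-15T08:00:05 Failed password for alice from 203.0.113.7
2024-01-15T08:00:07 Failed password for alice from 203.0.113.7
2024-01-15T08:00:09 Accepted password for alice from 203.0.113.7
2024-01-15T08:05:00 Failed password for bob from 198.51.100.2
2024-01-15T08:05:01 Failed password for carol from 198.51.100.2
2024-01-15T08:05:02 Failed password for dave from 198.51.100.2
2024-01-15T08:05:03 Failed password for erin from 198.51.100.2
2024-01-15T08:05:04 Failed password for frank from 198.51.100.2
2024-01-15T09:30:00 Failed password for bob from 192.0.2.9
2024-01-15T09:31:00 Accepted password for bob from 192.0.2.9
2024-01-15T09:32:00 some unrelated log line
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+)$"
)


def parse(log_text):
    """Return login events in time order; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]),
                           "ok": m["result"] == "Accepted",
                           "user": m["user"], "ip": m["ip"]})
    return sorted(events, key=lambda e: e["ts"])


def strikes(events, max_failures=3, window=timedelta(minutes=15)):
    """Per-account '3 strikes' rule over a sliding window.

    locked  = {user: time} when failures in the window first exceeded
              max_failures, i.e. where the account should have been locked.
    guessed = {user: time} of a success that arrived after that point. With
              lockout enforced this cannot happen, so in collected logs it is
              the signature of a guessed password getting through.
    """
    recent = defaultdict(list)
    locked, guessed = {}, {}
    for ev in events:
        user = ev["user"]
        if ev["ok"]:
            if user in locked and user not in guessed:
                guessed[user] = ev["ts"]
            recent[user] = []  # a genuine success resets the counter
            continue
        recent[user] = [t for t in recent[user] if ev["ts"] - t <= window]
        recent[user].append(ev["ts"])
        if user not in locked and len(recent[user]) > max_failures:
            locked[user] = ev["ts"]
    return locked, guessed


def spraying_sources(events, min_users=5, window=timedelta(minutes=30)):
    """Per-source view: one IP failing against many *different* accounts.

    Password spraying (a guess or two per account, across many accounts)
    never trips a per-account strike limit, so it has to be caught here.
    Returns {ip: sorted list of targeted users}.
    """
    by_ip = defaultdict(list)
    for ev in events:
        if not ev["ok"]:
            by_ip[ev["ip"]].append(ev)
    flagged = {}
    for ip, fails in by_ip.items():
        for i, first in enumerate(fails):
            users = {f["user"] for f in fails[i:]
                     if f["ts"] - first["ts"] <= window}
            if len(users) >= min_users:
                flagged[ip] = sorted(users)
                break
    return flagged


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    locked, guessed = strikes(evs)
    print("should have locked:", locked)        # alice at the 4th failure
    print("success after lockout:", guessed)    # alice, two seconds later
    print("spraying sources:", spraying_sources(evs))  # 198.51.100.2
```

Run it as a script to print the three findings. The thresholds (3 failures in 15 minutes per account, 5 accounts from one address in 30 minutes) are starting points chosen for the example, not recommendations from the article; tune them against your own baseline. Note that the spraying check is keyed on the source address, so an attacker who spreads attempts across many addresses still needs other signals to catch.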