Thirty years ago the most one had to remember for a password was a school locker combination or an office push-pad door lock. Today, passwords are needed for just about everything. Every Internet service or mobile app needs its own password, and in the business world they are ubiquitous as the keys to the kingdom on enterprise networks and shared digital resources. No surprise, then, that passwords and their owners continue to be the weakest link in IT security. Fortunately, many of the associated risks are also the easiest to reduce with preventive steps, provided people apply them consistently and correctly.
There are various fixes for the multitude of passwords one has to remember now, but they still don’t address the fundamental problem: poor password management by users and organizations. Until we reach a world of biometric keys and unique personal tokens, passwords will probably remain the standard for a long time. As a result, companies and organizations have to constantly address the human factor.
Why Standard Policies Fall Short
Standard password policies tend to center around four typical approaches for username and password security:
- Making sure the minimum password length is at least 8 characters (12 or 16 is better).
- Lots of complexity in the password, with uppercase and lowercase letters, numeric digits and special characters.
- Making sure passwords are changed on a regular basis (usually every 90 days).
- Automatic account lockout after a set number of incorrect password attempts.
However, these common policies fail to deal with the human factor that keeps breaking the expected rules. Frequent, frustrating issues include staff sharing their passwords with each other for convenience and easier access, using personal information, reusing the same password again and again, failing to change a password after a breach has occurred, writing passwords down and leaving them on desks or in the open, not using two-factor defenses, and leaving the computer logged in to avoid having to log in at all. Anyone who practices occasional office testing for staff slip-ups and vulnerabilities will probably find a break-in candidate within two to three days in an unannounced audit.
In addition, even if people do everything they are supposed to under the four common prevention steps, their exposure to today’s attack tooling is still high. Basic cracking tools can make short work of standard good-password or passphrase policies, especially with computers working day and night. These attacks take the form of automated brute-force and dictionary attacks, where a program guesses every possibility; breaking security questions with data gleaned from a user’s social media; and simply exploiting simplistic passwords like “god” or “12345”. And the most successful remain social engineering attacks, where people just give up their passwords willingly.
Get Proactive and Stop Relying on Users
So, what can a company do? Are data breaches inevitable? Ban easy-to-remember passwords? If one accepts the Securities and Exchange Commission’s view, attacks on a business of any size are a matter of when, not if.
Fortunately, more can be applied administratively to user accounts without fully relying on those users to do their part. These password protection steps include:
- Force Easy-to-Remember Passwords to 16 Characters With Complexity – The time it takes a computer program to break a 16-character password with complexity is more computational time than it takes a Bitcoin miner to earn a new Bitcoin. That kind of difficulty drives easy opportunists away very quickly, even when they have software tools. The strongest method is, of course, 64 characters.
- Utilize Password Encryption – Networks that automatically encrypt password fields and their transport block the most common method of grabbing passwords: network sniffing. All the attacker sees is a blizzard of meaningless characters. Without encryption, the password is literally readable on a sniffed network or channel.
- Require Two-Factor Authentication – Absolutely one of the most effective tools available, multi-factor authentication forces a unique second code to be generated for every login. It’s easy to apply, and any user with a connected cell phone or hardware token can still log in without issue.
- Layer on More Methods – Unique passwords plus other factors like voice or biometric data make it extremely hard to get into a system without the user’s cooperation. This defeats the username and password that was written down and stolen, or overheard or seen in a public area.
- Force Minimum Acceptance Testing on New Strong Passwords – Your own server tools, such as Windows Server, can require minimum criteria on new passwords across a network, forcing users to comply whether they like it or not. This may not catch dictionary words, however, in which case an administrator has to rely on regular training reminders and auditing passwords for violations.
- Force Modularization – Requiring employees to have different passwords for different parts of a network blocks access to the whole system even if one breach occurs. This follows the rule of “least privilege access.” No one should be allowed to have a universal password.
- Have the Ability to Nuke Connected Mobile Devices – Any device connected to your network should be required to support remote wipe. This way, if a mobile phone is compromised, you can immediately kill that access entirely and shut off further damage. This is a very effective defense against stolen or lost mobile devices.
- Require Automatic Deletion of Unused Accounts & Separating Employees – This is a bit of a no-brainer: any account not used for 45 days or associated with a departing employee should be cut off immediately by default. An account that hasn’t been deleted or disabled provides backdoor entry for anyone who gets hold of it.
- Password Managers May Help – Password manager software provides a great way to manage passwords, remembering and storing them behind a single channel, but the strength of that one-account approach is also its Achilles’ heel. If the password to the password manager is compromised, so is everything else. In these cases, pairing the password manager with a physical security token as well as MFA and a password may be a better approach.
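The four standard rules listed under “Why Standard Policies Fall Short” (minimum length, complexity, 90-day rotation, lockout) and the server-side minimum acceptance testing step above can be expressed as one small policy checker. The following is an added example written for this article, not code from any server product; the 12-character minimum, three-class rule, five-attempt lockout, the blocked-word list and the sample passwords are all constructed for the demonstration. It also adds the dictionary-word and personal-information checks that built-in server tools often miss.

```python
"""Added example: a minimal server-side password policy checker.

Assumption: it models the article's four standard rules (minimum length,
character-class complexity, rotation every 90 days, lockout after N bad
attempts) plus the dictionary-word check that built-in tools often lack.
The word list and sample inputs are constructed, not from any deployment.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import string

# Constructed blocklist standing in for a real dictionary or breach list.
COMMON_WORDS = {"password", "god", "12345", "welcome", "summer"}


@dataclass
class PasswordPolicy:
    min_length: int = 12
    min_classes: int = 3          # of: upper, lower, digit, special
    max_age_days: int = 90
    max_failures: int = 5
    blocklist: set = field(default_factory=lambda: set(COMMON_WORDS))

    def violations(self, password: str, personal_info=()) -> list:
        """Return human-readable rule violations (empty list = accepted)."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        classes = sum([
            any(c.isupper() for c in password),
            any(c.islower() for c in password),
            any(c.isdigit() for c in password),
            any(c in string.punctuation for c in password),
        ])
        if classes < self.min_classes:
            problems.append(f"uses {classes} character classes, need {self.min_classes}")
        lowered = password.lower()
        # Dictionary check: reject if the password contains a blocked word.
        for word in self.blocklist:
            if word in lowered:
                problems.append(f"contains blocked word {word!r}")
                break
        # Personal information (name, user id, birth year ...) supplied by caller.
        for item in personal_info:
            if item and item.lower() in lowered:
                problems.append(f"contains personal information {item!r}")
                break
        return problems

    def is_expired(self, last_changed: datetime, now: datetime) -> bool:
        """Rotation rule: older than max_age_days means the user must change it."""
        return now - last_changed > timedelta(days=self.max_age_days)


class LockoutTracker:
    """Counts consecutive failures per account and locks after max_failures."""

    def __init__(self, policy: PasswordPolicy):
        self.policy = policy
        self.failures = {}

    def record_failure(self, user: str) -> bool:
        """Record one bad attempt; return True if the account is now locked."""
        self.failures[user] = self.failures.get(user, 0) + 1
        return self.is_locked(user)

    def record_success(self, user: str) -> None:
        self.failures.pop(user, None)

    def is_locked(self, user: str) -> bool:
        return self.failures.get(user, 0) >= self.policy.max_failures


def rotation_due(days_since_change: int) -> bool:
    """Convenience wrapper: is a password changed N days ago past the 90-day limit?"""
    now = datetime(2024, 6, 1)  # constructed reference date
    return PasswordPolicy().is_expired(now - timedelta(days=days_since_change), now)


def lock_after(attempts: int) -> bool:
    """Convenience wrapper: does the hypothetical user 'jdoe' get locked after N failures?"""
    tracker = LockoutTracker(PasswordPolicy())
    locked = False
    for _ in range(attempts):
        locked = tracker.record_failure("jdoe")
    return locked


if __name__ == "__main__":
    for candidate in ("god", "Summer2024!!", "Tr0ub4dor&3xyzQ"):
        print(candidate, "->", PasswordPolicy().violations(candidate) or "accepted")
```

The substring match against the blocklist is deliberately strict (it rejects “Summer2024!!”, not just “summer”); a real deployment would swap the constructed list for a breach-derived one, and the lockout counter would need persistence and a reset timer so that an attacker cannot use it to lock legitimate users out.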
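To make the “unique second password code” of the two-factor step concrete, here is an added example (not from the article or any authenticator vendor) of how such a code is derived and verified, following the public HOTP (RFC 4226) and TOTP (RFC 6238) algorithms with only the Python standard library. The shared secret is the RFC 4226 test-vector key and the timestamp 59 is the RFC 6238 test time; both are constructed for the demonstration.

```python
"""Added example: time-based one-time codes as used by MFA apps and tokens.

Assumption: RFC 4226 HOTP over a 30-second window (RFC 6238 TOTP) with
HMAC-SHA1 and 6 digits. SECRET is the RFC 4226 test key, used here only
so the values can be checked against the published vectors.
"""
import hashlib
import hmac
import struct
import time

SECRET = b"12345678901234567890"  # RFC 4226 test secret; never reuse in production


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password for a given counter value."""
    msg = struct.pack(">Q", counter)                  # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                           # dynamic truncation offset
    code = (((mac[offset] & 0x7F) << 24)
            | (mac[offset + 1] << 16)
            | (mac[offset + 2] << 8)
            | mac[offset + 3])
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based code: HOTP over the current time window."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Per-user server-side verifier: tolerates clock skew, rejects replays."""

    def __init__(self, secret: bytes, step: int = 30, skew: int = 1):
        self.secret, self.step, self.skew = secret, step, skew
        self.last_counter = -1  # highest time counter already consumed

    def verify(self, submitted: str, unix_time: int) -> bool:
        base = unix_time // self.step
        for delta in range(-self.skew, self.skew + 1):
            counter = base + delta
            if counter <= self.last_counter:
                continue  # a code from this window was already used: replay
            # Constant-time comparison so timing does not leak digit matches.
            if hmac.compare_digest(hotp(self.secret, counter), submitted):
                self.last_counter = counter
                return True
        return False


def replay_demo() -> tuple:
    """Show acceptance, rejection of a resubmitted code, and a fresh later code."""
    verifier = TotpVerifier(SECRET)
    first = verifier.verify("287082", 59)   # counter 1: accepted
    again = verifier.verify("287082", 59)   # same code resubmitted: rejected
    later = verifier.verify("359152", 59)   # counter 2, within skew and unused
    return first, again, later


if __name__ == "__main__":
    print("current code:", totp(SECRET, int(time.time())))
    print("replay demo:", replay_demo())
```

The verifier refuses any counter at or below the last one accepted, which is what stops a shoulder-surfed or phished code from being reused inside the same 30-second window; the secret itself must still be stored server-side with the same care as a password hash, since anyone holding it can generate valid codes.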
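The automatic-deletion step above (45 days unused, or a separated employee) is easy to script as a scheduled review. The following is an added example, not the article’s or any directory product’s code; the account records, the HR separation list and the reference date are constructed, and a real job would read last-logon data from the directory and the separation list from HR before disabling anything.

```python
"""Added example: flag accounts for automatic disabling.

Assumption: the article's 45-day inactivity rule plus an HR "separated"
list. Never-used accounts age from their creation date so that a
provisioned-but-unused account does not live forever. All records below
are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

INACTIVITY_LIMIT = timedelta(days=45)


@dataclass
class Account:
    username: str
    created: datetime
    last_login: Optional[datetime]   # None = never logged in
    enabled: bool = True


def should_disable(acct: Account, separated: set, now: datetime) -> Optional[str]:
    """Return the reason an account should be disabled, or None if it is fine."""
    if not acct.enabled:
        return None                       # already handled
    if acct.username in separated:
        return "employee separated"
    reference = acct.last_login or acct.created
    idle = now - reference
    if idle > INACTIVITY_LIMIT:
        return f"inactive for {idle.days} days"
    return None


def disable_report(accounts: list, separated: set, now: datetime) -> dict:
    """Map username -> reason for every account the job would disable."""
    report = {}
    for acct in accounts:
        reason = should_disable(acct, separated, now)
        if reason:
            report[acct.username] = reason
    return report


# Constructed sample data: a reference "today", five accounts and one HR list.
NOW = datetime(2024, 6, 1)
SAMPLE_ACCOUNTS = [
    Account("alice", datetime(2023, 1, 15), datetime(2024, 5, 20)),          # active
    Account("bob", datetime(2023, 1, 15), datetime(2024, 3, 1)),             # 92 days idle
    Account("carol", datetime(2023, 1, 15), datetime(2024, 5, 30)),          # separated
    Account("dave", datetime(2024, 1, 10), None),                            # never used
    Account("erin", datetime(2022, 6, 1), datetime(2023, 1, 1), enabled=False),  # done
]
SAMPLE_SEPARATED = {"carol"}


if __name__ == "__main__":
    for user, reason in disable_report(SAMPLE_ACCOUNTS, SAMPLE_SEPARATED, NOW).items():
        print(f"disable {user}: {reason}")
```

Disabling rather than deleting on the first pass keeps the audit trail and makes an accidental hit reversible; deletion can follow after a holding period once no one has asked for the account back.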
There is no perfect solution for passwords as long as they are used; the human element always presents an inherent risk, especially as the number of users grows dramatically. However, there are a lot of steps an organization can take to limit the access and potential risk a password mistake can produce. Companies and organizations just need to exercise them proactively and take advantage of the tools they already have. Further, additional layers can increase complexity and defenses when applied. Call us to find out more information!