Guard That Password…Or Else!
Almost everyone has heard that they need secure passwords, changed often, or their accounts could be compromised. The problem is that secure passwords are hard to remember, especially when you have a different one for every account. I always believed that many people used insecure passwords, but a recent report from Imperva, which analyzed 32 million passwords exposed in a major security breach, really drove that point home.
According to the report, only 0.2% of the passwords were secure. That’s a fifth of one percent! So, what is a secure password? Imperva’s definition is a password with at least 8 characters, both upper and lower case letters, and at least one number and one special character. I can see why the percentage might be low for a password with all of those characteristics, but almost 50% of users chose passwords that were names, slang words, dictionary words, consecutive numbers or adjacent keyboard keys. Strings of numbers like 12345, 123456, 1234567, 12345678 and 123456789 were all very popular. In fact, those 5 passwords were all in the top 9 and accounted for about 1.5% of the passwords used.
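As an added example (this is not code from the original post or from Imperva), here is a small Python checker that implements the definition quoted above and also flags the weak patterns the report calls out: a list of common passwords, runs of sequential characters, and runs of adjacent keyboard keys. The COMMON_PASSWORDS set and the KEYBOARD_ROWS table are constructed for illustration; a real deployment would load a large breached-password list rather than a handful of entries.

```python
import string

# Imperva's definition as quoted in the post: at least 8 characters, upper and
# lower case letters, at least one digit and at least one special character.
MIN_LENGTH = 8

# Constructed sample of the kinds of choices the report describes (names,
# dictionary words, slang, digit runs). Illustrative only; use a real
# breached-password list in production.
COMMON_PASSWORDS = {
    "123456", "12345", "123456789", "password", "iloveyou", "princess",
    "rockyou", "1234567", "12345678", "abc123", "nicole", "daniel",
    "babygirl", "monkey", "lovely", "jessica", "654321", "michael",
    "ashley", "qwerty",
}

# Rows of a US QWERTY keyboard (an assumption), used to spot "keyboard walks".
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def _is_sequential(s: str, run: int = 4) -> bool:
    """True if s contains `run` characters whose code points step by exactly
    +1 or -1 throughout, e.g. '1234', 'abcd' or 'dcba'."""
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        diffs = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def _is_keyboard_walk(s: str, run: int = 4) -> bool:
    """True if s contains `run` physically adjacent keys from one row,
    in either direction, e.g. 'qwer' or 'rewq'."""
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            chunk = row[i:i + run]
            if chunk in s or chunk[::-1] in s:
                return True
    return False


def check_password(pw: str) -> list:
    """Return the list of policy failures; an empty list means the password
    satisfies the composition rules and matches none of the weak patterns."""
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in pw):
        failures.append("no uppercase letter")
    if not any(c.islower() for c in pw):
        failures.append("no lowercase letter")
    if not any(c.isdigit() for c in pw):
        failures.append("no digit")
    if not any(c in string.punctuation for c in pw):
        failures.append("no special character")

    # Pattern checks are case-insensitive: "Qwerty" is no better than "qwerty".
    low = pw.lower()
    if low in COMMON_PASSWORDS:
        failures.append("common password")
    if _is_sequential(low):
        failures.append("sequential characters")
    if _is_keyboard_walk(low):
        failures.append("adjacent keyboard keys")
    return failures


def share_passing(passwords) -> float:
    """Fraction of a password set that passes every check, i.e. the kind of
    figure the report's 0.2% headline is based on."""
    passwords = list(passwords)
    if not passwords:
        return 0.0
    return sum(1 for p in passwords if not check_password(p)) / len(passwords)


if __name__ == "__main__":
    # Constructed sample, not data from the report.
    for candidate in ["12345678", "Qwerty1!", "Password1", "Abcd123!", "Tr0ub4dor&3"]:
        print(f"{candidate!r}: {check_password(candidate) or 'ok'}")
```

Note what this does and does not catch: "12345678" fails five checks at once, while "Password1!" satisfies every composition rule and is still just a dictionary word with a predictable suffix, so it passes. Character-class rules are a floor, not a strength measure; the check against a real list of leaked passwords is the part that does the most work.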
Not good, but how bad could having such insecure passwords be? Well, someone could gain access to your financial accounts or your business’s. Or a disgruntled employee could access your company email or Twitter account and send inappropriate messages to all of your clients, as happened recently with Vodafone UK’s Twitter account. To be fair, we don’t know how the Vodafone UK employee got access to the account, but an insecure password, or one written on a post-it note, could have been the cause.
So, what’s the answer? You and your employees should be required to use a password that meets Imperva’s definition of a strong password. If possible, the password should be changed on a regular basis. Why? Some people would say it’s in case the password gets out: that way it might be changed before it can be used. I’d assume that if a password got out, it would be used immediately. The reason I believe passwords should be changed regularly is that employees will then be less likely to use the same password as they do for Facebook, Twitter or another personal account. That matters because if one of those accounts gets hacked, it opens the work account to attack as well.
Requiring a constantly changing secure password does open up another issue: how do you keep your employees (or yourself) from writing the password down and putting it somewhere it can easily be found? Obviously, the best thing is to memorize the password. If that can’t be done, write it down, but don’t keep it anywhere near the computer. Keep it somewhere safe, where it won’t be compromised. A wallet is a good choice; people tend to watch their wallets. Or keep the password in a password-protected, encrypted file on your phone (a password manager does exactly this), or on a folded piece of paper in a secure, locked location. Any of these is much better than writing the password on a post-it note and sticking it to the bottom of your keyboard. Yes, I’ve found passwords there. It’s like putting a key under the doormat. Not a good idea.
Now you all have secure passwords and don’t leave them lying around. You’re all set, right? No. Computers are like doors: if you don’t lock them when you’re gone, it doesn’t matter how good the lock is. Log out of your accounts, or even the computer, when you step away. At the very least, lock the computer with your password. To make sure you (or your employees) don’t forget, set the computer to require a password when the screensaver comes on, and set the idle time before the screensaver starts to something fairly short.
In one of my early jobs we took security very seriously, and when someone forgot to lock their computer for the night, we sometimes took the opportunity to play a prank that would trigger when they turned the computer back on. Don’t worry, all of the pranks were harmless. Needless to say, security awareness improved with time. (And no, I was never a victim.)
Now, I’m not suggesting hazing coworkers or employees. In fact, I’d strongly advise against it. We were all sure the people involved would take the jokes well, or we wouldn’t have played them in the first place. Instead, I’d recommend quietly locking down unlocked machines and leaving a discreet note.
The key thing I want you to take away is that you need to ensure that you and your employees use secure passwords and implement good password policies. Looking back at the locked door metaphor: use good locks, lock them when you aren’t home, and don’t leave the keys lying around for burglars to find. If you can do all that, you’ll be much safer.
Too much can go wrong these days if passwords are compromised. More and more business functions are handled over the internet, and attackers can compromise accounts faster than ever. So, don’t underestimate the attackers and don’t overestimate the security of your team’s passwords. Have good policies in place, enforce them with your systems, and educate your employees. Some people make mistakes simply because they don’t know any better.
I’ll admit, most of my passwords probably wouldn’t pass the “secure password” test. That being typed, I wouldn’t ever use “12345678.” I also wonder about security and mobile devices. Many of my iPhone apps save passwords, and automatically connect to services when launched. Granted, no one’s going to get access to my bank account that way. But they could access my Facebook and Twitter accounts. Something to consider.