Are your users’ passwords strong enough to keep a hacker out?
Just last week I came across a CEO who assured me that her passwords were all super secure. She was extremely confident that her entire team used strong passwords and that we had no need to dig into password security with them.
When we looked at a handful of passwords on the Dark Web (yes, her passwords were sitting wide open for anyone to see within that part of the internet that hackers and cyber criminals scour), one of her most frequently used passwords was the equivalent of PinkPony123, and there was a variety of derivatives of it in use for both personal and work accounts.
When I showed her the list she was stunned. “How on Earth did you find those!” was her first response upon seeing the compromised credentials for her and others on her team. She was so flabbergasted that we took a 15 minute break so that she could change a few of her secure passwords before taking a dive into some of the other holes in her network (Note: cybersecurity experts recommend getting a network security assessment to make sure your data is protected from the latest hacking techniques).
I started that meeting with passwords simply because many of us feel that our passwords are secure—no one could ever get onto our accounts by guessing.
Your Primary Line Of Defense
What we don’t always think about is that passwords are often the primary line of defense protecting our accounts from being hijacked. Many of the businesses I talk to don’t even have a password policy in place, and those that do either aren’t enforcing it or are working from a policy written years ago, one that hasn’t kept up with how cheap and fast password cracking has become in 2020.
Worst of all, most policies don’t account for overlap between workplace and personal credentials (remember when millions of accounts were hacked on Facebook?). When a consumer site is breached, every employee who reused that password at work has handed an attacker a working corporate login, and attackers automate exactly that: they replay leaked username and password pairs against other services (credential stuffing).
With the right policies and enforcement in place to ensure strong and unique passwords, your organization is a lot closer to securing your network than you think. Today I want to talk briefly about some tips for ensuring that your team has a functional password policy that you can easily enforce and get people to follow.
Tips for Your Password Policy and Process:
Monitor For Compromised Credentials—data dumps from major breaches are appearing more and more often. Over 2 billion passwords had been published as of the fall of 2019, with no telling how many more will be added this year as the attacks stack up. Lists of usernames, passwords and other credentials have skyrocketed in the past few years, and hackers feed those lists straight into automated attacks on corporate logins, often as the first step toward holding your data for ransom. If you’re not monitoring your team’s credentials, both personal and work-related, you may be leaving staff open to extortion, and some of those attempts may pressure them into giving a hacker access to your business’ sensitive data.
Security experts recommend starting that monitoring now, at the very least for key people on your teams, focusing on those who are publicly visible or have easy access to sensitive information. In practice monitoring means two things: watching for your email domains in newly published dumps, and rejecting any password that already appears in a known breach corpus at the moment it is set or changed, so that a reused personal password never becomes a corporate one.
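The check described above, as an added example that is not part of the original post: a password-set hook looks each candidate password up in a breach corpus without ever sending the password, or even its full hash, to the lookup service. The shape follows the k-anonymity range lookup used by Have I Been Pwned’s Pwned Passwords API (client sends the first 5 hex characters of the SHA-1, service answers with every matching suffix and count); here the service is simulated with a small constructed corpus, and the account list is hypothetical, so the script runs offline.

```python
import hashlib

# Constructed sample breach corpus for this example (not real leaked data).
# A real deployment queries a range endpoint of the Pwned Passwords style
# (GET /range/{5-hex-char prefix}, answered with 'SUFFIX:COUNT' lines) or a
# locally downloaded hash list; both are assumptions, not the post's tooling.
SAMPLE_BREACH_CORPUS = ["PinkPony123", "PinkPony124", "password", "Summer2019!", "letmein"]

# Constructed sample of accounts being checked at password-set time (hypothetical users).
SAMPLE_ACCOUNTS = {
    "ceo@example.com": "PinkPony123",
    "cfo@example.com": "glacier-umbrella-violin-47",
    "it@example.com": "Summer2019!",
}


def sha1_hex(password: str) -> str:
    """Breach corpora are keyed by SHA-1 of the plaintext (Pwned Passwords
    convention), so the client hashes locally before looking anything up."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Index the corpus the way a range service stores it:
    5-char hash prefix -> {35-char suffix: number of occurrences}."""
    index = {}
    for pw in corpus:
        h = sha1_hex(pw)
        bucket = index.setdefault(h[:5], {})
        bucket[h[5:]] = bucket.get(h[5:], 0) + 1
    return index


BREACH_INDEX = build_range_index(SAMPLE_BREACH_CORPUS)


def range_lookup(index, prefix):
    """Simulates the range endpoint: the client sends only the 5-char prefix
    (one bucket out of 16**5) and receives every suffix in that bucket, so the
    service never learns which password was being checked."""
    return [f"{suffix}:{count}" for suffix, count in sorted(index.get(prefix, {}).items())]


def breach_count(index, password):
    """How many times the password appears in the corpus (0 = never seen).
    The full hash never leaves this function; only the prefix is 'sent'."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in range_lookup(index, prefix):
        seen_suffix, count = line.split(":")
        if seen_suffix == suffix:
            return int(count)
    return 0


def audit_accounts(index, accounts):
    """Report only the users whose candidate password is already in breach data."""
    results = {}
    for user, pw in accounts.items():
        count = breach_count(index, pw)
        if count:
            results[user] = count
    return results


if __name__ == "__main__":
    for user, count in audit_accounts(BREACH_INDEX, SAMPLE_ACCOUNTS).items():
        print(f"{user}: password seen {count} time(s) in breach data; reject and force a reset")
```

Run this inside the password-change flow, where the plaintext is legitimately in hand; never collect staff passwords for a separate audit. For accounts that already exist, monitoring works the other way round, by matching your email addresses and domains against new dumps, because the plaintexts are not available to you.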
Use Password Management Systems—while password managers have become commonplace in some organizations, in a lot of organizations I see a hodgepodge of password habits. Some people are STILL recording all of their passwords in text files or Excel spreadsheets labeled “passwords”. Hackers are well aware of this and have automated searching for and harvesting such password storage files. Others on your team may be using the same password (or a derivative of it) for every critical account they have access to. Still others are sharing passwords amongst themselves. Reused and shared passwords put your organization at risk of severe data loss, because you are practically handing over the keys to your entire kingdom: one breach anywhere unlocks everything.
Experts recommend storing a unique, randomly generated password for every account in a password manager (one in which you can also record security question answers and long, complex passwords). With a manager holding the passwords, your team can fill them into applications or browsers without having to memorize, reuse or write down credentials, and the manager’s generator removes the temptation to invent a memorable (and therefore guessable) one.
Understand When To Reset—this is probably one of the hardest things to figure out. One long-practiced principle of password security among leaders has focused on forced password resets at fixed intervals; monthly or quarterly resets are relatively standard. Current guidance (NIST SP 800-63B) moves away from that and recommends changing a password when there is evidence it has been compromised rather than on a calendar, precisely because scheduled resets push people toward predictable variations of the old password.
Now, I strongly believe in password resets, but many on your staff may be working the system by modifying old passwords to avoid having to rememorize or reconstruct a password so regularly. What might work better than a forced reset for everyone is getting them to understand WHY a reset is necessary. As you start sharing stories of password compromises and give them access to their exposed information online, consider devising a strategy with your entire team to figure out what reset schedule makes sense in your workflows. Be sure to hold them accountable to keeping to that schedule! Consider having everyone sign a document affirming their commitment.
Enforce Password Complexity—there are far too many organizations allowing weak, easily cracked passwords on their networks (that CEO above is a prime example). As you start communicating with your team about passwords, get them to understand WHY (yes, the WHY is a critical key to getting security right within organizations) they need standards for passwords. Hackers today run GPU cracking rigs that try billions of guesses per second against leaked password hashes, and they don’t guess at random: dictionary and rule-based attacks try human patterns first, a word with a capital letter and a few digits or a symbol tacked on, which is exactly the shape of PinkPony123. The longer a password is and the less it follows a predictable pattern, the harder someone will have to work to crack it; length matters more than sprinkling in symbols, and a password that already appears in a breach list is weak no matter how complex it looks. As you raise your uniqueness, length and complexity standards for permissible passwords on your network, you will see your risk of a successful brute-force or credential-stuffing attack drop dramatically.
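The reset and complexity points above, as an added example that is not part of the original post: a policy check that rejects short passwords, passwords in a breach list, dictionary words with decoration, and trivial derivatives of the previous password (the PinkPony123 to PinkPony124 trick), alongside the naive brute-force estimate most complexity rules are based on. The point of showing both is that PinkPony123 scores about 65 bits by the brute-force formula, which looks respectable, yet it falls to a rule-based dictionary attack immediately. The minimum length, the 60-bit floor, the 10 billion guesses per second rate, the leet-substitution map and the tiny wordlist are all assumptions chosen for the example, not numbers from the post.

```python
import math
import re
import string

# Assumed policy parameters for this example (not from the original post).
MIN_LENGTH = 14                      # length is the cheapest way to add strength
MIN_BRUTE_FORCE_BITS = 60            # reject anything a brute-force search would find quickly
OFFLINE_GUESSES_PER_SECOND = 1e10    # assumed GPU rig against a fast hash such as NTLM or SHA-1

# Constructed mini wordlist standing in for a real cracking dictionary.
WORDLIST = {"pinkpony", "password", "letmein", "summer", "welcome", "qwerty"}

# Common "leet" substitutions that cracking rules undo; the mapping is an assumption.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def charset_size(pw):
    """Size of the alphabet a pure brute-force attacker would have to cover."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation or c.isspace() for c in pw):
        size += 33
    return size


def brute_force_bits(pw):
    """Upper bound on strength: bits if every character were picked uniformly.
    A human-chosen password is almost always far weaker than this number."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def crack_seconds(bits, rate=OFFLINE_GUESSES_PER_SECOND):
    """Expected time to find the password by exhausting half the keyspace."""
    return (2 ** bits) / 2 / rate


def normalize(pw):
    """Strip the decoration people add at reset time so derivatives collide:
    PinkPony123, PinkPony124 and P!nkP0ny2020 all reduce to 'pinkpony'."""
    core = pw.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", core)   # drop leading/trailing digits and symbols
    return core.translate(LEET)


def is_dictionary_pattern(pw):
    """A dictionary word with digits or symbols bolted on is a one-rule crack."""
    return normalize(pw) in WORDLIST


def is_derivative(new, old):
    """True when the new password is just the old one with the decoration changed."""
    a, b = normalize(new), normalize(old)
    if not a or not b:
        return False
    return a == b or (min(len(a), len(b)) >= 4 and (a in b or b in a))


def evaluate(pw, previous=None, breached=frozenset()):
    """Return the list of policy rules the password fails (empty list = accepted)."""
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append("too_short")
    if pw in breached:
        failures.append("breached")
    if is_dictionary_pattern(pw):
        failures.append("dictionary_pattern")
    if previous is not None and is_derivative(pw, previous):
        failures.append("derivative_of_previous")
    if brute_force_bits(pw) < MIN_BRUTE_FORCE_BITS:
        failures.append("low_entropy")
    return failures


if __name__ == "__main__":
    samples = [("PinkPony123", None), ("P!nkP0ny2020", "PinkPony123"),
               ("correct horse battery staple", "PinkPony123")]
    for pw, prev in samples:
        bits = brute_force_bits(pw)
        print(f"{pw!r}: {bits:.1f} bits, naive crack time {crack_seconds(bits):.0f}s, "
              f"fails {evaluate(pw, prev)}")
```

The derivative check needs the previous password in plaintext, which is only available at the moment of the change (the user supplies the old one to authorize the new one); it cannot be run retroactively against stored hashes. A real deployment swaps the mini wordlist for a full cracking dictionary and the breach set for the lookup shown earlier.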
While these password best practices are certainly not a comprehensive roadmap for your cybersecurity, they are a good start for taking a proactive stance on how your security program is regarded and run. In particular, they are a great first step toward getting your team members to think about their own personal cybersecurity.
If you can help your teams understand that they are at risk in their personal accounts (banking, for instance) and get them to change some bad behaviors so that their accounts aren’t hacked, in all likelihood they will start using those same practices within your organization.
Concerned about your team’s password security?
Consider a free network security assessment to put together a roadmap to improving your security stance.