- Armed guards and locked doors no longer protect the world’s most valuable assets. Instead, we rely on passwords to protect our money, our trade secrets and vital infrastructure like airports and utilities. If your company has weak password management, public embarrassment in the media is the least of your problems. Disgruntled employees might disable key systems on their way out or look for a quick pay day. There’s a thriving black market for passwords: three buyers paid $300,000 for a database of Yahoo email passwords (and password reset questions) in 2016.
The 7 Bad Password Habits That Hurt Organizations
- To build your password management business case, you need to understand the risks and threats posed by weak passwords. With a few passwords, a skilled hacker can sell access to critical accounts, expose sensitive information or hurt your reputation.
- How many of these bad habits do you see in your organization today?
- Using Common Passwords. It’s no secret that many users view setting passwords as a dull chore. Unfortunately, that attitude leads to lazy thinking for passwords. According to industry research reported in the Telegraph, the most common passwords in 2016 included: 123456, qwerty, password and google. Using passwords like these is like leaving your car door open with the keys in the ignition.
- Using Default Passwords. Some devices, like home Wi-fi routers, come equipped with default passwords by the manufacturer. If these are not reset and made more secure, you provide an easy entry point for those who want to gain unauthorized access.
- No Password Complexity Rules. Some immature password systems allow users to enter a simple word as their password like “John” or “password.” This approach is not going to cut it anymore. Hackers no longer have to manually guess passwords — they can use automated tools to carry out attacks. Even worse, some reports indicate that hacking tools are rapidly becoming cheaper.
- Eternal Passwords. Individual users and companies both share in this failing. Setting a password once and never changing it makes it easier to attack. In essence, you are providing a “fixed target” for attackers to address. Just imagine if you combine this failing with using a common password like “qwerty” or “password.”
- One Password to Rule Them All. Single sign-on passwords are helpful and users love them. If these passwords are not controlled properly, you are effectively handing the keys to kingdom away.
- Sharing Passwords. A colleague swings by your cubicle and asks to “borrow” your password. Do you grant his request? On the one hand, you might feel an obligation to be helpful. On the other hand, password sharing undermines identity management. Making password resets painless is a better way to handle the situation.
- Reusing Passwords Over and Over. We’re all guilty of this mistake. You sit down to use a new website and think “Hmm, I’ll just use my ‘standard password’ to create an account.” That behavior is particularly problematic if you have access to highly sensitive materials.
- Developing your password management business case is easy once you realize all the ways that passwords can fail. If you have seen even one of the bad habits above at your organization, it is time to level up your password management program.
The Road to Better Password Management
- Improving your password management practices requires a holistic approach. Installing a tool like Avatier’s Password Station is crucial. For the best results, your password management software needs to be supported by policy and other factors. Let’s unpack the components of a “minimum viable password program.”
1 Company Password Policy
- Create a one page password policy that defines how users and your systems will use passwords. This document will include management aspects such as who can approve new password protected accounts and how often they are reviewed. In addition, the policy will also address technical details such as password length, password complexity and the password reset policy.
- If you are starting from scratch, consult the Carnegie Mellon University (CMU) example in the sources section. The university recommends users change their passwords every 90 days. In addition, “initial” passwords are set to automatically expire after a set period of time. Beyond these rules, CMU also recommends that users receive email notifications for all password changes.
2 Training and Process
- Creating a password policy is just the beginning. You also need employees — technical and non-technical — to understand the policy and how to apply it. At a bare minimum, send a memo email announcing the policy to all employees. You may also provide training sessions where employees can ask questions.
- Tip: If you are hip-deep in password issues every day, remember that your users may not know the risks of poor password habits. Take the time to make your password management business case to them as part of the training.
3 Implement a Password Management Tool
- Manually enforcing a password management policy quickly becomes a difficult chore. Just one or two managers forgetting to enforce the policy will lead to an exposure. To obtain consistent results and save time, use a solution like Avatier’s
- . It’s already used by Lockheed Martin and the Nuclear Regulatory Commission, organizations that take security seriously.
4 Password Management Reviews and Audits
- Like it or not, no process or technology stays in top condition without periodic reviews. To keep your systems and users safe, organize regular password reviews. Use the following suggestions to reduce the risk of hacking and unauthorized access:
- Employee Change. When employees change roles, their new manager needs to review their passwords and access to confirm it is appropriate.
- Annual Policy Review. Each year, set aside some time to review your password policy. This process is especially important if your company is growing rapidly.
- Management Review. Ask each manager to review the passwords and accounts used by all of their staff annually. If you operate in a highly regulated industry like financial services or government, you may need to carry out more frequent reviews.
- Internal Audit’s Assessment. We all have blind spots in our work. That’s where internal audit can play a role — by carrying out an end-to-end assessment of your password management policies and procedures.
Guidelines for Password Management (Carnegie Mellon University)
Hacked Yahoo Data Is for Sale on Dark Web (New York Times)
The psychological reasons behind risky password practices (Help Net Security)
The world’s most common passwords revealed: Are you using them? (The Telegraph)