Password Strength

Are weak passwords putting your business at risk?
By Ray Rannala, FutureNet Group, Inc.

Verizon recently released a startling study claiming that 63% of all data breaches resulted from weak or stolen passwords. There are endless flaws in passwords that greatly increase the risk of being hacked yet so many organizations fail to take recommended measures to keep their systems safe.

While it stands to reason that passwords are critical to maintaining privacy and security, recent research has shown that the two most common passwords are (believe it or not!) 123456 and password. If you were a hacker, what would you do first? In fact, a few years ago I was sitting in a physician’s waiting room and had asked the receptionist for the credentials for the free Wi-Fi. She told me that she did not have it. For fun I entered: ID= Admin, PW= Password and I was connected. Fortunately, this network was segregated from the business network of the office, but proves my point.

Yet another problem is the fact that since employees access many sites during the course of the workday, they generally use the same password over and over again and bad ones at that. Once that password is compromised, it opens the doors to multiple sites exacerbating the problem.

Okay, now that you have heard the problem, what about a solution? Well, the first thing companies need to do is to enforce complex and long passwords for all systems accessed by employees. 10 digits composed of letters, numbers and characters is a good start. To do this password complexity checking should be deployed for access to all systems. It becomes a relatively simple task to ensure that employees follow the rules. These systems can establish a minimum length and content of the password. They can also screen out a dictionary of words like “password”! Many organizations do this already, but universal compliance is the real goal. Yet another simple and elegant solution suggested by the guy who first preached password complexity (from an NBC News article), is to string random words together like 9MonkeyBoltPie! which is statistically highly complex, yet somewhat easy to remember.

While password complexity is a solid start, once you introduce the human element, you end up with sticky notes! So much for complex passwords. A better approach is to implement multifactor identification.(also referred to as MFA-Multifactor Authentication) This is primarily used by companies where employees have access to really sensitive information. Multifactor authentication uses a secondary piece of evidence in combination with a primary password to guaranty that the person logging is in fact who they say they are. This is done using a one-time code from a token device or even a text message sent by the application to the person’s phone. Unfortunately this is a more costly and difficult system to manage, but certainly worth it to protect the treasures of the company. This is particularly important when employees access the company from the outside from say a Starbucks!

A third and possibly more palatable solution for employees is the use of a Password Vault. These applications help folks store and manage their passwords. They encrypt the user’s passwords and only grant access via an extremely strong Master password. This system allows a user to create highly secure passwords (say 30 digits with 8 characters and 9 numbers) because the user never needs to re-type them once in the vault. Nice huh! This is becoming a more widely used strategy because it is effective, easy to use and mostly safe. I recently read that nearly 1/3rd of firms polled say that they have deployed password vault technology for their employees. This makes good sense.

I strongly recommend that users and organizations take a close look at their password strategy and make certain that you have a policy that works for you! Like I recently heard…Passwords are like underwear, you should change them regularly, keep them private and never show them to anyone!

FutureNet Group offers a broad range of solutions to protect businesses from a wide range of cyber-attacks including managed security services and cyber assessments to name just a few. We can also provide your organization with education to create awareness for your colleagues, senior management or decision makers. To contact us, call our main number 313.544.7111 or you can reach me directly at 727.410.8344 (raymondr@futurenetgroup.com) to discuss possible vulnerabilities and challenges your company may be facing and strategies we can employ to secure your business.

FutureNet Group has built a long term trusted relationships with organizations like the Department of Defense, many Federal agencies, and large corporate enterprises by providing a broad range of highly effective security solutions.