Passwords are the lifeblood of the IT industry. Everything has a password to access services, applications, or even devices.
So why, if everything we use demands one, are we all so terrible at password discipline? And why don't more companies have password management measures in place?
Regularly, surveys and reports suggest that too many people use the same usernames and passwords for virtually everything we access, from our eBay accounts, to our corporate invoicing and financing accounts, and from dating websites, to customer databases.
Indeed, other surveys reveal too many of us still use "password", our children's names, or family pet name as a password. A colleague, just last week, was at a local business that used "ABCDE12345" as its wifi password. Not good practices.
It is a cybercriminal's dream-come-true. He or she knows that if only one password is cracked, a whole other world of opportunities opens up, even within strongly defended business networks.
Criminals have known for years that people are the weakest link in any organizations' defenses, and that by cracking one person's account, they can effectively crack the multi-million dollar software and hardware investments.
Employees who have reused corporate emails and passwords for personal use can put their employers at risk of account takeovers, credential stuffing and extortion attempts.
The thing is, it is all so unnecessary with freely available password vaults that encrypt and protect both password and usernames from hackers. Two- and three-factor authentication that requires not only a password and username, but also something that only that user has on them, e.g. a piece of information only they should know or have immediately on hand - such as a physical token or mobile phone authentication application.
Using a username and password together with a piece of information that only the user knows makes it harder for potential intruders to gain access and steal that person's personal data or identity.
We are in the business of making it as tough as we can for the attackers, and to do that we must learn to manage our password and usernames in a professional and responsible manner.
Simple best practices are:
- Establish a policy for which external services and applications are allowed to be associated to corporate email accounts.
- Understand and monitor approved external services for password policies and formats to understand the risks and lowest common denominators.
- Proactively monitor for credential dumps relevant to your organization's accounts and evaluate these dumps to determine if the dumps are new or have been previously leaked, in which case you may have already addressed the matter.
- If you have any user behavior analytics capabilities, import compromised identity information and look for any suspicious activity (e.g., accessing resources that have not been accessed in the past.)
- Update security awareness training to include the risks associated with password reuse.
- Encourage staff to use consumer password management tools like 1Password or LastPass to also manage personal account credentials.
Until retina or fingerprint scanning, or any other security process becomes a regular feature in IT and replaces the password, we as employees need to take control of online habits and maintain password discipline. Our employers in turn need to be more proactive on their cyber defenses and ensure the set policies, monitor activities, and educate employees. Then maybe we will begin to see a reduction in incidents of data breaches and other hacks.