Anytime a system gets hacked the first thing we’re told to do is “change your password”. Following through with this advice is a smart move since it prevents stolen information from being used to gain access to users’ accounts. However, there is a challenge that arises in implementing this solution: the user.
While most large scale security breaches are from external attacks, the user of a system can create large and devastating security vulnerabilities. These largely stem from how users implement your system’s password requirements and their own bad habits in creating/managing their passwords.
The bad habits of your users can come back to haunt you, especially if it endangers your organizations legal obligations. Recently, the US Department of Health and Human Services fined “New York Presbyterian Hospital and Columbia University Medical Center $4.8 million for the disclosure of nearly 7,000 medical records because of lax technical safeguards” (Boston Globe).
Weak passwords make hacking easier. Ask yourself, “Is not having a password policy worth being fined over?” No, it’s not. If your organization handles documents and information that needs to be secured and stored electronically then you should begin implementing a password policy.
Here are 3 things to consider when creating a password policy:
1. Long/Strong Passwords
We’re all use to using passwords. Nearly every device, service, or system we use requires a password and creating one is typically the first step in gaining access. With hacking on the rise, more systems require what’s known as a long/strong password – something that’s over 8 characters, has a number, a capital letter, a special character if you’re lucky, and isn’t easily guessed.
Creating a good long/strong password can be difficult and users will usually create a password 1 of 3 ways:
1. They create a simple and easy to remember password that meets the length requirement – typically something personal.
2. They use the same password that’s used for their other logins – maybe adding some numbers.
3. They make a complex long/strong password and have trouble remembering it – so they write it down.
The problem with simple passwords is that they’re easy to guess. All a hacker needs to gain access is some personal information about the user, which can easily be obtained through their social media accounts. Worse yet, the user might unwittingly give it away to an unknown caller.
A similar problem occurs with using the same password over and over. They’re usually simple passwords that are easy to guess and poorly thought out. Even worse is that once a hacker has that password, they can gain access to a user’s other accounts.
Finally, many people who create well thought-out long/strong passwords write them down so that they don’t forget. Although this may make it easier to remember, the password is usually written down on a post-it note or other open piece of paper then stuck on a monitor or placed under a keyboard. Great password, but not a secure one.
Plus, if a user can’t remember their password, how can they be expected to change it?
2. Two Factor Authentication
When passwords become an issue, people jump to two factor authentication. It’s more secure in a way – you can’t just log in with a username or password. You have to provide an additional piece of information.
However, most of what I see are systems that will send a code via text that you’ll enter in the second stage of the login. (The same process is used for changing forgotten passwords.) In the B2B world, workers don’t want to provide their personal phone numbers out of fear that the software company will track and sell their information.
Gee! I wonder why they have this fear. Think of Facebook, LinkedIn, Yahoo, and Google. They all gather your info, which you’ve most likely given voluntarily, and sell it – literally spreading your personal info around the world.
The other downside to this method is the inability to guarantee text messages reach the intended person. If a person doesn’t have cell service when the message is sent out, then that person may never receive the message. What if I have your phone? Then I get the text message, not you. Maybe you forgot the password to your phone and are unable to unlock it to read the text message.
3. Automated Lock Out
Another common solution is an automated lock out of an account after a certain number of failed login attempts. However, this feature usually gets turned off after 6 months due to a company’s IT not having the resources to keep unlocking accounts all of the time.
I once witnessed a person forgetting his password 15 times over a two week period. IT had to unlock his account every one of those times.
Teach Your Users Best Password Practices
Teaching people best password management practices can go a long way. People can’t change passwords they don’t remember and there’s no point in having a password if you’re going to keep it out in the open.
Always Teach Users To:
- Log out of systems they’re not using.
- Not write down their passwords (if they do, make sure they’re kept in a secure location).
- Take the time and consider a strong/long password that they can remember.
It’s a constant effort to continually improve and close holes in security – just make sure your users aren’t one of them.
