We know that eating healthy and exercising more can help maintain a healthy weight, yet why do so many of us avoid doing it? The same question could be asked of setting up strong passwords. Many companies are ‘not’ choosing strong passwords—yet we ‘know’ passwords are critical to the protection of both our workplace and personal data. A recent study on the psychology of passwords shows that:
- 91% of respondents knew there was a risk associated with reusing passwords, yet 61% reused the same or similar passwords anyway.
- 39% of respondents said they create more secure passwords for their personal accounts than they do for their work accounts.
- Most people change their passwords because they can’t remember them—not because of security reasons.
Unfortunately, cybercriminals are good at preying on our weaknesses—and small and medium-sized businesses (SMBs) continue to be a leading, and growing, target. A September 2017 report by the independent Ponemon Institute says, “The risk of a cyberattack is increasing for companies of all sizes and industries when compared to last year. More than 61% of SMBs have been breached in the last 12 months vs 55% in 2016.”
Sloppy passwords open doors to cybercriminals. Yet personality studies show people still tend to choose easy-to-remember passwords. How can the fear of forgetting a password override the fear of getting hacked? How do users pick passwords? Which passwords, business or personal, do people consider more important?
Knowing what’s behind password choices could help change behavior.
The password psychology study found that, "Most admit to knowing better, but still implement poor choices and tactics in creating and managing passwords for their digital lives. Knowing the right thing to do and actually doing the right thing are separate discussions when it comes to password habits."
Breaking down the study further, it found that 63% of breaches in 2016 used weak, default or stolen passwords. Most of these passwords, 82%, used a combination of letters, numbers and symbols that were all too familiar, such as:
- Initials, or friends or family names (47%)
- Significant dates and numbers (42%)
- Pet names (26%)
- Birthdays (21%)
- Hometown (14%)
- School names or mascots (13%)
Devices like laptops, smartphones and tablets are connected to our workplace, banks, vendors and many other places we interact with day-to-day. A single device can have multiple users, each with their own password. Having an administrator for multi-user devices is important for managing all the users and modifying the software when needed. If that’s not possible, you may want to consider partnering with a security service provider.
Create ‘strong’ passwords that are easier to remember.
One of the latest tips is to think of a phrase you won’t forget, like ‘Do not be late for dinner tonight.’ Your password could then look like this: DNbl4d2n. While new options for creating passwords are breaking ground, conventional wisdom still holds:
- Don’t make passwords easy to guess by using personal information such as your name or pet’s name. (Personal information can be easy to find on social networking.)
- Avoid common words that are easy to guess.
- Get creative by using deliberate misspellings like PH for ‘f’.
- Use different passwords for different accounts and devices so that if attackers guess one password, they won’t have access to other accounts.
- Use multi-factor authentication—also called two-factor authentication—most simply explained as using two different pieces of evidence when logging into accounts. Familiar examples include entering a PIN (personal ID number) or logging into a website that sends a numeric code to your phone before granting access to an account. The additional layer of recognition makes breaking into your account much more difficult for hackers. (Use of another password is ‘not’ considered multi-factor.)
Review and update corporate policies for password best practices.
Outdated corporate policies leave systems open to breaches. Managed security professionals, Homeland Security and many other industry experts repeatedly emphasize the importance of enforcing strong corporate policies.
Windows Server enables ‘best practices’ by providing for:
- Complexity—Setting a minimum number of password characters (at least 8–14 characters).
- Enforcement—Controlling use of passwords. (Windows Server 2008 notifies users when the password expiration date is approaching. Any time it’s less than 30 days away, users see a warning when they log on and are told to change their password within a specific number of days. Settings can also prevent users from switching back to old or weak passwords.)
- Lockouts—Ensures that user accounts automatically ‘lock out’ when a certain number of bad passwords are entered. (The number is determined by a domain administrator.)
- Granularity—All versions since Windows Server 2008 can apply separate password policies to different sections of the business. Creating policies like these lets a business enforce more than one policy; we are past the days of a one-policy-fits-all approach.
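The four controls above can be applied from the ActiveDirectory PowerShell module. This is an added example, not code from the article or from Microsoft; the policy name "PrivilegedAccounts-PSO" and the numeric values are illustrative choices, and "Domain Admins" is the built-in group.

```powershell
# Added example: baseline domain password policy plus a stricter fine-grained
# policy (PSO) for privileged accounts. Run as a domain admin on a DC or RSAT host.
# Assumptions: "PrivilegedAccounts-PSO" and all numbers are illustrative choices.
Import-Module ActiveDirectory

# 1. Review what is in force today before changing anything.
Get-ADDefaultDomainPasswordPolicy | Format-List

# 2. Complexity, enforcement and lockouts for every domain account.
$domainPolicy = @{
    MinPasswordLength           = 14                       # upper end of the 8-14 range above
    ComplexityEnabled           = $true                    # mixed character classes, no account name
    PasswordHistoryCount        = 24                       # blocks switching back to old passwords
    MinPasswordAge              = [TimeSpan]'1.00:00:00'   # stops cycling through the history in one sitting
    MaxPasswordAge              = [TimeSpan]'90.00:00:00'  # expiration that triggers the logon warning
    LockoutThreshold            = 10                       # bad attempts before the account locks
    LockoutObservationWindow    = [TimeSpan]'00:30:00'     # window in which bad attempts are counted
    LockoutDuration             = [TimeSpan]'00:30:00'     # how long the account stays locked
    ReversibleEncryptionEnabled = $false                   # never store recoverable passwords
}
Get-ADDefaultDomainPasswordPolicy | Set-ADDefaultDomainPasswordPolicy @domainPolicy

# 3. Granularity: a stricter PSO for privileged accounts (needs 2008+ domain functional level).
#    When several PSOs apply to one user, the lowest Precedence wins.
$psoName = 'PrivilegedAccounts-PSO'
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -MinPasswordLength 20 -ComplexityEnabled $true `
        -PasswordHistoryCount 24 -MinPasswordAge '1.00:00:00' -MaxPasswordAge '60.00:00:00' `
        -LockoutThreshold 5 -LockoutObservationWindow '00:30:00' -LockoutDuration '01:00:00' `
        -ReversibleEncryptionEnabled $false
}
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'Domain Admins'

# 4. Verify which policy a given account actually resolves to (PSO beats the domain default).
Get-ADUserResultantPasswordPolicy -Identity 'Administrator' |
    Format-List Name, MinPasswordLength, PasswordHistoryCount, LockoutThreshold
```

Step 4 is the check worth keeping in a change ticket: a PSO that exists but has no subjects, or a higher precedence number than another PSO, silently leaves the account on the weaker policy.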
Staying current on password best practices takes diligence. The alternative could be a breach that costs time and resources to put your business back in the good graces of your customers.
Strong passwords are ‘still’ your first line of defense.
Beyond passwords, there are many more security options that put the “Hackers Not Welcome” sign on your system. Managed security experts are providing those options, and small and medium-sized businesses are finding these services substantially mitigate their risk of breaches.
But even with the best security in place, a business that does not require strong passwords is putting itself at risk. If you have any questions about how to secure your password policies, reach out to a managed security provider to get an outsider’s opinion. And remember, while strong password requirements are rarely popular among employees, they are your last line of defense against hackers. Don’t let your company be an easy target!