Passwords are the bane of the IT department’s existence, and it’s no wonder. People handle passwords as if they’re business cards, not the keys to the kingdom. And hackers love weak password because they are a guarantee that whoever holds the password can walk right into your IT infrastructure and in some cases, do whatever they want to do.
The app environment isn’t making password management any easier. According to App Annie, the average person uses 30 apps a month on their smartphone; at least 9 of them daily. SMBs have instituted liberal bring your own device (BYOD) policies, so in many cases, those are the same smartphones or other mobile devices are used to access company data. And they all need passwords. The challenge is trusting your employees will use strong passwords to secure the devices, apps, and programs they’re using.
Why Passwords are Important
The reason that IT departments despise passwords and password policies is that they’re a lot of work. Users often don’t realize that in the hacking world, passwords are valuable currency. When a hacker discovers a password, they have access to a variety of sensitive company information including:
- Client or customer files and all the data they contain;
- Employee records, files, and associated data;
- Financial records and information;
- Corporate planning, projections, and communications;
- And (in some cases) network and IT infrastructure.
Despite the importance of passwords, many SMBs still struggle to develop and maintain solid password policies. Fortunately, times change. In August the National Institute of Standards and Technology (NIST) released new password recommendations (Special Publication 800-63B). They are recommendations, however history has shown that NIST recommendations typically become the basis of standards.
Within these recommendations NIST has stepped back from past suggestions that businesses require frequent password changes and from the advice that passwords should be complicated gibberish that includes both upper and lowercase letters, numbers, and symbols. According to NIST, these requirements make it difficult for employees to remember passwords. Frustrated users write down their passwords 49 percent of the time. They store them in digital documents 24 percent of the time, and most people only alter a password by one digit when a new password is required. This increases the risk from weak passwords.
New Password Requirements Don’t Mean Less Security
Although NIST recommends less stringent rules for creating passwords, the organization also suggests that companies should have authentication processes that include screening against a common list of frequently used passwords and storing user passwords in a safer manner by masking them.
It seems simple, but these changes equate to huge reductions in user frustration which means increased security. For example, users are so frustrated, 90 percent of them create passwords that are crackable within six hours, and 65 percent of people use the same password for personal and business access. Some of the most common passwords make up nearly 17 percent of the passwords according to Keeper Security, a password management vendor. They include:
The suggested changes to password requirements are designed to make it easier for users to create long passwords that are less discoverable.
New Password Best Practices
So, if the old password requirements are out, what are the new best practices? These updated password requirements favor the user and put the burden of protection on the organization. They include:
Create longer, simpler passwords
Users should create passwords that are a minimum of 8 characters long, but the requirement to use uppercase, lowercase, numbers, and symbols is removed. Instead, passwords should be all lowercase, random words that are easy for the user to remember but hard for others to guess.
An even better strategy is for users to create a password phrase by picturing a scene and then choosing four random words from that scene that are memorable. Users could also use a password generator and then create a mental image to help them remember the words.
Randomness is key
One of the most frequent mistakes that users make when creating passwords is to use familiar words, repetitive letters or numbers, or sequential characters. People also use their own name, the name of the application, company, or department they work with, or they use the names of their family members. These are often easy to guess. Instead, the key to simpler passwords is to use regular English words that are memorable.
It’s no longer suggested that users replace letters in common words with numbers, either. Again, this makes the password hard to remember and increases the likelihood it will be written down or stored somewhere accessible.
Still no shared passwords
In a study done by LastPass, 73 percent of respondents said sharing passwords was risky, yet 61 percent were still willing to share work passwords. It may be as simple as the wi-fi password, or the password to a shared application, but this behavior puts the SMBs at risk. Each user should have their own password, and in instances where it’s necessary to share passwords, a password reset should be required upon completion of the task.
User should still have more than one password
Using the same password for every application, program, device, and network a user must access is still a bad idea. Unique passwords are still necessary to create a layer of protection in case one password is discovered. If it’s the only password used, then the person that has it has access to everything. Users will still have to use multiple passwords, but if that’s a problem, a password manager is one of the best tools you can deploy for password security.
Password policies are required and must be enforced
One reason that passwords are a risk area for SMBs is a lack of password policies. According to a report produced by Keeper Security and the Ponemon institute, 59 percent of SMBs have no idea what their employees’ password practices and hygiene are. Even for companies that did have a password policy 65 percent of them did not enforce the policy.
SMBs must create and enforce password policies. Cyberattacks are on the rise, and once a criminal discovers a single password, your organization is at risk. Without the proper controls in place, there’s no way to know for sure if your IT infrastructure is safe.
If you don’t have a security program or you’re not sure that your current security policies are effective, contact Advanced Network Solutions. Our team of IT professionals can assess your current capabilities and help ensure that you’re protected from whatever risks might come your way.