How Insecure Are Your Passwords?
August 10, 2017
IBA Group, Mark Hillary

Creating a secure environment for your information requires investment in technology and processes, but no matter how much you spend on systems, it is your people that are the weakest link. Planning an information security strategy needs to include measures that fight social engineering and other methods used to steal data.

The most basic problem, and one that occurs in every company, is password security. According to research published in Inc magazine, each valid email address has around 130 password-protected services associated with it. That is a huge problem if each one of us has to remember hundreds of different passwords.

The biggest problems are that people don't change their passwords frequently and they often use the same password for many systems. The danger is obvious, but what should be done to make systems more secure when the real problem here is user behaviour?

Inc has five recommendations for better password security:

1. Update passwords regularly; apply operating system settings that force your team to change passwords regularly, and also enforce a change if you suspect that a system has been breached.

2. Never reuse passwords; it is a common mistake, but this practice creates system vulnerabilities.

3. Use passphrases; long phrases are much more secure than a short password and are often easier to remember – use a favourite line from a book or movie, for example.

4. Multifactor security; for sensitive systems don't rely on a single password – use a system that creates a temporary password or uses biometrics to add a second level of security.

5. Never store passwords in plain text; files can be copied, and unencrypted files full of passwords are easy to spot. Use a secure password storage system if you really cannot remember every password you need to use.

This is good, solid advice, but the reality is that if each person has hundreds of passwords then they will almost certainly repeat them across systems.
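Two of the recommendations above, passphrases (point 3) and never storing passwords in plain text (point 5), can be shown concretely. The following Python script is an added example written for this post, not code from IBA Group or from Inc. It estimates the brute-force search space of a candidate password so you can see why length matters more than a few symbols, applies a simple length-based policy with a small constructed denylist, and stores a password only as a salted scrypt verifier rather than in clear text. The character-class sizes, the 14-character minimum and the denylist entries are assumptions chosen for illustration.

```python
import hashlib
import hmac
import math
import os

# Assumed alphabet sizes per character class (illustrative, not a standard).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}

# Constructed denylist standing in for a real breached-password feed.
DENYLIST = {"password", "password1", "123456", "qwerty", "letmein"}


def search_space_bits(password: str) -> float:
    """Upper bound on strength: log2(alphabet_size ** length).

    A real attacker guesses common patterns first, so this overstates
    strength for predictable input, but it shows why length dominates.
    """
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += CLASS_SIZES["lower"]
    if any(c.isupper() for c in password):
        alphabet += CLASS_SIZES["upper"]
    if any(c.isdigit() for c in password):
        alphabet += CLASS_SIZES["digit"]
    if any(not c.isalnum() for c in password):
        alphabet += CLASS_SIZES["symbol"]
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def evaluate_policy(password: str, min_length: int = 14) -> list:
    """Return the list of policy failures; an empty list means accepted."""
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if password.lower() in DENYLIST:
        failures.append("appears on the denylist")
    return failures


# scrypt parameters: 16 MiB of memory per guess, which slows offline cracking.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def make_verifier(password: str) -> dict:
    """Store a salted scrypt hash instead of the password itself."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return {"salt": salt.hex(), "hash": digest.hex()}


def check_password(password: str, record: dict) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    digest = hashlib.scrypt(password.encode("utf-8"),
                            salt=bytes.fromhex(record["salt"]),
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    for candidate in ("P@ss1", "Tr0ub4dor&3", "a favourite line from a film"):
        print(f"{candidate!r}: ~{search_space_bits(candidate):.0f} bits, "
              f"policy failures: {evaluate_policy(candidate) or 'none'}")
    record = make_verifier("a favourite line from a film")
    print("stored record contains no password text:", record)
    print("correct phrase accepted:", check_password("a favourite line from a film", record))
    print("wrong phrase rejected:", not check_password("wrong phrase", record))
```

The short, symbol-heavy password scores far fewer bits than the plain-English phrase simply because the phrase is longer, which is the point behind recommendation 3; and the stored record holds only a salt and a hash, so copying the file does not hand anyone the password, which is the point behind recommendation 5.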
To really enforce information security inside a real company, without 'perfect' people, requires planning. I would advise the use of an enterprise-wide secure password management system, so everyone is encouraged to use different passwords but has a system to support them.

In addition, biometric systems are not expensive and are now very common – look at how the Apple iPhone allows a user to unlock the phone using their fingerprint. Consider protecting your most important systems, those using customer data for example, with multiple layers of security and not just a password.

A good password policy sounds simple, but enforcing good behaviour on users can be difficult. Use pragmatism and support your team so they can work securely.