This week we’re jumping around a little and diving into Step 5 of the Small Business Administration’s guidelines for defending your business against cyber threats—Use strong passwords and change them often to protect from external and insider threats.
Passwords are like some politicians. They might look complex and hardworking, but in reality, they’re just the same tired ideas stamped with a new year and any number of “!” tacked on to the end.
Unfortunately, the password, with its inherent flaws and liabilities, is often the one thin line of protection between your users, their data, and an Internet full of cybercriminals. It’s not fair, it’s not right, and the glazed look you’ll get from your users when you tell them the latest “complex password requirements” you’re implementing will provide unsuspecting admins a hard truth:
No matter how many digits you make them use, no matter how many special characters are required, and no matter how often you make them change it, the secure password—more often than not—isn’t.
That one crazy password thing you do that makes your CISO cry
Perhaps the most common problem with password security is that as our workplace and lives have grown increasingly digital, we’re finding that we’re needing to remember more and more passwords just to maintain access to our own personal information.
Need to make a credit card payment or check your balance? You need a password.
Have more than one credit card? You need multiple passwords.
Bank account? Password.
Need new ideas from Pinterest? PASSWORD.
In fact, the trend of “online overload” is getting worse with the average US consumer having more than 100 unique accounts associated with a single email address. Of course, each account must be secured, which means that each account needs a password—and that password better be complex. And you’d better not forget it, or we’re going to sic our friend CAPTCHA on you. We’re going to ask you questions about your mother’s maiden name and who your favorite grade school teacher was—thus creating more things to remember, and (perversely) more things we can inadvertently compromise to cybercriminals.
This overload leads people to do dumb things—and each of those dumb things creates security vulnerabilities that puts users and business data at risk. Here are just a few things that users do every day … and by “users” I’m really saying “all of us.”
- We are increasingly reusing the same password.
- When we’re not reusing that same password, we’re using simple increments to “trick” complex algorithms (password1, password2, password3 …).
- We’re not particularly clever at thinking up new passwords—and when we are, we forget them.
- We write passwords down on paper—even sticky-note them to our monitors.
- We keep them in a text file—in plain text—on Dropbox or Google Drive.
Password reuse is perhaps one of the most troubling trends that comes with online account overload. After all, if a cybercriminal compromises one account, and matches the cracked password to an email address, it’s an incredibly simple exercise for them to try the combination on dozens, or even hundreds, of online accounts until they find what they’re looking for. Worse yet, they can take these credentials and sell them to other criminals that spend their time combing through metadata about who we are and how we live, which leads to more complex losses of identity that compromise lives and livelihoods.
So what does Dumbledore have to do with it?
First off, in a world of increasingly complex security requirements, the traditional text-based user name and password combination just isn’t enough. Newer technology such as multi-factor authentication using smart cards or biometrics will rapidly start becoming the norm—creating new and increasingly fun ways to make the entire process even more tedious and difficult! There are simply too many parts of our lives that we want to access online, and the data is just too sensitive to trust to fallible human memory and bad politician password protection methodologies.
In the meantime—while we are stuck with the fallible human memory as our main security system—knowledge is power. Work with your employees and managers to teach them why strong passwords are important, and why—even today—the need to change passwords regularly is still a necessary (if annoying) requirement. It’s important to demonstrate to your users how dangerous bad password practices can be. Show how one compromised credential can cascade through their lives, ruining bank balances, destroying credit ratings, and opening them up to legal problems and liability.
While you’re scaring them with this reality, take the opportunity to teach them something about good security practices for their online behavior. Show them how Internet hucksters and criminals can use social media sites to surreptitiously farm their personal data using those famous Facebook “quizzes.”
They’ll ask you, “Do you want to know what Harry Potter character you’re most like?” Just tell them your age, your favorite color, your first pet’s name, and your favorite food.
Now, do you notice anything about the information they want? Have you ever wondered how your favorite color or your first pet’s name could help the Sorting Hat figure out which Hogwarts house you belong to?
The answer: It doesn’t—but this information is extremely useful for a cybercriminal trying to gain access to your personal accounts by hacking your security questions.
Strong passwords will not save the day, but they do help prevent insider threats
As usual, the solution is multilayered. Strong passwords help, smart online behavior helps, good security processes and procedures reinforced by world-class small business security software like LanScope Cat *help*. No one solution will fix everything, but smart people with good tools and training can make your organization a much harder target.