It’s safe to say that most users rely on hundreds of passwords to access their devices, websites and apps. Few will remember these passwords, unless of course they are in the habit of using the same password for multiple logins–a big security no-no. For years, security pros have emphasised the need for different passwords, as identical passwords make it way too easy for hackers. If they obtain one password and it’s also used in to access online banking, for example, your resulting zero balance is to be expected.
Let’s call it a rule–never use the same password twice, or variants of it.
Some of you may think this is obvious and I do agree but according to the UK’s National Cyber Security Centre, in collaboration with Troy Hunt (a Microsoft regional director), the password ‘123456’ has been detected 23 million times in the breaches collected. They’ve also published a top 100,000 list of most frequently used passwords… ‘qwerty’ and ‘password’ are also in the top five.
Change User Habits
Network administrators cannot assume that users will select secure passwords, making it necessary to enforce password policies, with rules for password selection. These rules should include but are not limited to:
- No passwords based on keyboard layout–such as ‘qwerty’ or ‘123456’
- None based on names of family members, employers, pets, birthdays or favourites–‘walle’, ‘pokemon’, ‘liverpool’–hackers will use social engineering to find likely passwords and your love of Metallica leads to an easy password hack.
- No real words, regardless of language–hackers can check against entire dictionaries in minutes.
- Avoid short passwords that are easily remembered–where possible my own passwords exceed 20 characters.
- Change passwords from time to time – perhaps once every month or at least four times each year.
Obviously, adopting a new complex password strategy requires some form of management. How will this be achieved?
Storing Complex Passwords for Easy Retrieval
I’ve thought it about this for some time and believe there is no single solution, as it will depend on budget, company size and level of security awareness. A big no-no is writing passwords on post-its and sticking to your monitor or in your wallet. How about Excel or MS Word? Sure, it could be used but if the Excel file is unprotected then all passwords are visible once accessed by a hacker.
BYOI (bring your own identity) is one option but I believe it’s only effective if two-factor authentication is employed to verify the user (by sending a code via SMS, for example). In such an environment, all passwords are stored in the cloud, needing one login password to access all others. With the global identity and access management market predicted to reach more than US$22 billion by 2025, such solutions may only be viable for the middle market and enterprises.
How about secure login via social media platforms or search engines such as Google? I’m not really interested in sharing more data with global giants but the decision is yours.
Password mangers are often touted as a solution to password bloat and I do find them useful. However, they also have weaknesses, some of them caused by the OS used preventing security processes from completing, as indicated by the Washington Post.
I use one (not disclosing which) but I store my password file and token (required to access the password file) on a memory stick. When I need a password, I insert the memory stick, perform the required action and remove it immediately afterwards. I wear the memory stick around my neck so apart from a violent attack or removal from ‘my cold dead hands,’ I believe my data is quite safe. I avoid all related cloud-based services and rely solely on the memory stick – with a secure backup in a fireproof safe.
The most useful feature of password managers is the inbuilt password generator tool – I recommend at least 20 characters, including special characters, alphanumeric and underlines for all passwords, especially ones involving financial or medical data.
Company and Personal Data
While I’m not advocating a choice for password management, there are many options available and segregation of personal and company data must be part of any password management policy. BYOD (bring your own device) can complicate matters but any effective strategy must also include device encryption and partitioning to separate personal data. If an employee leaves the company, remote erasure of all company data, including passwords, must be possible, without disturbing the user’s personal photos and other files.
According to research from the Ponemon Institute and sponsored by Yubico, The 2019 State of Password and Authentication Security Behaviors Report stated that while 66% of those surveyed agree that it’s very important to protect passwords, 51% believe they are too difficult to manage. Both parties have a point. Managing passwords is a chore but weigh the inconvenience against the costs of a breach, not just financial but reputational.
In conclusion, I’ve outlined some suggestions for password management. It’s up to you to decide how you will enforce a password policy and how it will be rolled out effectively. Enhancing staff awareness is a given but what methods will you use to ensure all employee passwords are secure and are changed regularly? Two-factor authentication is worth considering but do the added costs and IT resources outweigh the benefits? After some brainstorming with IT and executive stakeholders, you’ll be able to choose the best path for password security, one that will at least slow down persistent hackers. Best of luck.
Michael O’Dwyer is a Hong Kong-based business and technology journalist, independent consultant and writer whose stories have appeared on Forbes.com, The Street, IBM’s Midsize Insider, HP’S Pulse of IT, Dell’s Tech Page One and other IT portals, typically covering areas where business and technology intersect. He writes for both US and UK audiences and acts as a technology and open source advocate. Twitter: @MJODWYERHK