A Password Intervention
“Don’t feel bad Sam, you’re not alone, we’ve all been there. The important thing is you asked for help before anyone got hurt.” If this sounds like an intervention…, it is. Luckily, Small Business Sam shouldn’t need to go to alcohol or drug treatment, and the problem can be managed in far fewer than 12 steps.
The Problem: Policy
So you guessed it: Sam’s problem is a cybersecurity problem.
His password—the ever creative Password1—was hacked, and it’s been a bad day at the office for Sam.
Well, in case you don’t relish keeping up with all the uber geeky, trending cybersecurity stats (as we’ve sadly come to realize—mostly during small talk at cocktail parties where our conversation partner has long since dozed off before we finished speaking—that not everyone finds cybersecurity breaches as riveting as we do), here’s the good news. 81% of hacking-related breaches stem from stolen or weak passwords. Yes, that IS good news. We have identified the problem.
Or have we…?
65% of small businesses have no ability to audit or enforce any password policy, so though we’ve identified the problem, we’ve also unearthed a bigger one for Sam and his business.
What to do: Policy
Step 1 - Have a policy. I know, I know, the earth-shattering stuff comes later, but based on both the numbers and experience, if you have fewer than 500 employees, you probably don’t have a password policy, and you likely don’t have the ability to enforce one.
Step 2 – Eliminate policies that don’t work. Get ready for the tectonic shift…are you ready? Despite almost a decade of being the mainstay of password policy, you now have permission to throw out the two policies that you and your employees hate most,
A. complexity rules (one uppercase letter, one lowercase Greek letter, one prime number, and one pseudo-random hand gesture),
B. password expiration policy (requiring employees to change their password every 30, 60, 90 days). As both you and your employees hate the pain caused by these policies, you find ways around them, and those workarounds make the actual passwords less secure.
Step 3 – Empower users’ creativity. Allow long passphrases (64+ characters) as well as spaces. It is much easier to remember, “This is my password there are many like it but this one is mine”, than it is to remember, “Wtf1zITf@%Kbl@H,” right?
Step 4 - Enable Time-based Two-Factor Authentication (2FA). Requiring a time-limited password sent via email or text message can be implemented at minimal cost…FREE. Additionally, I know of no better or easier way (shy of disconnecting it from the network) to secure a device or service than 2FA. Two potential options include Google Authenticator (proprietary), or Authy (open-source). Whether these or another product, look to RFC 6238 for industry-standard minimum specs before implementation.
Step 5 – Audit Passwords. By regularly (annually to start and working up to quarterly) auditing passwords, you can protect your employees against both the outside threat and themselves. You can use FREE (again, who can beat free?) security tools such as Cain & Abel or Ophcrack to test the strength of passwords. Also, you can use the subsequent list to stay abreast of the most popular bad passwords to add to your favorite password tool’s dictionary.
Step 6 - What NEVER to do: NEVER allow these top 10 most popular insecure passwords!!!
Step 7 – Declare victory. Password policies, good phrasing, and happy employees keeping your business secure means that now both you and Sam can sleep well at night knowing that you are among the elite of small businesses. And, as promised, you are well shy of the 12 steps you were expecting for the big recovery.
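To show what Steps 2, 3, 5 and 6 look like when written down as an enforceable check, here is an added example (not code from the original post or from Open Security) of a NIST SP 800-63B-style password check: no composition rules, long passphrases with spaces allowed, and rejection of blocklisted, username-based or trivially patterned values. The blocklist entries, the `MAX_LENGTH` and `MAX_RUN` thresholds, and the `audit` helper are constructed assumptions, not values from the post.

```python
"""Password-policy check in the spirit of NIST SP 800-63B section 5.1.1.2.
No character-class rules and no expiry; length, a bad-password blocklist,
context words and repeated/sequential runs are what get checked."""
import unicodedata

# Constructed sample blocklist standing in for the "top 10" list the post
# refers to; a real deployment would load a breach-derived list instead.
SAMPLE_BLOCKLIST = {
    "123456", "password", "password1", "12345678", "qwerty",
    "123456789", "letmein", "1234567", "football", "iloveyou",
}
MIN_LENGTH = 8     # 800-63B minimum for user-chosen memorized secrets
MAX_LENGTH = 256   # assumed cap to bound hashing cost; well above the 64 NIST requires
MAX_RUN = 6        # assumed threshold for "repetitive or sequential" characters


def longest_run(secret: str) -> int:
    """Longest stretch of identical or consecutively ascending code points."""
    best = run = 1
    for prev, cur in zip(secret, secret[1:]):
        run = run + 1 if ord(cur) in (ord(prev), ord(prev) + 1) else 1
        best = max(best, run)
    return best


def check_password(candidate: str, username: str = "", blocklist=SAMPLE_BLOCKLIST):
    """Return (accepted, reason). Never rejects for a missing character class."""
    secret = unicodedata.normalize("NFKC", candidate)  # 800-63B: normalize first
    folded = secret.casefold()
    bad = {b.casefold() for b in blocklist}
    if len(secret) < MIN_LENGTH:                       # spaces count as characters
        return False, f"shorter than {MIN_LENGTH} characters"
    if len(secret) > MAX_LENGTH:
        return False, f"longer than {MAX_LENGTH} characters"
    if folded in bad or folded.strip() in bad:
        return False, "appears on the bad-password list"
    if username and username.casefold() in folded:
        return False, "contains the username"
    if longest_run(folded) >= MAX_RUN:
        return False, "repetitive or sequential characters"
    return True, "ok"


def audit(accounts, blocklist=SAMPLE_BLOCKLIST):
    """Step-5 style audit over (username, password) pairs: {user: reason} for failures."""
    failures = {}
    for user, password in accounts:
        accepted, reason = check_password(password, user, blocklist)
        if not accepted:
            failures[user] = reason
    return failures
```

Note that Sam's `Password1` passes every composition rule and only falls to the blocklist, which is exactly why Step 6 matters more than Step 2's old rules.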
You now have a working password policy.
Users will not actively work to subvert the policy; they may even proactively improve their passwords given the new latitude and prompting.
And finally, if they don’t, you have the tools to objectively audit their passwords’ strength without compromising their password privacy. I encourage you to contact me, or any of the cybersecurity professionals here at Open Security.
Subscribe to our blog to keep up with my easy and free tips to help keep your business secure. Next week I’ll share how to keep track of all of your passwords WITHOUT having to maintain that security timebomb spreadsheet on your network or in Google Drive called “Passwords!”
2017 Verizon DBIR: https://staysafeonline.org/cybersecure-business/
NIST SP 800-63B: https://pages.nist.gov/800-63-3/sp800-63b.html#sec10
IETF RFC 6238: https://tools.ietf.org/html/rfc6238