Passwords. They’ve been an integral part of information security since the dawn of computing – and they have been the bane of users’ lives for almost as long. We’ve all experienced the difficulty of trying to remember a dozen or more different passwords for different applications and devices, only to have to change them as soon as we’ve finally memorized them. And, of course, we’ve all read headlines announcing mass username and password thefts from major companies.
Globally, it seems we’re still getting password practice wrong. The recent Verizon Data Breach Investigations Report (DBIR), which analyzes the types and frequencies of security incidents worldwide over the previous year, found that 63% of confirmed data breaches capitalized on weak, default or stolen passwords. Clearly, the majority of employees and businesses still can’t – or won’t – follow effective password practices.
What, then, can businesses do to make their password practices more secure? Today (5th May) is the fourth annual World Password Day, which aims to raise international awareness of good password practice.
World Password Day’s advice follows four basic principles:
- Create strong passwords.
- Use a different password for each account.
- Get a password manager.
- Use multi-factor authentication.
This all makes good sense, and supports advice from our CTO, Professor Avishai Wool, who recommends that in today’s world you should write down your passwords! In fact, a smartphone with a sophisticated password management application – of which there are plenty available to run on both iOS and Android – is one of the safest places you can store a list of passwords, because it’s with you all the time. Should your smartphone be lost or stolen, simply ensure you can remotely wipe the list.
We would also like to see organizations move on from requiring users to automatically change their password after a fixed period, and move to a more proactive strategy of testing users’ passwords against an automated password cracker. That way, if a password is breakable then the user can be asked to strengthen it, but those users who have managed to set (and safely store and remember!) a super-strong password can continue using it. This is a far more user-centric approach, and helps make it easier, not harder, for employees to follow good password practice.
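The audit described above, as an added example that is not part of the original post: a small Python routine that runs the cheap guesses a password cracker tries first (dictionary words, case changes, leetspeak, common suffixes) against a constructed set of account hashes, and returns the accounts whose owners should be asked to strengthen their passwords. The account names, wordlist, suffixes and hashes are all constructed for the demo.

```python
import hashlib

def sha256_hex(s):
    return hashlib.sha256(s.encode()).hexdigest()

# Constructed sample store (demo only): unsalted SHA-256 keeps the example short.
# A real store would use a salted, slow hash (bcrypt/argon2), and the audit would
# hash each candidate with the account's own salt and parameters.
SAMPLE_ACCOUNTS = {
    "alice": sha256_hex("Password1!"),                        # dictionary word + suffix
    "bob":   sha256_hex("algosec2016"),                       # company name + year
    "carol": sha256_hex("correct horse battery staple xK9"),  # long passphrase
}

# Constructed wordlist and suffix list; a real audit would use a large public wordlist.
WORDLIST = ["password", "welcome", "letmein", "algosec", "summer"]
SUFFIXES = ["", "1", "123", "!", "1!", "2015", "2016"]

def mutations(word):
    """Yield the variants a cracker tries first: case changes, leetspeak, common suffixes."""
    bases = {word, word.capitalize(), word.upper()}
    bases |= {b.replace("a", "@").replace("o", "0").replace("e", "3") for b in list(bases)}
    for base in sorted(bases):
        for suffix in SUFFIXES:
            yield base + suffix

def crackable(pw_hash, wordlist=WORDLIST):
    """Return the dictionary word the hash is based on if a dictionary+mutation
    attack recovers it, else None (the password survives this cheap attack)."""
    for word in wordlist:
        for candidate in mutations(word):
            if sha256_hex(candidate) == pw_hash:
                return word
    return None

def audit(accounts, wordlist=WORDLIST):
    """Return {account: reason} for every account whose password should be strengthened.
    Accounts absent from the result keep their current password, however old it is."""
    findings = {}
    for user, pw_hash in accounts.items():
        word = crackable(pw_hash, wordlist)
        if word is not None:
            findings[user] = f"password is a mutation of the dictionary word '{word}'"
    return findings

if __name__ == "__main__":
    for user, reason in audit(SAMPLE_ACCOUNTS).items():
        print(f"{user}: ask to strengthen ({reason})")
```

Only alice and bob are flagged; carol’s long passphrase survives the dictionary pass and, under the policy the post recommends, would not be subject to forced rotation.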
There’s also the issue of default passwords on networking and security equipment, including firewalls. All too often, individuals and organizations fail to change the default passwords – handing hackers a key that could open the door to their networks. We strongly recommend that organizations check their enterprise firewalls as soon as possible. In fact, most regulations, including PCI-DSS, require default passwords to be changed as soon as the device is installed (AlgoSec’s risk report will automatically detect and flag default passwords in use on your network security devices).
World Password Day provides a useful reminder of two key actions for businesses. The first is to make it easier, not harder, for employees to follow good password practices. Make it part of your policy that a different, strong password must be used for every account – and use password management applications to make this easy for employees, together with remote-wipe capability for when they lose their devices.
The second action is to ensure that no default passwords are used anywhere on your network – whether on firewalls, routers or individual users’ machines. Don’t offer cyber criminals an open invitation to enter your enterprise!