Too many businesses are lazy about passwords and risk being hacked. They are in danger of losing vital data and badly damaging their reputation.
There are numerous examples of companies failing to adopt strict password protocols simply because it’s too complicated and people can’t be bothered.
Gary Jowett from CNC in Brighton says: “Gone are the days when you would simply walk into your neighbour’s house through an unlocked door. Now everyone applies locks and bolts and alarm systems to their homes. This security is complicated but we do it because we know it’s necessary. It’s the same with passwords for accessing your IT systems. If your passwords are too easy to guess, then it’s like a door lock that’s easy to pick.”
Two-factor authentication is best
Passwords need to be long. The six-character minimum that many company policies still use is too short: current guidance (NIST SP 800-63B) treats eight characters as the floor, favours length over a mandatory mix of lowercase letters, uppercase letters, numerals and symbols, and recommends rejecting any password that appears in lists of common or previously breached passwords. Composition rules on their own are not enough – a password such as “P@ssw0rd” satisfies a three-of-four-classes rule and still sits in every attacker’s wordlist. Ideally, companies should also adopt two-factor authentication wherever possible. Common types used at the moment are one-time codes sent by SMS to a mobile phone and authentication tokens – small devices, or apps on a phone, that generate constantly changing codes which must be entered in addition to the password. SMS is the weakest of these, because the codes can be intercepted or redirected by a SIM swap; authenticator apps and hardware security keys are the stronger choices.
“It may seem a bit of a chore but, until new safer techniques are developed to replace passwords, it’s vital that you change them frequently and make sure they are complex,” explained Gary. “There should be an established company policy about this which applies to all employees – because anyone who has access to your systems is a potential chink in your armour if their password is easy to guess. Also make sure anyone who has just left the company no longer has access to your systems. Their user access permissions should be terminated immediately they leave.”
Hackers are determined
Guessing passwords is only one of the many ways hackers can get through the door. They often employ much more relentless and determined methods. Microsoft has highlighted the range of methods used.
Online and offline dictionary attacks are two common techniques. In the online version, the attacker points an automated program at the live login page and tries to log on repeatedly, taking a different word from a text file of candidate passwords on each attempt; the defender can see this happening and slow it down with rate limiting, account lockout and two-factor authentication. In the offline version, the attacker has already obtained a copy of the organisation’s account database, including the stored password hashes, and runs the same wordlist locally, hashing each candidate and comparing it with the stored value without ever touching the login page. How long that takes depends almost entirely on how the passwords were stored: unsalted, fast hashes such as plain MD5 or SHA-1 fall in seconds, whereas a salted, deliberately slow algorithm (bcrypt, scrypt, Argon2, or PBKDF2 with a high iteration count) forces the attacker to pay for every guess against every account.
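To make the offline attack concrete, and to show why the character-class rule described earlier does not by itself stop it, the following Python script is an added example, not code from the original article or from CNC. It builds a constructed “leaked” credential store with invented usernames, passwords and wordlist, runs the same dictionary against the accounts stored first as unsalted SHA-256 and then as salted PBKDF2 (the iteration count is an assumed value, not a figure from the article), and checks each password against a six-character, three-of-four-classes policy.

```python
"""Offline dictionary attack against a constructed 'leaked' credential store.

Added example, not code from the original article. Every username, password
and wordlist entry below is invented; the PBKDF2 iteration count is an
assumed value, not a recommendation from the article.
"""
import hashlib
import hmac
import os
import time

# Constructed wordlist: dictionary words plus passwords seen in breach dumps.
WORDLIST = [
    "password", "letmein", "qwerty", "Password1", "P@ssw0rd",
    "welcome1", "Summer2016", "Brighton!", "admin123", "iloveyou",
]

# Constructed "leaked" accounts. Two use policy-compliant but guessable
# passwords; the third uses a long passphrase that is not in the wordlist.
CREDS = {
    "alice": "P@ssw0rd",
    "bob": "Summer2016",
    "carol": "correct horse battery staple 42",
}

PBKDF2_ITERATIONS = 100_000  # assumption: a plausible cost for a slow KDF


def meets_policy(pw):
    """The article's rule: at least six characters and three of four classes."""
    classes = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    )
    return len(pw) >= 6 and sum(classes) >= 3


def fast_hash(pw):
    """Unsalted SHA-256: the defender's worst case, one cheap hash per guess."""
    return hashlib.sha256(pw.encode()).hexdigest()


def slow_hash(pw, salt):
    """Salted PBKDF2-HMAC-SHA256: each guess costs PBKDF2_ITERATIONS hashes."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITERATIONS)


def build_store(creds):
    """Simulate the same accounts stored both ways."""
    unsalted = {u: fast_hash(p) for u, p in creds.items()}
    salted = {}
    for u, p in creds.items():
        salt = os.urandom(16)  # per-account random salt
        salted[u] = (salt, slow_hash(p, salt))
    return unsalted, salted


def crack_unsalted(hashes, wordlist):
    """Without salt, one hash per candidate word covers every account at once."""
    lookup = {fast_hash(w): w for w in wordlist}  # a tiny rainbow table
    found = {u: lookup[h] for u, h in hashes.items() if h in lookup}
    return found, len(wordlist)  # cracked accounts, hash computations spent


def crack_salted(records, wordlist):
    """With per-account salt, the attacker pays one KDF run per (account, word)."""
    found = {}
    attempts = 0
    for u, (salt, digest) in records.items():
        for w in wordlist:
            attempts += 1
            if hmac.compare_digest(slow_hash(w, salt), digest):
                found[u] = w
                break  # move on to the next account once this one is cracked
    return found, attempts


def run_attack(creds=CREDS, wordlist=WORDLIST):
    """Crack both stores and report results, work done and wall-clock time."""
    unsalted, salted = build_store(creds)
    t0 = time.perf_counter()
    fast_found, fast_work = crack_unsalted(unsalted, wordlist)
    t1 = time.perf_counter()
    slow_found, slow_work = crack_salted(salted, wordlist)
    t2 = time.perf_counter()
    return {
        "unsalted": (fast_found, fast_work, t1 - t0),
        "salted": (slow_found, slow_work, t2 - t1),
    }


if __name__ == "__main__":
    for name, (found, work, secs) in run_attack().items():
        print(f"{name}: cracked {found} with {work} hash/KDF runs in {secs:.2f}s")
    for u, p in CREDS.items():
        print(f"{u}: meets six-char/three-class policy = {meets_policy(p)}")
```

Both stores give up the same two accounts, because the real weakness is that “P@ssw0rd” and “Summer2016” are in the wordlist despite passing the character-class check; the difference is cost. Against the unsalted store ten hashes crack every account in well under a millisecond, while the salted, slow store forces a separate expensive KDF run for each account and candidate (22 here) and takes seconds, which is the margin that turns a ten-word list into an impractical attack at realistic wordlist sizes. Real attackers use tools such as hashcat or John the Ripper rather than a script like this, but the principle is identical.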
The need for a strong password is made crystal clear by all the recent breaches affecting major companies such as TalkTalk and Yahoo.
Don’t blame anyone else
Perhaps the most high-profile case recently was Yahoo, which claimed a “state-sponsored actor” was to blame for the theft of data from 500 million accounts. Some experts, such as Bruce Schneier, point out that blaming a sophisticated outside attacker amounts to an organisation saying: please don’t blame us for our shoddy security.
“If you are a senior executive, it’s your responsibility to keep your company secure, so don’t wait for the worst to happen,” added Gary. “Failure to use strong passwords risks the loss of confidential data, the theft of company funds and long-term damage to your brand and reputation.”