Ah, the password. It’s been a mainstay in IT security for decades, but are you treating it as a necessary evil to be worked around or maximizing its value in your security practices? Here are signs you’ve got some work to do:
People Share Accounts and/or Passwords
There are several reasons why you should require every single user to have a unique login, beginning with the most basic one: a shared password defeats the purpose of having a password at all. If a password is common knowledge around the office and living on Post-Its stuck to monitors, basically anyone who walks in can log in, not just employees.
Additionally, you’re depriving yourself of the all-important audit trails and changelogs you may need to know who accessed what or who deleted something. You are also unable to set varying permissions per user. Are your sensitive accounting or intellectual property files accessible to everyone and vulnerable to deletion or being shared?
One Password for Everything (Bonus Points If It’s “Admin”)
When I said, “bonus points,” I really meant bonus negative points. Again, if a bad actor can find out your password for one account, he will try to use it to hack other accounts. Use a password generator – most password management tools offer it – or you could set up a pattern to tweak each password enough by login site so you can remember the variations.
No Complex Passwords
A complex password these days should be about 12 characters with a random mix of symbols and numbers, because password cracking software keeps getting more sophisticated and faster. Simple passwords can be cracked in a matter of minutes.
There Aren’t Account Lockout Limits
This goes hand in hand with the above. Those password cracking tools I mentioned? They brute force access to your computers or servers by trying random password combinations over and over again, thousands of times per minute. If you have a lockout limit, you can prevent these types of attacks.
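To make the lockout idea concrete, here is an added example (not code from the original article) of a sliding-window lockout policy: after a set number of wrong guesses the account is refused for a cooling-off period, even if the next guess happens to be right. The thresholds, the ManualClock helper and the "alice" credential are assumptions made for the demo.

```python
import time
from collections import defaultdict

# Assumed policy values (not from the article): 5 failures inside a
# 10-minute window lock the account for 15 minutes.
MAX_FAILURES = 5
FAILURE_WINDOW = 600
LOCKOUT_SECONDS = 900

# Constructed credential store for the demo; a real system stores salted hashes.
USERS = {"alice": "correct horse battery staple"}


class ManualClock:
    """Settable clock so the lockout timing can be exercised without sleeping."""
    def __init__(self, start=1_000_000.0):
        self.now = start
    def __call__(self):
        return self.now


class LockoutPolicy:
    """Counts failed logins per account and refuses attempts while locked."""

    def __init__(self, clock=time.time):
        self.clock = clock                  # injectable for testing
        self.failures = defaultdict(list)   # user -> timestamps of recent failures
        self.locked_until = {}              # user -> time the lock expires

    def login(self, user, password):
        """Return 'ok', 'denied' (wrong password) or 'locked' (not even checked)."""
        now = self.clock()
        if now < self.locked_until.get(user, 0):
            return "locked"
        if USERS.get(user) == password:
            self.failures.pop(user, None)   # success clears the failure history
            return "ok"
        # Drop failures that fell out of the sliding window, then record this one.
        recent = [t for t in self.failures[user] if now - t < FAILURE_WINDOW]
        recent.append(now)
        self.failures[user] = recent
        if len(recent) >= MAX_FAILURES:
            self.locked_until[user] = now + LOCKOUT_SECONDS
            self.failures.pop(user, None)
        return "denied"


def simulate_guessing(policy, user, guesses):
    """Feed a list of guesses; return (outcomes, how many were actually checked)."""
    outcomes = [policy.login(user, g) for g in guesses]
    return outcomes, sum(o != "locked" for o in outcomes)
```

Note that a lockout also refuses the legitimate owner during the cooling-off period, so pair it with alerting on repeated lockouts rather than relying on it alone.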
No Multi-Factor Authentication (MFA)
We cover how all this works and why it’s important in the second half of this article, but here’s the basic idea: an unscrupulous person may get access to your password but would be stopped by MFA because it requires a second action to log in. On top of a password, you would be asked to key in an ever-changing code from an authentication app or to use a biometric variable like your fingerprint.
We’ve had clients whose email accounts have been compromised by someone in Russia who was requesting bank wire transfers unchecked. Thousands of dollars lost. If these victims had MFA in place, the hacker wouldn’t have been able to log in with just the password and this would all have been avoided.