Weak or stolen passwords are the first point of entry for 80% of breaches, so it’s critical enterprises get a handle on their password management.
Building an effective password policy can be a challenge for enterprises, because of the need to be able to balance security against convenience. Lean too much towards convenience and you will likely lose security. On the other hand, lean too much towards security and no one will adhere to it.
Regardless of that, effective password is essential when you’re managing IT networks. In its 2016 Data Breach Investigations Report, Verizon stated that, “63% of confirmed data breaches involved leveraging weak, stolen, or default passwords.” In 2017, Verizon suggested that figure had risen to 81%. In spite of this, users often fail to see the importance of frequently changed, complex passwords – possibly because it is not properly communicated to them. Here are three simple things that should help put the need for passwords into perspective:
- Network Security – Weak passwords mean the bad guys have an easy way into the company infrastructure.
- Accountability – User authentication allows the IT department to track who has done what on company systems. Password security needs to be taken seriously, otherwise you can’t be sure that staff members aren’t using each other’s passwords, which could lead to people being accused of things they haven’t done.
- Internal Confidentiality – Data breaches can result from little more than a password being roundly known by people, either because someone has shared it or because they have left it on a “Post-it” note attached to their monitor.
Once you’ve convinced your staff they need to take password management seriously, here are some best practice tips to help you set a solid enterprise password management policy.
Complexity is good, change maybe not so
In this case, complex means long and random. Most systems ask for a minimum eight-character password, however it’s worth bearing in mind that even if this password includes upper case, lower case, numbers and special characters a supercomputer or botnet could crack this in around four hours – so if someone wanted to break the password they could. Up that to 10 characters, and that figures rises to three years, with the additional permutations. If you push that up to 16, then you can be pretty certain it’s going to take a VERY long time for anyone to hack your password.
As we intimated, there needs to be a mixture of upper and lower case, alphanumeric and special characters. But you should warn people against being tempted to just do anything like changing “Star Wars A New Hope” to “5!@rW@r5An3wh0p3” – certainly for business critical systems. While it’s a lot better than a dictionary word it’s still not random. The best passwords are created using a genuine random password generator, and these should definitely be used to create your business critical application passwords. For those needing access to multiple systems, like IT admins, using an enterprise-grade password management solution will ensure they can still easily access what they need.
Many companies set regular password changing policies at 30, 60 or 90 days. While it’s the accepted norm this isn’t necessarily a good thing. According to the UK’s Information Commissioner’s Office (ICO) says: “You should only set password expirations if they are absolutely necessary for your particular circumstances. Regular expiry often causes people to change a single strong password for a series of weak passwords. As a general rule, get your users to create a strong initial password and only change them if there are pressing reasons, such as a personal data breach.” (https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/security/passwords-in-online-services/)
Use two-factor authentication (2FA) wherever you can
Put simply, not relying purely on single passwords for protection is a good thing. Implementing 2FA, gives a layered approach removing the dangers of a single point of failure. Also, by adding the ability to apply a token, whether it’s through hardware or via a code-generating app, you introduce a device that the user has into the access equation, alongside something they know (the password).
Don’t set your policy in stone
As you can tell from the ICO guidance on passwords above, the thinking on passwords changes. So, your policy should be able to change too. Make sure it is dynamic and can change with times. This means it needs to be both event and intelligence driven.
You should not be in a position where you are to update it as and when required. Equally, don’t be afraid to let all staff members know when it has been changed (and even when it hasn’t). There is no point in having a policy if no one knows about it. So make sure you are educating staff throughout the company – including the board. Password policy applies to everyone.