Yes, the passwords users choose *really* matters

Earlier this month, we celebrated that little-known tribute day known as World Password Day.

Responsible security organizations should use this opportunity to share best practice advice to help people understand just how darn easy it is for fraudsters to cause havoc if they can access privileged accounts authorized to change, edit and delete files, settings, apps or data.

Sadly, it seems that it is also a day where marketing people, who might be less au fait with cybersecurity, scramble out of their shells to jump on the World Password Day bandwagon. The Register made a bit of a stink about it, as they rightly should have. One communication the tech publication received was from the wireless lobbying organization, CTIA,  which reported outdated advice, such as users should remember to change  passwords “frequently”.

This is always frustrating for organizations like ours. We are utterly convinced that password health is vitally important to organizations. Over and over again, we see the weakest link being users with access to powerful applications and information, who haven’t a clue that they are effectively holding a master key to the castle.

Last week Twitter had to advise all 330 million users to change passwords because a bug caused them to be revealed in plain text.

Just last January 2018, two major security vulnerabilities, Meltdown and Spectre, came to the forefront of everyone’s attention. The vulnerabilities made it possible for attackers to steal any machine processed data, including passwords and sensitive documents.

Verizon April 2018 report agrees that weak passwords are a problem: 

“Not surprisingly, using stolen credentials topped the list of causes for data breaches.  A common saying is ‘It’s easier to ask the employee for their password than try to guess it’, so social engineering continues to be a very successful tactic for hackers.  For most employees the only security protecting access is a password, and once the cyber criminal has it they can easily bypass most companies security controls.”

And even “McAfee blamed users re-using the same passwords across a range of platforms, suggesting that the way forward for successful security is for businesses to educate employees about the basics…”

Advice about reducing your risk exposure

While biometrics and other mechanisms are being developed to replace the need for this type of authentication, passwords ain’t disappearing anytime soon. So here is TBG Security’s top recommended advice for passwords best practice right now:

• Change all default or provided passwords (admin or otherwise) for network equipment
• Create and enforce a strong up-to-date password policy
• Communicate the password policy widely
• Create training schedules to inform and educate all internal users about your requirements
• Store passwords securely, and that means salting and hashing them
• Set difficult to crack passwords requirements for users
• Consider adopting a policy for a reputable cloud-based corporate passwords manager (Seek professional guidance if you choose this path)
• Perform regular penetration and vulnerability tests to check for bugs, unsafe settings and intrusions (See our free pen test advice here)
• Educate users regularly through various communications means their responsibility of safeguarding the data and the systems

How TBG Security can help

If you would like more guidance for just would like to chat about next info security steps regarding passwords, get in touch. We are here to help. We pride ourselves in providing practical, expert and efficient advice.

TBG Security provides quality penetration tests and risk assessments tailored to your specific needs. Whether you are a governing body, a financial institution, an insurer, a legal or accountancy firm, or a online provider, we can help.