For a Baltimore area religious order, it took no time at all to crack their passwords, because members had stored them in the nifty Password section of this paper planner. When one member left it behind at church, it somehow got into the hands of, let’s call him a “less devout” person, and it wasn’t long before that religious institution was hacked.
Even for the more digital savvy, it’s increasingly difficult to outwit the hackers. You can no longer throw in a # sign for the letter “e” or an @ sign for the letter “a” and expect to outwit cyber criminals. Not long ago, it would take just two months to crack “p@$$word”. Now hackers using automated software to systematically check all possible passwords and phrases can break this password in a fraction of the time. This password- cracking approach is called a brute force attack.
Eight-character passwords are on their way out
Guidelines issued by the National Institute of Standards and Training (NIST) say passwords should be at least eight characters long, but like all things cyber, online risks are a fast-moving target. A hacker on Slashdot, a social news site that bills itself as “News for Nerds”, wrote “the eight-character password is dead” for organizations that rely on Windows and Active Directory, included in most Windows Server operating systems.
A better bet may be to go with gibberish. Pick a long, complex combination of characters or a string of unconnected words, as illustrated by the comic, https://xkcd.com/936/.
Password managers are different for business
The first Thursday in May, which happens to be today, has been designated World Password Day, so layer up that login and make sure you’ve securely stored those passwords in a good password manager. CNET’s 2019 directory of password managers provides a number of options that cost between $12.00 to $40.00 and are good choices for individuals. For businesses, however, password risk mitigation is a bit more complex.
Today, many employees’ jobs require that they manage company login credentials to access vendors, customer portals, banks, and industry resources. What happens when one of these employees leaves? Do you know all the passwords they were using? How do you know they can’t use those credentials after they leave? Your IT systems administrator needs to be able to manage access to those portals to protect your company from this risk and liability. And what if the person leaving IS the systems administrator? That warrants a conversation with a security consultant, like us.
Did your password make the worst password list?
We caution against relying on employees to choose their own passwords. Bad habits die hard. SplashData’s 100 Worst Passwords of 2018 shows that people are still using predictable, easy to guess passwords that would quickly put your organization at risk. Not just “123456”, “11111”, or “password”, but “movie names, sports, car brands and new last year, “Donald”.
An easy risk mitigation strategy
We recommend and implement business grade password managers and password portals, preferably with automatic password generators that manage the password function for the organization. They are one component of a password strategy that is nearly as important as your business strategy. After all, you won’t need a business strategy if a hacker cracks a password and takes control of your IT systems. Then you will need a disaster recovery plan – and a lot more.