Huge Credential Leak Underscores Need to Protect Passwords, Login IDs

By Wayne Rash  |  Posted 2016-05-07

The card is used for building access and for access to data systems when inserted into a card reader attached to or installed in a worker's computer. For computer use, once the card is inserted into the reader, the user is then required to type in a PIN (personal identification number) code to gain access to the network.

By now you're thinking that such security systems might be fine for the government, but what about a small business? Fortunately, access control systems are available for businesses of all sizes and types. They may not all be smartcard systems like those in the government, but multifactor authentication doesn't require government-scale resources to implement.

For example, if you've got a reasonably new Apple iOS device, then you've got access to fingerprint recognition, which can be part of an app. The same is true with some newer Android devices, but it goes beyond that. Many new laptop computers include a fingerprint reader, as do some desktop computers.

What really matters is that whatever device type you're using, it needs to depend on something you have and something you know. That something you have might be your fingerprint, or it could be a smartcard or it might be an iris scan.

Then you need to pair this with something that each person knows. That could be a PIN code such as what the federal government uses, or it could be a password or pass phrase.

Perhaps more important, none of these methods of confirming identity is all that difficult or expensive to implement. But they do take commitment. That means that you will have to make your company's security a priority.

I could go on for a long time about why it's necessary to create a culture of security in your company, but I've said all of that before. Now I'll just say that it's important for your employees to think of security in their day-to-day interactions. Perhaps you can offer some kind of security incentive to help that along.

But what's more important is to make sure your employees see that you're also taking it seriously and that your security practices aren't there just to annoy them. That means setting a good example of security in your daily activities. Don't prop open the door to the server room. Don't ignore password rules for your own account. Don't make fun of password verification requirements.

Moving away from the simple and dangerous password policies that most companies rely on will require commitment, but it's necessary to protect the company and, by extension, your employees.

