By now you already know that passwords are problematic. Getting your employees to create passwords that are even slightly secure is hard.
Getting them to change to new passwords is even harder. Getting them to actually remember passwords instead of writing them on sticky notes and attaching them to their monitor is nearly impossible.
This problem was made clear this past week when over 1 billion credentials were leaked from a variety of sources. Those credentials, which included user names and passwords along with other information, have been put up for sale on the Internet, and by now they’re likely in the hands of cyber-criminals who will eventually use them.
In the near term, you need to tell your users to change their passwords in case some of those stolen credentials belong to them. You can also check whether company email addresses appear in the dump at a site such as Have I Been Pwned, which lets you search an address across the breaches it has indexed; treat a hit as a reason to reset that account's password and any other account where the same password was reused.
Until now there was another place to check, Pwnedlist.com, but according to security researcher Brian Krebs, that site itself was the source of many of those stolen credentials.
Meanwhile, if you haven't implemented some basic security practices around company passwords, by now it's a must. This includes screening new passwords so that employees can't use common words or character sequences (better still, checking them against lists of passwords that have already appeared in breaches), forcing a change whenever you suspect a password has been exposed, and having managers look at workspaces closely enough to notice passwords written on those sticky notes. Many organizations also require changes on a regular schedule; note that NIST's current guidance (SP 800-63B) advises against forced periodic changes unless compromise is suspected, because rotation pushes users toward predictable variations of the old password.
There are a couple of other things that matter when managing passwords. One is that while passwords must not be common words, they still need to be something your employees can remember, so they aren't tempted to write them down. This is why you don't insist on a 64-character hex string as a password: relatively few people can remember one. A long passphrase of several unrelated words is both easier to remember and harder to guess than a short string of symbols.
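The screening described above, as an added example that is not part of the original article: it rejects short passwords, common words (including "leetspeak" variants such as P@ssw0rd), keyboard runs and character sequences, and passwords already seen in breaches. The breach check uses the Have I Been Pwned Pwned Passwords range API (https://api.pwnedpasswords.com/range/<first five hex characters of the SHA-1>), which is real; only the five-character prefix is sent, so the full hash never leaves your host. The word list, the sample passwords and the `FAKE_RANGE` reply are constructed so the code runs offline; the fetch function is injectable so the same code can call the live API.

```python
"""Password screening: common words, sequences, and breach-corpus lookups.

Added example, not from the article. Only the standard library is used; the
Have I Been Pwned range API is real, but FAKE_RANGE below is a constructed reply
in its line format so the example runs offline.
"""
import hashlib
import re
import urllib.request

# Stand-in for a real blocklist (real lists run to millions of entries) - constructed.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "admin", "summer2016"}
LEET = str.maketrans("@0$13", "aosie")   # P@ssw0rd -> password


def normalized_word(pw: str) -> str:
    """Lowercase, undo common symbol substitutions, keep letters only."""
    return re.sub(r"[^a-z]", "", pw.lower().translate(LEET))


def has_keyboard_or_sequence_run(pw: str, run: int = 4) -> bool:
    """True if pw holds `run` consecutive ascending/descending characters (abcd, 4321)
    or a fragment of a keyboard row (qwer, asdf) in either direction."""
    low = pw.lower()
    rows = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
    for i in range(len(low) - run + 1):
        chunk = low[i:i + run]
        codes = [ord(c) for c in chunk]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs in ({1}, {-1}):
            return True
        if any(chunk in row or chunk in row[::-1] for row in rows):
            return True
    return False


def local_policy_errors(pw: str) -> list[str]:
    """Checks that need no network: length, dictionary words, runs."""
    errors = []
    if len(pw) < 12:
        errors.append("shorter than 12 characters")
    if pw.lower() in COMMON_WORDS or normalized_word(pw) in COMMON_WORDS:
        errors.append("common word")
    if has_keyboard_or_sequence_run(pw):
        errors.append("keyboard run or character sequence")
    return errors


def hibp_range_fetch(prefix: str) -> str:
    """Live lookup of a 5-hex-char SHA-1 prefix; the reply lists SUFFIX:COUNT lines."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "pw-screen-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(pw: str, fetch=hibp_range_fetch) -> int:
    """How many times the password appears in the breach corpus (0 if never)."""
    digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def screen_password(pw: str, fetch=hibp_range_fetch) -> list[str]:
    """All reasons to reject pw; an empty list means it passes."""
    errors = local_policy_errors(pw)
    seen = breach_count(pw, fetch)
    if seen:
        errors.append(f"seen {seen} times in breach corpora")
    return errors


# Constructed reply in the API's format. SHA-1("password") =
# 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so its prefix is 5BAA6; the counts are made up.
FAKE_RANGE = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68000:2\r\n",
}


def offline_fetch(prefix: str) -> str:
    return FAKE_RANGE.get(prefix, "")


if __name__ == "__main__":
    for candidate in ["password", "P@ssw0rd!", "qwerty123456", "correct horse battery staple"]:
        print(f"{candidate!r}: {screen_password(candidate, offline_fetch) or 'ok'}")
```

Swap `offline_fetch` for the default `hibp_range_fetch` to query the live service; because only the prefix is transmitted, the check is safe to run on passwords as users choose them.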
But perhaps more important, you need to start thinking of ways to stop using passwords, or at least supplement passwords with something else for the credentials necessary to access your network and data systems.
An example of how this works is in federal government networks and data systems. Employees are issued a smartcard-based identification card: the Common Access Card (CAC) in the Department of Defense, or the Personal Identity Verification (PIV) card in civilian agencies (the CAC is the DoD's implementation of the PIV standard, FIPS 201).
Those cards contain a chip similar to the one in newer credit cards. The chip holds the employee's certificate and a private key that never leaves the card; when the agency's system wants to verify identity, it sends the card a challenge and checks the card's signature on it against that certificate. Unlike a password, the credential can't be copied off the card or replayed.
Huge Credential Leak Underscores Need to Protect Passwords, Login IDs
The card is used for building access and, when inserted into a reader attached to or built into the worker's computer, for access to data systems. For computer logon, once the card is in the reader the user must also type a PIN (personal identification number) before the card will sign anything, so a lost or stolen card is useless on its own, and the card blocks its PIN after a set number of wrong guesses.
By now you’re thinking that such security systems might be fine for the government, but what about a small business? Fortunately, access control systems are available for businesses of all sizes and types. They may not all be smartcard systems like those in the government, but multifactor authentication doesn’t require government-scale resources to implement.
For example, if you've got a reasonably new Apple iOS device, you've got fingerprint recognition that an app can use as part of its login. The same is true of some newer Android devices, and it goes beyond phones: many new laptops include a fingerprint reader, as do some desktops.
What really matters is that, whatever device you're using, access depends on at least two different kinds of factor: something you know (a password, passphrase or PIN, as the federal government uses), something you have (a smartcard, a hardware token or a phone that generates one-time codes) and, optionally, something you are (a fingerprint or iris scan). A fingerprint is not "something you have"; it belongs in that third category, and two factors of the same kind, such as a password plus a security question, don't make a login multifactor.
So pair the possession or biometric factor with something each person knows. That could be a PIN code like the federal government's, or a password or passphrase, and the system should check both factors together and rate-limit or lock out after repeated failures, so that the weaker factor (a short PIN) can't simply be guessed.
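A minimal server-side check of the two factors described above, as an added example that is not from the article or any product it mentions: a PIN (something you know, stored as a salted PBKDF2 hash) combined with a one-time code from a phone or token (something you have). The code is computed with RFC 6238 TOTP over 30-second time steps using HMAC-SHA1, which is what common authenticator apps implement; the PIN, the user record and the clock values are constructed for the example. Both factors are always evaluated, a code that was already accepted is rejected as a replay, and a failure counter is kept so the caller can lock the account after a handful of bad attempts.

```python
"""Two-factor verification: PIN (knowledge) plus TOTP code (possession).

Added example, not from the article. Standard library only. TOTP per RFC 6238
(HMAC-SHA1, 30-second steps, dynamic truncation); the PIN is stored as a
salted PBKDF2-HMAC-SHA256 hash and never in the clear.
"""
import hashlib
import hmac
import secrets
import struct
import time
from dataclasses import dataclass
from typing import Optional

STEP = 30              # seconds per TOTP time step
PBKDF2_ROUNDS = 200_000


def totp(secret: bytes, for_time: int, digits: int = 6) -> str:
    """RFC 6238 code for the time step that contains for_time."""
    counter = struct.pack(">Q", for_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                    # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def _hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class UserRecord:
    salt: bytes
    pin_hash: bytes
    totp_secret: bytes
    last_counter: int = -1   # highest time step already accepted; blocks code replay
    failures: int = 0        # consecutive failed logins; caller locks the account after N


def enroll(pin: str, totp_secret: Optional[bytes] = None) -> UserRecord:
    """Create a record; a fresh random TOTP secret is generated unless one is supplied."""
    salt = secrets.token_bytes(16)
    secret = totp_secret if totp_secret is not None else secrets.token_bytes(20)
    return UserRecord(salt, _hash_pin(pin, salt), secret)


def verify_login(rec: UserRecord, pin: str, code: str,
                 now: Optional[int] = None, window: int = 1) -> bool:
    """True only if the PIN matches and the code is valid for now +/- window steps and unused."""
    now = int(time.time()) if now is None else now
    # Always evaluate the PIN, so a bad PIN and a bad code take the same path.
    pin_ok = hmac.compare_digest(_hash_pin(pin, rec.salt), rec.pin_hash)
    matched = None
    base = now // STEP
    for step in range(base - window, base + window + 1):      # tolerate small clock skew
        if hmac.compare_digest(totp(rec.totp_secret, step * STEP), code):
            matched = step
            break
    # A code whose time step was already accepted is a replay, even if it is still "current".
    code_ok = matched is not None and matched > rec.last_counter
    if pin_ok and code_ok:
        rec.last_counter = matched
        rec.failures = 0
        return True
    rec.failures += 1
    return False


if __name__ == "__main__":
    # Constructed demo: the RFC 6238 test secret and a sample PIN.
    record = enroll("4821", b"12345678901234567890")
    print("code at T=59:", totp(record.totp_secret, 59))        # 287082 per RFC 6238
    print("first use :", verify_login(record, "4821", "287082", now=59))
    print("replay    :", verify_login(record, "4821", "287082", now=59))
```

The `window` of one step on each side absorbs clock drift between the phone and the server; widen it with care, since every extra step is another code an attacker could guess. The `failures` counter is what turns a 4-digit PIN from a trivially guessable secret into an acceptable second factor, which is the same job the retry counter on a PIV card does in hardware.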
Perhaps more important, none of these methods of confirming identity is all that difficult or expensive to implement. But they do take commitment. That means that you will have to make your company’s security a priority.
I could go on for a long time about why it’s necessary to create a culture of security in your company, but I’ve said all of that before. Now I’ll just say that it’s important for your employees to think of security in their day-to-day interactions. Perhaps you can offer some kind of security incentive to help that along.
But what’s more important is to make sure your employees see that you’re also taking it seriously and that your security practices aren’t there just to annoy them. That means setting a good example of security in your daily activities. Don’t prop open the door to the server room. Don’t ignore password rules for your own account. Don’t make fun of password verification requirements.
Moving away from something as simple and dangerous as what most companies do for password policies will require commitment, but it’s necessary to protect the company and, by extension, your employees.