When was the last time you updated your password for your online access to your bank account, Facebook, or Instagram? Was it within the last few months? Do you know? Do you use the same password for all three?
Login IDs, passwords, and the security controls surrounding them are very important in preventing unauthorized access to systems and information. They are often the first layer of protection, but unfortunately, the biggest problem with most passwords is that they can be guessed or broken fairly easily through brute-force attacks. In fact, the 2017 Verizon Breach Report noted that two out of three privacy breaches exploit weak or stolen passwords.
How can you ensure your employees are utilizing strong passwords?
It is human nature for people to select passwords that they can easily remember. With so many different systems, applications, and websites each of us use every day, it can be difficult to select anything other than something you will always remember. Some employees will even write down their passwords on a yellow sticky note and tape it to their desks (don’t do this!).
Provide your employees with clear instructions for creating passwords and be sure to cover the following areas:
Password Creation: The most-used password is said to be “1 2 3 4 5 6” followed by the word “password”. Other weak passwords include the names of family members or pets, anniversary or birth dates, names of systems or software, or words describing visible items in your work area. For example, do you have a coffee mug of your favorite sports team on your desk? Avoid using personal information. This type of information can be researched on your social media accounts. Make your password unique.
Password Length: The PCI DSS requires passwords of at least seven characters, but we would recommend 10-12 characters for most applications.
Password Structure: Strong passwords should also include the use of special characters, a mix of uppercase and lowercase letters, and a mix of both numbers and letters. If your system supports it, consider using a phrase, called a Pass Phrase, instead of a password. An example would be I love my shoes combined with a date, where the letters in love are all capitalized, and the S’s in shoes are dollar signs. iLOVEmy$hoe$2017
Change Passwords Regularly: The PCI DSS requires a 90 day or less change cycle. By updating passwords frequently, hackers have less time to try to break the password and you also narrow the window of time in which someone might have access to your account.
Never Share Passwords: Do not share passwords or logins with a colleague, even if you both have the same job responsibilities. Your ID and password must be unique to you.
Don’t use the Same Password for Multiple Systems: Try not to use the same password for multiple systems, applications, or web sites as the loss of it in one place can allow access to the other systems more easily.
Strengthen your challenge questions: Make sure your challenge questions that are used to reset your password are unique and difficult to guess. Just because the question asks what your mother’s maiden name is or the city grew up in, does not mean you have to have your answer be truthful. Come up with a consistent, but inaccurate, response that only you can easily remember.
Change Default Passwords: It is critical to always remember to change default system passwords before deploying a system into production. Default passwords for common systems and devices can be found on the Internet, making it very easy for hackers to gain access.
Limit login attempts: Limit the number of times individuals can try and fail to access a system. After the number of unsuccessful login attempts is reached, lock the account and require administrative assistance to unlock. (Reminder: the PCI DSS requires this limit be no more than six failed attempts.)
Now that you know how to create strong and secure passwords, you may want to ask: Are account passwords alone the answer?
Just this month, Deloitte, one of the world’s largest auditing and consulting firms in the US, was targeted by a sophisticated cybersecurity attack that compromised the confidential emails of some of its most important clients. A hacker compromised the organization’s global email server through an administrative account that required only a single password and did not have two-step or multi-factor authentication setup. With this simple attack, the hackers gained access to usernames, passwords, IP addresses, architectural diagrams, and health information.
We recommend protecting any systems with critical information with more than just a login ID and password.
Some additional guidance from our Security Advisor team below:
[King]: Strong, unique passwords and two-factor authentication are your best defense against a compromised account.
Using a passphrase is the best recommended way of creating a password that is both complex enough not to be easily cracked and easy enough to be remembered without writing it down. Passwords should also not be reused. Often we see a password update only change one or two characters, PassKid$2017 becomes PassKid$2018. This is a change that is easily guessable. Make sure to use passwords that are significantly different than previous passwords.
Two-factor authentication can protect you even if your password has been compromised. Always enable two-factor authentication on accounts that have it available. It will require use of not only a password, but a secondary method of authenticating, greatly reducing the risk of compromise.