With all of the advancements made in recent years towards network and physical security, weak user passwords still represent a major open door into your systems. Information security experts continue to note that while you can install advanced security solutions packed with AI and machine learning, there is still no easy fix for employees who just don’t give a hoot about password security best practices.
A large majority of network intrusions and data theft begin with a leaked or uncovered employee password. Passwords can be revealed in a variety of ways, including:
- Phishing email scams, where employees are tricked into entering private credentials
- Weak passwords (e.g. password123)
- Social engineering attacks, which aim to uncover information about your employees online
- Poor security habits, such as writing passwords down on sticky notes
With password security being so important when it comes to protecting your business, IT leaders can often get overwhelmed by data leaks that are caused by poor security awareness. To make matters worse, social engineering attempts are getting smarter, making employee awareness even more critical for your overarching security program.
Another trend that has further complicated the password conundrum is the rise in cloud-based and Software-as-a-Service (SaaS) applications, which all require different passwords. On average, one individual has 25 accounts that require passwords in their life and enters a password in a system 8 times per day. This increased use of passwords has forced people into poor password habits, such as reusing passwords, using simple passwords, or writing them down.
“On average, password reset requests make up 10%–30% of all IT help desk calls.”
What Makes a Password Weak
While your company may set strong password policies that require a mix of letters, numbers, and symbols, employees still need to play a role in password security. Sadly, many employees simply do not. Below is a list of common phrases, words, and concepts that employees use when creating passwords and that they should avoid:
- The word “password”
- Numbers “123” in sequence
- The current month
- Kid’s name or Pet’s name
- Street name
- Spouse name
Furthermore, a lot of people use the same password for multiple sites, meaning that if your password is uncovered on one site, it is compromised for all of them.
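The list above can be turned into a check that runs when a password is set or changed. The following is an added example, not code from the original article: the function name, the sample profile, and the table of character substitutions (so that "P@ssw0rd" is still caught) are assumptions made for illustration.

```python
import calendar
from datetime import date

# Common character swaps undone before matching. This table is an assumption
# of the example; the article does not list substitutions.
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "$": "s", "5": "s",
                      "1": "l", "!": "i", "3": "e", "7": "t"})

def weak_reasons(password, personal_terms=(), today=None):
    """Return the reasons a candidate password matches the weak patterns
    listed above. An empty list means none of these patterns matched."""
    today = today or date.today()
    raw = password.lower()
    forms = (raw, raw.translate(LEET))  # as typed, and with swaps undone

    def present(word):
        word = word.lower()
        # Ignore very short terms to limit accidental matches.
        return len(word) >= 3 and any(word in form for form in forms)

    reasons = []
    if present("password"):
        reasons.append('contains the word "password"')
    if "123" in raw:  # checked on the raw form, before digits are swapped
        reasons.append('contains the sequence "123"')
    month = calendar.month_name[today.month]
    if present(month):
        reasons.append(f"contains the current month ({month})")
    # personal_terms: (label, value) pairs such as a child's, pet's, spouse's
    # or street name, supplied by whoever holds that profile data.
    for label, term in personal_terms:
        if present(term):
            reasons.append(f"contains {label}")
    return reasons

# Constructed sample data, for illustration only.
SAMPLE_PROFILE = [("a pet's name", "Bella"), ("a street name", "Maple")]
SAMPLE_DATE = date(2024, 3, 15)

if __name__ == "__main__":
    for candidate in ("password123", "P@ssw0rd!", "March2024!", "b3ll4Rocks"):
        print(candidate, "->", weak_reasons(candidate, SAMPLE_PROFILE, SAMPLE_DATE))
```

An empty result only means the password avoided these specific patterns; it says nothing about length, reuse across sites, or whether the password has already appeared in a breach.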
How Can You Get Better?
Despite the struggles around password security, there is hope on the horizon. Below are three ways your organization can help employees keep passwords safe and your data secure.
- Single Sign On
Single Sign On solutions, such as Okta, allow employees to use their regular computer password for multiple Software-as-a-Service applications. Single Sign On methods not only make employees’ lives much easier, but they can also significantly improve your security practices by enforcing the same strong password policies that exist on your internal systems across other online applications.
- Multi-Factor Authentication
While mildly annoying, Multi-factor Authentication (MFA) is a great security booster for your business. MFA requires a password and an additional credential (e.g. a code sent via text message, a key fob, a thumbprint, etc.) to access the application. By forcing a second access method, weak passwords are no longer a primary concern. While many executives find MFA annoying, it is definitely a strong solution against the problem of weak passwords.
“69% [of consumers surveyed by RSA and the Ponemon Institute] admit to using the same password for more than one device or site …”
- Password Enumeration Tests
Want to find out exactly how bad your password problems are? Password enumeration tests are controlled tests where a trained security expert tries to brute-force all of the passwords in your company. The results of the test will show you exactly where your problems are, such as common words and phrases used in passwords, how long it took to hack each password, and other common password problems your business may be facing.
- Password Manager
Implementing a secure password management solution or repository is another great way to help your employees avoid poor password security practices. Password managers and other secure password repositories provide a secure, compliant location for employees to store passwords, instead of writing them down, storing them in emails, or saving them in Notepad files on their PCs. Password repositories are also great for any shared passwords that may be used by an entire team, as they again remove the need to share the password via insecure channels.
Whatever you decide to use, remember that there is light at the end of the tunnel. Helping employees keep themselves and your business secure, while still keeping them happy and productive, can be challenging, but with the above methods, it can be done.
Passwords are only one piece of the puzzle when it comes to information security. Check out this handy Security Infographic to learn even more ways to keep your data safe.