

Tackling poor password hygiene habits

No matter which sector an organisation operates in, the only certainty in a business world where survival – and ultimately success – is determined by immediacy, and often by globalisation, is that all businesses must digitally transform their operations, writes Al Sargent, Senior Director of Product at OneLogin, an Identity and Access Management (IAM) product firm.

Digital transformation promises significant cost savings, better cross-departmental and cross-border collaboration, improved customer service, and data-driven insights to inform better business decision making. But, every business’ digital journey brings with it a set of new pressures and challenges. Not only must companies become more agile, but the increased use of digital technologies such as the cloud, big data, mobile, internet of things (IoT) and artificial intelligence (AI) are bringing challenges when it comes to security, compliance and data protection.

Although digital and security go hand in hand, and cybersecurity has become a strategic point for digital businesses, I’ve noticed that in many cases, security basics are remaining an afterthought. The humble password has long been the first line of defence against hackers in modern computing, and although the technology-led world we now live in appears to be outgrowing the password, it still has a vital role to play alongside other layers of technology and mustn’t be overlooked. Failing to have adequate password policies in place will leave the doors open for brute forcing, exposing sensitive corporate data to those with malicious intent.

Recently, OneLogin’s research (by Arlington Research, May 2017, questioning 605 IT decision makers) revealed that 85 per cent of IT decision makers feel they have adequate password protection measures in place. But most are failing to enforce even the most basic password requirements, putting their businesses at significant risk of data breach. On an even more worrying note, less than a third (31 per cent) require employees to rotate passwords monthly, and a further half (52 per cent) admitted to only requesting password rotation once every three months.

Death of the password

Weak passwords have plagued businesses for generations. The fact is that many organisations are going through the motions: they treat passwords as something that must be put in place to show they are simply ‘doing it’, rather than as the first major hurdle to data protection.
Although many businesses require passwords to be a minimum length, to mix upper and lower case, and to use numbers, the majority fail to enforce any further password complexity requirements on employees. Only 37 per cent of those surveyed ask employees to check their passwords against common password lists (an obvious criminal-proofing tactic), and 39 per cent don’t even require employees to use special characters.

The truth of the matter is that the ‘traditional’ password is dead, because passwords can be compromised very easily. This is due, in part, to the substantial number of stolen credentials – over three billion accounts from Yahoo alone – and to the fact that people often use the same password across multiple accounts. So “John Doe’s” Yahoo password might well also be his password for, say, his Barclays bank account. Even worse, many people follow the same predictable patterns when choosing passwords, e.g. “1234567” and so on. Hackers know this and run scripts that use these lists – both common password lists and stolen password lists – to automatically try many different username/password combinations on many websites. Try enough doors and eventually you’ll find one that can be unlocked. These password lists circulate through the hacker community over time. So the way to stay ahead of the hackers is to change passwords regularly, so that even if your password has previously been leaked, you’re already using a new one.

To avoid playing into the hands of hackers and to tackle poor password hygiene habits, employees should be encouraged to use passPHRASES, not passwords. A phrase such as “will Manchester United win the premier league in 2018?”, besides being a question on the lips of fans, is easy to remember, meets the usual character criteria (numbers, uppercase and special characters), is easy to type, and is hard for a computer to guess by brute force.
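The policy checks described above (length, character classes and a common-password list lookup), as an added example that is not part of the original article; the minimum length and the short common-password list are constructed assumptions, since the article gives neither:

```python
import re

# Constructed stand-in for a breach-derived common password list (assumption:
# a real deployment loads a large wordlist and compares case-insensitively).
COMMON_PASSWORDS = {"123456", "1234567", "password", "qwerty", "letmein", "manchester"}

MIN_LENGTH = 12  # assumed policy value; the article states no specific minimum


def check_password(candidate: str) -> list:
    """Return the list of policy rules the candidate fails (empty list means it passes)."""
    failures = []
    if len(candidate) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", candidate):
        failures.append("no lowercase letter")
    if not re.search(r"[A-Z]", candidate):
        failures.append("no uppercase letter")
    if not re.search(r"[0-9]", candidate):
        failures.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        failures.append("no special character")
    # Common-list check is case-insensitive: "Password" is no better than "password".
    if candidate.lower() in COMMON_PASSWORDS:
        failures.append("appears in common password list")
    return failures


if __name__ == "__main__":
    samples = [
        "1234567",                                               # predictable pattern from the article
        "Manchester1",                                           # meets some classes, misses others
        "will Manchester United win the premier league in 2018?",  # the article's passphrase
    ]
    for pw in samples:
        print(repr(pw), "->", check_password(pw) or "OK")
```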

Alongside passPHRASES, the use of multiple factors of authentication must also be encouraged, including MFA apps. An MFA app generates a one-time password (OTP), also known as a token, that is valid for only 30 seconds. Even if hackers guess a user’s password, they won’t be able to guess a randomly generated one-time password before it expires. However, SMS must not be used to send OTPs, as hackers can socially engineer telcos into switching accounts to different phone numbers they control, enabling them to receive the OTP and log into the account. OTPs sent via SMS can also be viewed on locked screens, meaning they are visible on a stolen phone.
MFA apps also have end-to-end military-grade encryption that remains secure even over untrusted networks, unlike OTPs sent via SMS. However, MFA apps should only be used on phones that haven’t been jailbroken, since jailbroken phones can contain malware that intercepts OTPs and sends them to hackers to log into apps. By using MFA apps on phones that are protected via passcodes, Touch ID or Face ID, OTPs won’t be revealed on locked screens, and even if a phone has been stolen, it cannot be used to reveal OTPs.

Finally, applications should be secured via Adaptive Authentication, which looks for anomalies in the login process. Examples include a user logging in from an IP address known to host malware, from a country they never usually log in from, or from a new device they haven’t previously used. In all these cases IT should at the very least be notified, and in some cases access should be denied.
If all these steps are followed, not only will hackers’ lives become harder, but IT teams and CEOs can be safe in the knowledge that sensitive corporate data is secure from hackers’ malicious hands.
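A minimal version of the adaptive check just described, as an added example that is not OneLogin's product logic; the user profile, the denylisted address (a TEST-NET placeholder) and the notify/deny thresholds are all constructed assumptions:

```python
from dataclasses import dataclass

# Constructed sample data: an IP denylist plus each user's previously seen
# countries and device identifiers (assumption: a real system builds these
# from login history and threat-intelligence feeds).
MALWARE_HOSTING_IPS = {"203.0.113.7"}  # placeholder TEST-NET address
KNOWN_PROFILE = {
    "jdoe": {"countries": {"GB"}, "devices": {"laptop-01"}},
}


@dataclass
class LoginAttempt:
    user: str
    ip: str
    country: str
    device_id: str


def assess(attempt: LoginAttempt) -> tuple:
    """Return (decision, anomalies) where decision is 'allow', 'notify' or 'deny'.

    Assumed policy: a denylisted IP or two or more anomalies denies access;
    a single anomaly lets the user in but alerts IT; no anomaly allows."""
    profile = KNOWN_PROFILE.get(attempt.user, {"countries": set(), "devices": set()})
    anomalies = []
    if attempt.ip in MALWARE_HOSTING_IPS:
        anomalies.append("ip known to host malware")
    if attempt.country not in profile["countries"]:
        anomalies.append("unusual country")
    if attempt.device_id not in profile["devices"]:
        anomalies.append("new device")

    if "ip known to host malware" in anomalies or len(anomalies) >= 2:
        return "deny", anomalies
    if anomalies:
        return "notify", anomalies
    return "allow", anomalies


if __name__ == "__main__":
    for a in [
        LoginAttempt("jdoe", "198.51.100.4", "GB", "laptop-01"),  # usual pattern
        LoginAttempt("jdoe", "198.51.100.4", "GB", "phone-02"),   # new device only
        LoginAttempt("jdoe", "198.51.100.4", "US", "phone-02"),   # new country and device
        LoginAttempt("jdoe", "203.0.113.7", "GB", "laptop-01"),   # denylisted IP
    ]:
        print(a.device_id, a.country, a.ip, "->", assess(a))
```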
