Avoiding the Risks of Poor Password Practices
The latest in a long line of security breaches hit eBay last week. On May 21st the company announced that, two months ago, hackers broke into its systems and stole the customer names, passwords, email and physical addresses, phone numbers, and birth dates associated with “a large number of accounts.” eBay is recommending that customers change their passwords immediately.
The good news is that eBay’s password data was encrypted using techniques that should be difficult for the hackers to crack. The bad news is that many users have the same password for multiple accounts. If hackers were somehow able to access a user’s eBay password — or any other password for that matter — many of that user’s accounts would be at risk.
Despite ever-more-sophisticated security threats, the humble password remains a first line of defense for your systems and network. It is absolutely essential to establish strict password policies and ensure that everyone in your organization follows password best practices.
Here are eight ways to make your organization’s passwords more effective.
- Use a different username and password for every login. If a hacker learns one combination that is used multiple times, or even a common password, the damage done can quickly turn from minor to devastating.
- Require employees to use separate passwords for business and personal use. Hackers who gain access to personal login information will attempt to use that information to access corporate accounts. This is particularly true when employees use their personal mobile devices to access company resources.
- Make passwords long and complex. This may frustrate users who want simple, easy-to-remember passwords, but a network compromise caused by a cracked password would be far worse. Instead of a password, think of it as a passphrase that’s at least eight characters in length. Use a mixture of upper- and lower-case letters, numbers, and special characters.
- Keep passwords secure. Don’t write passwords down or share them. Instead, use a password management tool so that you have just one strong password to remember.
- Change default passwords immediately. When a default password is provided, the user is almost always advised to change it and given instructions about how to do so. Heed that advice. Default usernames and passwords are often so predictable that hackers can guess them without any effort.
- Limit access to administrator passwords. The best way to ensure that administrator accounts across your organization are properly controlled is to limit the number of people who have access to these accounts. This applies to your social media accounts as well.
- Revoke credentials when an employee leaves. Deactivating a former employee’s account is only one step. You also need to determine whether this employee had access to shared passwords or password-protected systems, revoke those credentials, and change the appropriate passwords.
- Monitor your systems for remote access attempts by former employees. The experts at ICG can help you identify suspicious activity and take appropriate action against unauthorized individuals who are trying to gain access to your network.
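The length, character-mix, default-password and reuse points above are simple enough to enforce mechanically. The following Python is an added example written for this article, not ICG's code or tooling; the list of default passwords and the sample account vault it checks are constructed for illustration, and a real deployment would use the vendor's documented defaults and a breached-password list instead.

```python
import string

# Constructed list of common default/placeholder passwords for illustration only.
KNOWN_DEFAULT_PASSWORDS = {"admin", "password", "123456", "changeme", "default"}

# Minimum length the article recommends for a passphrase.
MIN_LENGTH = 8


def check_password_policy(password: str, username: str = "") -> list[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    # Catch unchanged vendor/default credentials regardless of letter case.
    if password.lower() in KNOWN_DEFAULT_PASSWORDS:
        problems.append("matches a known default password")
    # A password that embeds the username is trivially guessable.
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


def find_reused_passwords(vault: dict[str, str]) -> dict[str, list[str]]:
    """Given an {account: password} mapping (as a password manager holds it),
    return every password that is shared by more than one account, with the
    accounts that use it.  Reuse is what turns one leaked password into many
    compromised accounts."""
    by_password: dict[str, list[str]] = {}
    for account, password in vault.items():
        by_password.setdefault(password, []).append(account)
    return {pw: accounts for pw, accounts in by_password.items() if len(accounts) > 1}


if __name__ == "__main__":
    # Constructed sample vault for illustration.
    sample_vault = {
        "ebay": "Sunny-Day-2014!",
        "mail": "Sunny-Day-2014!",
        "bank": "Other-Pass-77#",
        "router": "admin",
    }
    for account, pw in sample_vault.items():
        print(account, check_password_policy(pw, username=account) or "ok")
    print("reused:", find_reused_passwords(sample_vault))
```

Run the policy check at password-set time (or over an exported manager vault during an audit) and reject any password with a non-empty problem list; the reuse check is what a password manager's own audit feature performs over its vault.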
A single cracked password can be disastrous. Money, credibility, reputation, sensitive data and competitive advantages can be instantly lost or damaged. Creating strong, unique passwords, regularly changing those passwords, and controlling access will make your organization much more secure. Call ICG if you need help developing, implementing or updating your organization’s password policy.