Are you worried about cyber-security? It’s time to kill the password.
BY IT GLUE | June 29, 2016
Passwords. Everyone hates passwords. I can’t remember them all, so I’ll just use one. Make me use a complex password? I’ll just write it on a sticky note. Make me change it regularly? Another sticky note. I just want to use one password… everywhere. Cyber-security, what is it anyway?
Passwords are a weak link in any cyber-security program.
Users will always find ways around good password controls. But when someone can guess a password and get into your network, all the security in the world is useless.
On your corporate network, strong passwords should be enforced at the server level. For Windows networks, this is done in group policy, where you can enforce the minimum length, complexity, password expiry, and how many previous passwords are remembered so they can’t be reused.
Why is this important?
If you use the same password on your network as on Twitter, Facebook or LinkedIn, what happens when one of those gets breached? A large number of popular social media websites have reported having usernames and passwords breached.
Those accounts are for sale to hackers. You can guarantee they will be tested against other services to see what else they can get access to. Your password is slightly different? They will test common variations as well (password and password1).
Do you share the same password, or a slightly different version, between your corporate network, online banking, and social media? I hope not.
Complex passwords that you have to change regularly reduce the risk of a breach due to password reuse or simple dictionary attacks.
Cloud solutions offer fabulous services that help enable our businesses. From data storage to CRM to ERP, they have become the platform that many businesses find success with. They’re designed to be accessible from anywhere – over the Internet from your office, even wirelessly using a mobile device from the beach. The data they collect and their accessibility make them the perfect target for cyber-attacks.
If we’re going to trust someone else with our data and business processes, it has to be secure. Cloud servers can be a bigger cyber-security risk than your internal systems. With the myriad of ways passwords fail us, a simple username and password isn’t good enough. Death to the password!
Leading cloud-based services now offer multi-factor authentication or single sign-on capabilities. These are much more secure options for accessing cloud-based services.
Multi-factor authentication (MFA) leverages two or more elements to validate you:
- Something you know (like a username and password).
- Something you have (like a token, access card, or a PIN provided by text).
- Something you are (like a fingerprint or facial recognition).
With multi-factor authentication, hackers can’t gain access with just a username and password.
Single sign-on leverages a trusted sign-on provider, such as Google, Facebook, or Active Directory (Windows), to log you into a system. That means that the website you’re logging into doesn’t even have a username and password for you – it leverages a system you already trust.
That’s one less password. It’s one less account that could be breached.
If your cloud service provider has any of your confidential data and can’t do multi-factor authentication or single sign-on, consider it a risk. If it’s a risk you can accept, then implement a password manager to provide extremely complex passwords that are unique to each service.
What do I do?
Develop clear password policies, such as:
- Corporate systems require complex passwords that change regularly (every 3-6 months) and can’t be reused (the last 10 passwords are remembered).
- Internet facing corporate systems require dual-factor authentication (products like Duo.com or AuthAnvil are easy to implement and inexpensive).
- Cloud-based services with corporate data require single sign-on with a trusted provider, or multi-factor authentication (preferably both, like Google and Microsoft do).
- Don’t share passwords. Don’t write them on sticky notes. Ever. Please.
About the Author
Mike is a Technology Strategist, Project Superhero and Cyber-Security Simplifier. He is a partner at Incrementa Consulting, a boutique consulting firm dedicated to helping businesses be more successful. You can connect with Mike on Twitter, LinkedIn or the Incrementa website.