Your weakest data security link might be passwords
Tue, 09 Feb 2016 12:00
However strong your security systems are, they can be quickly undermined if your users choose weak passwords. For many organisations, weak passwords are the weakest link and the most exposed vulnerability. Rather than fighting through robust firewalls or locked-down servers, attackers target your users and gain access by guessing or cracking weak passwords.
When users choose simple or short passwords they are effectively fitting a weak lock to your IT, one that any attacker can pick in minutes. And once they have a route in, attackers typically waste little time in exploiting that access and stealing your data.
In 2014, Sony Pictures were the victim of a hacker who attempted to blackmail the organisation. The hacker released a hoard of Sony data, including passwords used by employees to access the internal system. BuzzFeed reported that the data dump included "139 Word documents, Excel spreadsheets, zip files and PDFs containing thousands of passwords to Sony Pictures internal computers, social media accounts, and web services accounts." It gets worse. "Most of the files are plainly labelled with titles like 'password list.xls' or 'YouTube login passwords.xls'."
Sony employees were storing their passwords in plain text, in easily identifiable documents, making life easy for the hackers. Worse, the passwords themselves were often weak and trivial to guess, such as 's0ny123' and 'password': a company name with a single digit substitution, and the most common password in almost every breach list.
While passwords like these may smack of incompetence, the truth is that few organisations (if any) can be sure that every employee is choosing secure passwords and keeping them from prying eyes. After all, how can an organisation hope to monitor the actions of employees on a range of devices, who may be using an enormous array of sites and applications, from a variety of locations?
Creating strong passwords
We all know, in principle, what makes a good password. But the long sequences of numbers, letters and symbols that make strong passwords are also hard to remember. So most users strike a balance between memorability and security, and many simply plump for something quick to type and impossible to forget. It is not surprising that so many people pick 'password' or the name of a loved one. It is worth remembering that length matters more than symbol variety: a long passphrase of ordinary words is both harder to crack and easier to remember than a short string of random characters.
Employee education is usually the first step in improving password security. By reminding people of the importance of passwords and giving them the skills to create and remember strong passwords, organisations can make it harder for hackers to gain access.
In addition to education, organisations benefit from tools that help users manage passwords. A password manager lets users keep a unique, randomly generated password for every site while remembering only one, and a policy check at the point where a password is set can reject the obvious choices before they reach the directory. Two-factor authentication is another technique for hardening security at little cost to employees: even if a password is guessed or leaked, it is not enough on its own to log in.
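The kind of policy check mentioned above, as an added example rather than anything from the original page or from DeltaNet: it rejects passwords from a short denylist after undoing the common digit-for-letter substitutions (so 's0ny123' is recognised as 'sony'), blocks the organisation's own name, and estimates the brute-force search space. The denylist, the organisation word list and the thresholds are all constructed for the example; a real deployment would load a large breach corpus such as a Have I Been Pwned hash set instead.

```python
"""Password policy check: denylist with leet-speak normalisation plus a
naive search-space estimate.  Added example; the lists below are
constructed for illustration and are not a real breach corpus."""
import math
import re
from typing import List

# Constructed denylist of the kind of entries found in leaked dumps.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}

# Words specific to the organisation that must not appear (assumed for
# the example; the page's 's0ny123' is the motivating case).
ORG_WORDS = {"sony"}

# Common substitutions people use to "strengthen" a dictionary word.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def normalise(pw: str) -> str:
    """Lower-case, drop trailing digits, undo digit/symbol substitutions.
    's0ny123' -> 'sony', 'P@55w0rd' -> 'password'."""
    base = re.sub(r"\d+$", "", pw.lower())
    return base.translate(LEET)


def charset_size(pw: str) -> int:
    """Size of the smallest obvious alphabet the password is drawn from."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"\d", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33  # printable ASCII punctuation
    return size


def naive_entropy_bits(pw: str) -> float:
    """log2(charset ** length): an upper bound that assumes the password
    is uniformly random, which human-chosen passwords never are.  The
    denylist check is the one that catches real-world weak passwords."""
    cs = charset_size(pw)
    return len(pw) * math.log2(cs) if cs else 0.0


def check_password(pw: str, min_len: int = 12, min_bits: float = 50.0) -> List[str]:
    """Return the list of policy failures; an empty list means accepted."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    norm = normalise(pw)
    if pw.lower() in COMMON_PASSWORDS or norm in COMMON_PASSWORDS:
        problems.append("appears in common-password list")
    if any(word in norm for word in ORG_WORDS):
        problems.append("contains organisation name")
    if naive_entropy_bits(pw) < min_bits:
        problems.append("search space too small")
    return problems


if __name__ == "__main__":
    for candidate in ["password", "s0ny123", "P@55w0rd",
                      "correct-horse-battery-staple"]:
        verdict = check_password(candidate) or ["accepted"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

Note that the two Sony examples fail on three separate grounds each, which is the point: any one of the checks would have stopped them. The entropy figure is deliberately treated as a ceiling, not a measure of real strength; a password that passes it but sits in a breach list is still weak.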
How does your organisation manage passwords? Do you have rules for creating strong passwords? And do you monitor how passwords are used and stored?
At DeltaNet we offer a range of compliance eLearning, designed to give your teams the knowledge and skills they need, whenever they need it. In addition to our off-the-shelf courses, we can customise eLearning programmes to suit the needs of your business. Our IT security courses include: