With innovative technologies seemingly hitting the news daily, promising to slash overheads and bolster operational efficiencies, it is no wonder that industries are jumping at the chance to digitally transform their businesses.
It does hold true that digital transformation presents companies with an opportunity to save costs, extend collaboration, improve customer service and inform business decision-making. But every business's digital journey brings with it a set of new pressures and challenges. Not only must companies become more agile, but the increased use of digital technologies such as the cloud, big data, mobile, the internet of things (IoT) and artificial intelligence (AI) is bringing new challenges in security, compliance and data protection.
Although digital and security go hand in hand, and cybersecurity has become a strategic priority for digital businesses, I've noticed that in many cases the security basics remain an afterthought.
The humble password has long been the first line of defence against hackers in modern computing, and although the technology-led world we now live in appears to be outgrowing the password, it still has a vital role to play alongside other layers of technology and mustn’t be overlooked. Failing to have adequate password policies in place will leave the doors open for brute forcing, exposing sensitive corporate data to those with malicious intent.
Recently, OneLogin’s research[i] revealed that 85 per cent of IT decision makers feel they have adequate password protection measures in place. But most are failing to enforce even the most basic password requirements, putting their businesses at significant risk of data breach. On an even more worrying note, less than a third (31 per cent) require employees to rotate passwords monthly, and a further half (52 per cent) admitted to only requesting password rotation once every three months.
Birth of the new password
Weak passwords have plagued businesses for generations. The fact is that many businesses simply go through the motions, treating passwords as a box to tick to show they are 'doing it', rather than as the first major hurdle an attacker must clear to reach their data.
Although many businesses require passwords to be a minimum length, a mix of upper and lower case, and to use numbers, the majority are failing to enforce any further password complexity requirements on employees. Only 37 per cent of those surveyed ask employees to check their passwords against common password lists (an obvious criminal-proofing tactic) and 39 per cent don’t even require employees to use special characters.
The truth of the matter is that the 'traditional' password is dead, because it can be compromised so easily. This is due, in part, to the substantial number of stolen credentials in circulation (over three billion accounts from Yahoo alone) and to the fact that people often reuse the same password across multiple accounts. So "John Doe's" Yahoo password might well also be the password for, say, his Barclays bank account. Even worse, many people follow the same predictable patterns when choosing passwords, e.g. "1234567" and so on.
Hackers know this and run scripts that use these lists – both common password lists, and stolen password lists – to automatically try many different username/password combinations on many websites. Try enough doors, and eventually, you’ll find one that can be unlocked.
These password lists circulate through the hacker community over time. So one way to stay ahead of the hackers is to change passwords regularly, so that even if your password has previously leaked, you have already moved on to a new one.
Cleaning up computer hygiene
To avoid playing into the hands of hackers and to tackle poor password hygiene habits, employees should be encouraged to use passPHRASES, not passwords. A phrase such as “will Manchester United win the premier league in 2018?”, besides being a question on the lips of fans, is not only easy to remember, but it also meets character criteria (numbers, uppercase and special characters), is easy to type and is hard for a computer to guess in a brute force manner.
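The two paragraphs above (the complexity requirements and common-password check that most businesses skip, and the passphrase that satisfies them) can be turned into a concrete policy check. The following Python is an added example, not code from the article or from OneLogin; the policy values, the tiny common-password list and the leet-speak substitution table are constructed assumptions standing in for a real breached-password corpus.

```python
from __future__ import annotations
import re
import unicodedata

# Constructed sample of a "common password" list. A real deployment would load a
# large breached/common-password corpus (one entry per line) instead of this set.
COMMON_PASSWORDS = {
    "123456", "1234567", "12345678", "password", "password1",
    "qwerty", "letmein", "welcome1", "manchester", "iloveyou",
}

# Assumed policy values; the article only says "minimum length, mixed case, numbers".
POLICY = {
    "min_length": 12,
    "require_upper": True,
    "require_lower": True,
    "require_digit": True,
    "require_special": True,
}

# Assumed substitution table: undoes the usual "p@ssw0rd" tricks before the list check.
LEET_TABLE = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s", "!": "i"})


def normalise(candidate: str) -> str:
    """Lower-case and strip accents so 'Pässword' still matches 'password'."""
    nfkd = unicodedata.normalize("NFKD", candidate)
    return "".join(c for c in nfkd if not unicodedata.combining(c)).lower()


def variants(candidate: str) -> set[str]:
    """Forms of the candidate to look up: as typed, without trailing digits,
    and with leet substitutions undone (so 'P@ssw0rd1' is caught as 'password')."""
    base = normalise(candidate)
    stripped = re.sub(r"\d+$", "", base)
    return {base, stripped, base.translate(LEET_TABLE), stripped.translate(LEET_TABLE)}


def check_password(candidate: str, policy=POLICY, common=COMMON_PASSWORDS) -> list[str]:
    """Return the list of policy violations; an empty list means the candidate passes."""
    problems = []
    if len(candidate) < policy["min_length"]:
        problems.append(f"shorter than {policy['min_length']} characters")
    if policy["require_upper"] and not any(c.isupper() for c in candidate):
        problems.append("no upper-case letter")
    if policy["require_lower"] and not any(c.islower() for c in candidate):
        problems.append("no lower-case letter")
    if policy["require_digit"] and not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    if policy["require_special"] and not any(
        not c.isalnum() and not c.isspace() for c in candidate
    ):
        problems.append("no special character")
    if any(v in common for v in variants(candidate)):
        problems.append("appears on the common-password list")
    return problems


if __name__ == "__main__":
    for pw in ["will Manchester United win the premier league in 2018?", "P@ssw0rd1", "1234567"]:
        print(repr(pw), "->", check_password(pw) or "OK")
```

The passphrase from the article passes every rule, while "P@ssw0rd1" fails both the length rule and the list check once its substitutions are undone; a check that only matched the literal string would have let it through.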
In conjunction with passPHRASES, the use of multiple factors of authentication must also be encouraged, including MFA apps. An MFA app generates a one-time password (OTP), also known as a token, that is valid for only 30 seconds. Even if hackers guess a user's password, they won't be able to guess a randomly generated one-time password before it expires. However, SMS must not be used to send OTPs, as hackers can socially engineer telcos into switching accounts to different phone numbers they control, enabling them to receive the OTP and log into the account. OTPs sent via SMS can also be viewed on locked screens, meaning they are visible on a stolen phone.
MFA apps also use end-to-end, military-grade encryption that remains secure even over untrusted networks, unlike OTPs sent via SMS. However, MFA apps should only be used on phones that haven't been jailbroken, since jailbroken phones can contain malware that intercepts OTPs and sends them to hackers to log into apps. By using MFA apps on phones that are protected via passcodes, Touch ID or Face ID, OTPs won't be revealed on locked screens, and even if a phone is stolen its OTPs cannot be read.
Finally, applications should be secured via Adaptive Authentication, which looks for anomalies in the login process: for instance, a user logging in from an IP address known to host malware, from a country they never usually log in from, or from a new device they haven't previously used. In all these cases IT should at the very least be notified, and in some cases access should be denied.
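The three anomalies listed above can be expressed as a small rule engine over login events. The following Python is an added example, not code from the article or from OneLogin's product; the escalation policy (one anomaly notifies IT, a malware-associated IP or two anomalies at once denies access), the sample IP reputation set and the login events are all constructed for the example.

```python
from dataclasses import dataclass, field

ALLOW, NOTIFY, DENY = "allow", "notify", "deny"

# Constructed reputation data: addresses previously seen hosting malware.
# 203.0.113.0/24 is a documentation range (RFC 5737), so nothing real is named.
MALWARE_HOSTS = {"203.0.113.7"}


@dataclass
class LoginEvent:
    user: str
    ip: str
    country: str
    device_id: str


@dataclass
class UserProfile:
    """What the IdP has learned from this user's previous confirmed logins."""
    known_countries: set = field(default_factory=set)
    known_devices: set = field(default_factory=set)


def evaluate(event: LoginEvent, profile: UserProfile, malware_hosts=MALWARE_HOSTS):
    """Return (decision, reasons). Assumed policy: any single anomaly notifies IT;
    a malware-associated source IP, or two or more anomalies together, denies access."""
    reasons = []
    if event.device_id not in profile.known_devices:
        reasons.append("new device")
    if event.country not in profile.known_countries:
        reasons.append("new country")
    if event.ip in malware_hosts:
        reasons.append("IP on malware-host list")

    if "IP on malware-host list" in reasons or len(reasons) >= 2:
        return DENY, reasons
    if reasons:
        return NOTIFY, reasons
    return ALLOW, reasons


def record_confirmed_login(event: LoginEvent, profile: UserProfile) -> None:
    """Only a login IT has confirmed as legitimate teaches the profile a new device/country."""
    profile.known_devices.add(event.device_id)
    profile.known_countries.add(event.country)


def run_sample():
    """Walk a constructed sequence of logins for one user and return the decisions."""
    profile = UserProfile(known_countries={"GB"}, known_devices={"laptop-01"})
    events = [
        LoginEvent("jdoe", "198.51.100.20", "GB", "laptop-01"),   # routine login
        LoginEvent("jdoe", "198.51.100.21", "GB", "phone-02"),    # new device only
        LoginEvent("jdoe", "192.0.2.44", "BR", "kiosk-09"),       # new device and new country
        LoginEvent("jdoe", "203.0.113.7", "GB", "laptop-01"),     # known device, bad IP
    ]
    decisions = []
    for ev in events:
        decision, reasons = evaluate(ev, profile)
        decisions.append((decision, reasons))
        if decision == ALLOW:
            record_confirmed_login(ev, profile)
    return decisions


if __name__ == "__main__":
    for decision, reasons in run_sample():
        print(f"{decision:6s} {reasons}")
```

Note that the profile only learns from logins that were allowed or confirmed; if a "notify" login silently added the new device to the profile, an attacker's first attempt would teach the system to trust the second.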
These preventative steps are necessary for every industry looking to reap the rewards of digital transformation, so that CEOs and IT managers can be confident that sensitive corporate data is secure from hackers' malicious hands.
[i] OneLogin Mobile Security Research, conducted by Arlington Research, May 2017. The research questioned 605 IT decision makers in the UK.