Bad Password Practices
Introduction
Many businesses implement terrible password practices, either by deliberately accepting greater risk for the sake of convenience, or because those in charge of setting security policies are not properly trained or have neglected to do their job.
Problems
Here are some common poor practices:
- All or most users have simple, formulaic passwords. For example, Abel, Baker, and Charlie all log in to the business network and their mailbox with passwords like Abel123, Baker123, and Charlie123—including the boss and HR manager, who have access to the company payroll system. With such a setup, the restrictive permissions configured on sensitive data are pointless, because anyone who has seen one password knows the pattern and can guess a manager's password and get to the data, whether they are an employee or not. But, the company enjoys never having to bother with users forgetting passwords, and users like being able to get into each other's files when they need to. This philosophy often extends to the phone system, where everyone's voicemail passcode is something like 1111 or 1234.
- Inadequately protecting passwords. This is manifested in many forms, the most glaring of which is the password written on a sticky note and attached to the side of a user's screen. When challenged on this, the user will often say, "Well, I don't need to hide this account from anyone here", especially since it's a business resource and everyone else in the office has access through their own account anyway. But, there are several problems with this. A user leaves the company, and his login account is disabled, but he still knows another user's password and can get in, thanks to seeing that user's sticky note every day. So he copies your company's entire client list and takes it to your rival. Or, a deliveryman who happens to be an aspiring David Lightman sees the password, then goes home and logs in to your system (and not just to change his grades).
- Sharing passwords. Even if users all have unique and private passwords, we still often see this: A user wants to share resources on the network (such as his Exchange calendar, or data on a file server) with someone else, so he just gives his password to the other user. This seems innocent enough, but it gives rise to several problems. First, it creates a dangerous culture where users undervalue the importance of clearing access with appropriate authorities in your company, increasing the risk that a user will give a password to the wrong person. Or, even if the person is authorized to see the data he's intended to see, sharing passwords instead of having your IT department enable the access can lead to inappropriate access. For example, your accounts payable manager shares his e-mail password with your HR manager so she can copy a bunch of contacts from his mailbox, without considering that the HR manager can use that now to get into the company's bank account. When password sharing is not strictly forbidden, your company management will have no control over who has access to what.
- Failing to discourage password re-use or require two-factor authentication. To help manage the multitude of passwords most people must track for their various login accounts, users often resort to using the same password for different systems. This doesn't present as immediate a threat as the other three problems listed above. However, if a given service has a data breach and customer passwords are exposed, and this includes any of your employees' accounts, then a criminal who gets that information will try those passwords against other well-known services (a technique known as credential stuffing), including, of course, your employees' e-mail accounts. This has happened, and it's been in the news. For example, when passwords to LinkedIn accounts were leaked in 2012, one of the LinkedIn users exposed was a Dropbox employee who used the same password for his work account as he did for his LinkedIn account. So criminals were able to log in easily to Dropbox's corporate network with his account, where they must have been very pleased to find, in a folder he had access to, a file of Dropbox user credentials. It later emerged that the hashed passwords of roughly 68 million Dropbox users had been taken, about half of them protected by bcrypt and the rest by salted SHA-1, which is far easier to crack. If this Dropbox employee hadn't re-used his password, or if Dropbox had required its employees (or even just administrators) to use two-factor authentication, the leaked LinkedIn password alone would not have been enough to get in.
As you can see, without diligent implementation of good policies and practices, a business may have passwords on all their accounts, but little control over access to systems and data.
Solutions
- Education/awareness. If the above describes your company, change the culture. Train each user to consider the secrecy of any password he or she uses for any resource at the office to be his or her individual responsibility, and never to be exposed in any way, or shared with other users regardless of trust. Be frank; tell them your approach to account security has been inadequate, and you're now fixing it.
- Administrative enforcement. This is a broad topic beyond the scope of this article. But, a few words. Make sure your users sign an Acceptable Use Policy, which establishes formal discipline for users who fail to secure their network resources, or who share a password in violation of your policy. You can find one here that's suitable for most businesses to use without modification.
- Technical assistance. If your IT system manager is not fully on board with your implementation of better account security, then the confidentiality and integrity of your data will remain at risk. Consider the following:
- Password Management. Have your IT system manager reset every password that follows the old pattern, and enable technical enforcement of a sensible policy: a minimum length (12 or more characters), screening of new passwords against lists of breached and easily guessed passwords, and lockout or throttling of repeated failed logins. Be careful with the traditional complexity and expiration rules: current guidance (NIST SP 800-63B) advises against character-class rules and scheduled password changes, because they push users toward predictable variations such as Abel124, and favors length, breach screening, and two-factor authentication instead. Do force a change, promptly, whenever there is reason to believe a password has been exposed.
- Permissions. Make sure your IT system manager understands exactly who should have access to what, and that he implements proper permission settings from top to bottom to prevent anyone from accessing anything they are not explicitly authorized to see.
- File Sharing. Have your IT system manager devise solutions for data sharing that will obviate the need for your users to share passwords. For example, your IT system manager should set up a system where users can request to enable access to a particular file folder, and the IT department can promptly validate the request through proper authority, then configure the permissions. Or, decide whether to allow users to invite others to view files without the IT department's involvement (which may be already enabled if you use file storage systems like Google Drive or Microsoft OneDrive for Business). If you choose to allow it, only enable it for users you trust to make the correct judgment in relation to sharing sensitive files, and who have the technical capability not to accidentally expose files to unintended parties when trying to share them. If you choose not to allow this for any users, ensure your IT department knows how to disable that function. Only with diligence and persistence can you maintain control over the permissions assigned to files stored in your company file storage system. Of course, in any case, if a user has access to a given file, that user can always copy and post it to another file sharing site. Managing this also involves a combination of administrative and technical controls, which are beyond the scope of this article.
- Password management services. Many password management systems exist that allow complex and unique passwords to be generated and stored securely for every account your employees use. These may be hosted online through a subscription service, or managed on your own systems with installed software and a local database of passwords. Either way, such systems must be implemented carefully, or the benefits they offer may not be realized: the vault becomes the one password that matters, so protect it with a long master passphrase and two-factor authentication, make sure an administrator can recover a vault when an employee leaves or forgets the master passphrase, and have users share credentials through the manager's own sharing feature rather than by e-mail or sticky note.
- Information Security Program. Bad password practices indicate that broader management of information security has been inadequate. With a very small business, managers can make great improvements with the tips in this article and others in the J.D. Fox Micro Resource Center. But, if your company is any larger than a handful of employees, or your business information assets are of unusually high value, then you should have an Information Security Program in place. For assistance with this, please check out J.D. Fox Exec (link opens in a new window or tab).
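The Password Management item above calls for technical enforcement; what that should mean at password-set time is a screening check that rejects the formulaic Abel123-style passwords and the breached passwords described under Problems. The following Python is an added example written for this article, not code from J.D. Fox Micro or from any password product. The breached-password corpus is a small constructed stand-in for a real list such as Pwned Passwords, the 12-character minimum is an assumed local policy choice, and lookup_range stands in for the network call a real deployment would make.

```python
import hashlib
import re

# Constructed stand-in for a breached-password corpus. A real deployment would use
# a list such as Have I Been Pwned's Pwned Passwords; these entries are invented for
# the example and hashed at load time so the script runs offline.
BREACHED_CORPUS = ["password", "Password1", "123456", "Abel123", "Summer2019!"]


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of a password, the form used by the Pwned Passwords data set."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_ranges(corpus):
    """Index hashes by their first five hex characters (the k-anonymity 'range' layout).
    A client sends only the 5-character prefix and matches the suffix locally, so the
    password, and even its full hash, never leaves the client."""
    ranges = {}
    for pw in corpus:
        h = sha1_hex(pw)
        ranges.setdefault(h[:5], set()).add(h[5:])
    return ranges


BREACH_RANGES = build_ranges(BREACHED_CORPUS)


def lookup_range(prefix: str) -> set:
    """Stand-in (assumed) for the network call that fetches one range; only the prefix is exposed."""
    return BREACH_RANGES.get(prefix, set())


def is_breached(password: str) -> bool:
    h = sha1_hex(password)
    return h[5:] in lookup_range(h[:5])


def derived_from_username(password: str, username: str) -> bool:
    """Catch the Abel123 pattern: the account name (or e-mail local part) padded with at
    most four extra characters, in any letter case."""
    core = re.sub(r"[^a-z]", "", username.split("@")[0].lower())
    pw = password.lower()
    return bool(core) and core in pw and len(pw) - len(core) <= 4


def is_trivial_sequence(password: str) -> bool:
    """Catch 1111-style repeats and 1234/abcd-style straight runs, ascending or descending."""
    if len(set(password)) == 1:
        return True
    codes = [ord(c) for c in password]
    steps = {b - a for a, b in zip(codes, codes[1:])}
    return steps in ({1}, {-1})


def evaluate_password(password: str, username: str, min_length: int = 12) -> list:
    """Return the reasons a password fails the policy; an empty list means accepted.
    The checks follow the NIST SP 800-63B approach: a length floor plus screening against
    breached and guessable values, with no composition rules and no scheduled expiry.
    min_length=12 is an assumed local policy choice, not a figure from the article."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if derived_from_username(password, username):
        reasons.append("derived from the account name")
    if is_trivial_sequence(password):
        reasons.append("repeated character or straight sequence")
    if is_breached(password):
        reasons.append("appears in a breach corpus")
    return reasons


if __name__ == "__main__":
    # Constructed sample accounts mirroring the article's Abel/Baker/Charlie example.
    samples = [
        ("abel", "Abel123"),
        ("baker", "1111"),
        ("charlie@example.com", "Summer2019!"),
        ("dana", "lantern-otter-gravel-quietly"),
    ]
    for user, pw in samples:
        verdict = evaluate_password(pw, user)
        print(f"{user!r:24} {pw!r:32} {'OK' if not verdict else '; '.join(verdict)}")
```

Only the five-character hash prefix is handed to lookup_range, which mirrors how the Pwned Passwords range API is queried so that neither the password nor its full hash leaves your system; in production, replace lookup_range with a request to that service or a locally downloaded copy of the list. Keep the corpus real: a toy list like the one above will wave through plenty of well-known passphrases that a genuine breach list would catch.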