
Protecting passwords: Relatively simple solutions for a big cybersecurity risk

Summit Business Technologies CEO Mike Cohn offers tips for businesses in a much-maligned area that's at the heart of many data breaches.

Businesses need a plan to protect passwords. Photo by Flickr user World's Direction

Bad habits die hard, which is why passwords are a migraine for information security professionals and neglected by users. Employees still fall back on predictable, easy-to-guess passwords that attackers can crack in minutes, if not seconds.

SplashData’s 100 Worst Passwords of 2018 shows that people still rely on the same passwords that have appeared on the Worst Password lists for years, like “123456,” “111111,” and “password,” but the list has expanded to include movie names, sports, car brands and, new last year, “Donald.”

Even eight-character passwords that mix letters and numbers now fall in minutes to attackers running brute-force and dictionary attacks on commodity GPUs, which test billions of guesses per second against fast, unsalted hashes. That may be why one user on Slashdot, a social news site that bills itself as “News for Nerds,” has already proclaimed, “the eight-character password is dead.”

Password risk mitigation strategies

With more than half of all data breaches resulting from weak or stolen passwords, organizations need to exert more control over passwords to reduce the risk of a breach and the liabilities that follow. We recommend businesses consider the following options:

  • Screening tools that reject a new password when it fails defined criteria: too short, identical to a password the user has already used, or present on a blacklist of passwords known to have been exposed in prior compromises.
  • Password policies. No one likes them. But for now, everyone needs them to ensure that employees choose and use strong passwords and understand the potential sanctions if policies are violated. In the future, passwords may be replaced by security tokens, physical devices used to gain access to resources. But for now, passwords are the security standard.
  • Password managers that require just one login credential, or master key, to open a digital vault that stores all other passwords. Password managers can also generate a strong, unique password each time an employee signs up on a website. This function reduces the risk that employees will use the same login credentials for your network and for multiple other sites.
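As an added example, not code from the original post or from Summit Business Technologies, the following Python shows the kind of screening the first bullet describes: a minimum length, a lookup against a breached-password corpus, and a check against the user's own password history. The three-entry breach list and its counts are constructed stand-ins for a real corpus such as Have I Been Pwned's Pwned Passwords, and `fetch_sample_range` stands in for that service's k-anonymity range query, which is looked up by the first five hex characters of the SHA-1 hash so the full hash never leaves the host. The 12-character minimum and the PBKDF2 work factor are assumptions, not figures from the post. The last function generates a password the way a password manager would, for the third bullet.

```python
import hashlib
import hmac
import secrets
import string

# Constructed sample of breached passwords with breach counts. Assumption:
# a stand-in for a real corpus such as Pwned Passwords; counts are illustrative.
SAMPLE_BREACHED = {"123456": 23174662, "password": 3645804, "Donald": 1000}

PBKDF2_ROUNDS = 200_000  # assumed work factor for the password-history store


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the digest the range lookup is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_sample_ranges(breached: dict) -> dict:
    """Index the corpus the way a k-anonymity range service does:
    5-hex-char prefix -> lines of '<35-char suffix>:<count>'."""
    ranges = {}
    for pw, count in breached.items():
        digest = sha1_hex(pw)
        ranges.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return {prefix: "\r\n".join(lines) for prefix, lines in ranges.items()}


SAMPLE_RANGES = build_sample_ranges(SAMPLE_BREACHED)


def fetch_sample_range(prefix: str) -> str:
    """Offline stand-in for the range query (assumption). Only the 5-char
    prefix is sent, so the service learns neither the hash nor the password."""
    return SAMPLE_RANGES.get(prefix, "")


def breach_count(password: str, fetch_range=fetch_sample_range) -> int:
    """Return how often the password appears in the breach corpus (0 if never)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.partition(":")
        # constant-time compare of the suffix against each candidate in the range
        if candidate and hmac.compare_digest(candidate, suffix):
            return int(count)
    return 0


def hash_for_history(password: str, salt=None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256 entry for the password-history store, so
    old passwords are never kept in a reversible form."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches_history(password: str, history) -> bool:
    """True if the candidate equals any previously used password."""
    encoded = password.encode("utf-8")
    return any(
        hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", encoded, salt, PBKDF2_ROUNDS), digest)
        for salt, digest in history
    )


def vet_password(password: str, history, fetch_range=fetch_sample_range, min_length: int = 12) -> list:
    """Return the reasons to reject the password; an empty list means accepted."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    count = breach_count(password, fetch_range)
    if count:
        problems.append(f"found in {count} breached accounts")
    if matches_history(password, history):
        problems.append("matches a previously used password")
    return problems


def generate_password(length: int = 20) -> str:
    """Random password from the OS CSPRNG, as a password manager would generate."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    previous = [hash_for_history("correct horse battery staple")]
    for candidate in ("123456", "correct horse battery staple", generate_password()):
        print(candidate, "->", vet_password(candidate, previous) or "accepted")
```

In production the range lookup is an HTTPS request to the corpus provider and the history store holds the salted hashes of each user's last several passwords; the rest of the logic is unchanged.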

Many employees’ jobs require managing company login credentials to access vendors, customer portals, banks and industry resources. What happens when one of these employees leaves? If they are not using a company password manager, do you know all their passwords? How do you know they can’t use those credentials after they leave?

How to choose between password managers

CNET’s 2019 directory of password managers provides a number of options that cost between $12-$40 and are good choices for individuals. For businesses, however, password risk mitigation is a bit more complex.

Business-grade password managers offer administrative controls, authentication options and encryption that make it very difficult to crack the master password or the stored data. Some have identity management features that control access to corporate apps from the mobile devices of employees, customers and vendors. Others allow you to manage different accounts at different locations. A good IT security consultant can provide a full picture of how a company-wide password manager should be designed and implemented.

What do passwords have to do with car repairs?

The much-maligned password is like that knocking sound in your car. You don’t have time to deal with it, the sound won’t go away and eventually the car stops running. A password strategy is as risky to ignore as your business strategy. After all, you won’t need a business strategy if an attacker cracks a password and takes control of your IT systems. Then you will need a disaster recovery plan.

This is a guest post by Mike Cohn, CEO of Millersville-based Summit Business Technologies.
