OUR THOUGHTS ON:

Is Your Organization Failing Password Security Management?

Cybersecurity | Risk Advisory/Internal Audit

By Scott Walton

Your security team may be implementing high-cost, sophisticated measures in your organization, but the password, often the first factor of enterprise authentication, isn’t getting the attention it deserves. According to the LastPass 2018 Global Password Security Report, nearly half of the organizations participating in the study failed at password security management.

The larger the organization, of course, the harder it is to hold employees to security standards. Password sharing, weak passwords, and mixing security habits – like using the same passwords for personal and work accounts – are all factors that can contribute to bad password protection.

There are actions you can take. First, assess the current state of your organization’s password management by evaluating the required strength (password length, complexity, reuse policy) and security (duplicate passwords, weak passwords, shared passwords, multifactor authentication) of all passwords used on your network and applications.

Evaluate your organization’s password standards against best practice and determine whether your organization is actually maintaining those standards. Do not simply assume that the default standards that come with your software are at or above your organization’s standards. For example, the password “Fall2018” meets the Windows complexity requirements but is actually a weak password that can easily be guessed. Passwords like this should not be permitted for anyone. Blacklisting passwords is a very effective method of restricting the use of common and weak passwords and, in turn, strengthening your security. Various software solutions can be implemented to systematically blacklist such passwords and prevent them from being used.

Next, go back to the basics so you don’t feel you have to rely on expensive, sophisticated measures. Strong password security starts with requiring an appropriate length: the standard should be a minimum of 12-16 characters, incorporating multiple levels of complexity (upper and lower case, numeric, special characters). Multifactor authentication is a must. It is easier than ever to implement, and the security it provides is well worth the cost.
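To turn the assessment steps above into something you can run, here is an added example in Python (written for this page, not code from the article or from any vendor product). It approximates the Windows complexity rule so you can see that “Fall2018” passes it, then applies the stricter policy recommended here (a 12-character minimum, a blacklist of base words, and season/month + year patterns) and flags accounts that share a password. The blacklist, pattern list and sample accounts are constructed, and the Windows rule is an approximation of the real setting.

```python
import hashlib
import re
from collections import defaultdict

# Constructed approximation of the Windows "password must meet complexity
# requirements" setting: at least six characters, must not contain the account
# name, and must use at least three of four character classes. (Assumption for
# this example; the real rule also counts Unicode and display-name parts.)
def meets_windows_complexity(password: str, username: str = "") -> bool:
    if len(password) < 6:
        return False
    if username and username.lower() in password.lower():
        return False
    classes = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return sum(classes) >= 3

# Constructed blacklist of weak base words. A real deployment loads a much
# larger list (for example, leaked-password corpora) rather than this handful.
BLACKLIST = {"password", "welcome", "letmein", "qwerty", "company",
             "spring", "summer", "fall", "autumn", "winter"}

# Common substitutions, undone so that "P@ssw0rd" is recognised as "password".
LEET = {"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "!": "i"}

# Season/month + year shapes satisfy complexity rules yet are among the first
# guesses an attacker tries, so the policy rejects them outright.
WEAK_PATTERNS = [
    re.compile(r"^(spring|summer|fall|autumn|winter)[^a-z]*\d{2,4}[^a-z0-9]{0,2}$", re.I),
    re.compile(r"^(jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)[a-z]*\d{2,4}[^a-z0-9]{0,2}$", re.I),
]

def base_words(password: str) -> set:
    """Candidate base words: letters only, both with and without substitutions undone."""
    raw = re.sub(r"[^a-z]", "", password.lower())
    unleet = "".join(LEET.get(c, c) for c in password.lower())
    return {raw, re.sub(r"[^a-z]", "", unleet)}

def check_policy(password: str, username: str = "", min_length: int = 12) -> list:
    """Return the list of policy failures; an empty list means the password is acceptable."""
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if not meets_windows_complexity(password, username):
        failures.append("fails complexity (three of four character classes)")
    hits = base_words(password) & BLACKLIST
    if hits:
        failures.append(f"base word {sorted(hits)[0]!r} is blacklisted")
    if any(p.match(password) for p in WEAK_PATTERNS):
        failures.append("matches a season/month + year pattern")
    return failures

def find_reused(accounts: dict) -> list:
    """Group accounts that share a password. Grouping is done on a SHA-256
    digest so the clear-text values need not be kept around during the audit
    (the constructed sample input below is clear-text for illustration)."""
    by_digest = defaultdict(list)
    for user, password in accounts.items():
        by_digest[hashlib.sha256(password.encode()).hexdigest()].append(user)
    return sorted(users for users in by_digest.values() if len(users) > 1)

# Constructed sample data for the audit.
SAMPLE_ACCOUNTS = {
    "alice": "Fall2018",
    "bob": "Fall2018",
    "carol": "My2016Must@ngIsR3D.",
}

if __name__ == "__main__":
    for user, pw in SAMPLE_ACCOUNTS.items():
        print(user, "windows-complexity:", meets_windows_complexity(pw, user),
              "policy failures:", check_policy(pw, user) or "none")
    print("accounts sharing a password:", find_reused(SAMPLE_ACCOUNTS))
```

Running the block shows the gap the article describes: “Fall2018” satisfies the Windows rule but fails the stricter policy on three counts, and the reuse check reports that alice and bob share it.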

Good password security requires strong settings for all the password attributes available. For example, if an online account you have set up stores your password in an encrypted manner, you may think your passwords are safe. But when passwords are stolen from a breached organization, cyber-criminals take the encrypted passwords and attempt to “crack” them with powerful computers, trying to recover your actual clear-text password so they can use it. The longer and more complex your password is, the harder it is to recover it from its encrypted, protected state. So the effectiveness of storing passwords in an encrypted state relies heavily on the strength of the password itself.

Here are a few tips for creating a long and complex password that you can remember and that will be more secure. First, forget the old concept of a single word with a couple of numbers or symbols appended and shift to a passphrase! A passphrase combines multiple words (with some numbers and symbols mixed in) to create a long password. Do not use famous quotes from songs, books, etc. Use words that may only make sense to you and mix in some symbols and numbers. For example, “FordMustang” may not be a dictionary word, but it is a proper noun that is easily guessed. Instead, you might try “My2016Must@ngIsR3D.” This passphrase is much more difficult to crack than the password “FordMustang” using today’s hacker tools.
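To make the cracking argument of the last two paragraphs concrete, here is an added Python example (my own, not the article’s code) that models an attacker who tries dictionary words, years and common letter substitutions before falling back to brute force, estimates how many guesses each of the two passwords above would cost under that model, converts the count into time at two assumed guess rates, and stores and verifies a password with a salted, iterated hash (PBKDF2 from the standard library), which is how the “encrypted” storage described above is normally implemented. The word list, dictionary size, guess rates and iteration count are constructed assumptions, and the model is a deliberately small cousin of estimators such as zxcvbn.

```python
import hashlib
import hmac
import os

# Constructed word list standing in for an attacker's dictionary; a real
# cracking wordlist has millions of entries (assumption for this example).
WORDS = {"ford", "mustang", "must", "my", "is", "red", "fall",
         "password", "welcome", "summer"}
DICT_SIZE = 30_000   # assumed effective dictionary size per word guessed
LEET = {"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "!": "i"}

def unleet(s: str) -> str:
    return "".join(LEET.get(c, c) for c in s)

def _word_guesses(sub: str):
    """Guesses to find `sub` as a (possibly substituted) dictionary word, else None."""
    plain = unleet(sub)
    if not plain.isalpha() or plain.lower() not in WORDS:
        return None
    guesses = DICT_SIZE
    if plain.istitle() or plain.isupper():
        guesses *= 2                                   # capitalised variant as well
    elif not plain.islower():
        guesses *= 2 ** sum(c.isupper() for c in plain)
    guesses *= 2 ** sum(c in LEET for c in sub)        # each substitution doubles the variants
    return guesses

def _char_guesses(c: str) -> int:
    if c.isalpha():
        return 26
    if c.isdigit():
        return 10
    return 33                                          # printable symbols

def _match_guesses(sub: str):
    """Cheapest way to guess this substring as a single token, or None if it is not one."""
    if sub.isdigit() and len(sub) == 4 and 1900 <= int(sub) <= 2030:
        return 131                                     # a year is one of ~131 candidates
    if sub.isdigit():
        return 10 ** len(sub)
    w = _word_guesses(sub)
    if w is not None:
        return w
    if len(sub) == 1:
        return _char_guesses(sub)
    return None

def estimate_guesses(password: str) -> int:
    """Minimum guesses under the model: split into tokens and multiply the per-token cost.
    Dynamic programme over split points, so the attacker's best segmentation is chosen."""
    n = len(password)
    best = [None] * (n + 1)
    best[0] = 1
    for i in range(n):
        if best[i] is None:
            continue
        for j in range(i + 1, n + 1):
            g = _match_guesses(password[i:j])
            if g is None:
                continue
            cand = best[i] * g
            if best[j] is None or cand < best[j]:
                best[j] = cand
    return best[n]

# Constructed attacker models (assumptions): an unsalted fast hash lets a GPU rig
# try roughly 1e10 guesses per second; a slow KDF brings that down to about 1e5.
FAST_HASH_RATE = 1e10
SLOW_KDF_RATE = 1e5

def crack_seconds(password: str, guesses_per_second: float) -> float:
    return estimate_guesses(password) / guesses_per_second

def hash_password(password: str, iterations: int = 100_000) -> str:
    """Salted PBKDF2-SHA256; production should use a higher, currently recommended count."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)   # constant-time comparison

if __name__ == "__main__":
    for pw in ("FordMustang", "My2016Must@ngIsR3D."):
        g = estimate_guesses(pw)
        print(f"{pw!r}: ~{g:.2e} guesses; {crack_seconds(pw, FAST_HASH_RATE):.2e}s at 1e10/s, "
              f"{crack_seconds(pw, SLOW_KDF_RATE):.2e}s at 1e5/s")
    stored = hash_password("My2016Must@ngIsR3D.")
    print("verify correct:", verify_password("My2016Must@ngIsR3D.", stored),
          "verify wrong:", verify_password("FordMustang", stored))
```

Under this model “FordMustang” costs two dictionary lookups (about 3.6 billion guesses, seconds against a fast unsalted hash) while the passphrase costs hundreds of millions of times more, and the slow KDF multiplies both by a further factor. The two levers a defender controls are exactly the ones the article names: the strength of the password and the cost of the stored form.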

At Schneider Downs, we practice strong password security management and require all our employees to follow standards. Please reach out to us if you have any questions about your password security management. We offer assessments of your current practices or can conduct a password security audit to evaluate the effectiveness of your controls.


© 2019 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.
