We got three of our team members together for a discussion on this week’s technology topic. James Harrell, Kyle Kelley, and Cody Muncy gave us their insight and expertise on why employees and their use of passwords can be one of the weakest links in your system.
James, Kyle, and Cody explained that, from a password perspective, weak links come from several different directions. The simplest way a password becomes a weak link is an attacker simply guessing it. It sounds far-fetched that someone could guess a password outright, right? Wrong. People so often build passwords from events in their life, important dates, or parts of their own name that the password can be guessed or discovered in a handful of tries.
Alongside easily guessed passwords is the mistake of using the same password on multiple systems. One of the biggest password risks is using the same password on personal accounts, such as Facebook or Amazon, that you use on your company’s systems. Weekly, if not more often, you hear about some website having a data breach. When that happens, the attackers typically walk away with a copy of every password in the system in scrambled (hashed) form. There are tools that unscramble those hashes by guessing, and weak or predictable passwords are recovered quickly. At that point the attacker knows not only what the person’s password is but also what it looks like scrambled in other common systems, and can try it anywhere that person has an account. So if you use the same password on Facebook that you use on your business account, and Facebook has a data breach, the attacker can use that password to log into one of your business systems.
Another common way for passwords to become a weak link is phishing. It comes in a plethora of forms, one of them being an email that sends you to a fraudulent site where you are asked for your credentials. If you enter them, the attacker now knows your password and has access to whatever it protects.
Two other methods James talked about in our round-table discussion are mask and substitution attacks. A mask attack takes information the attacker already knows about you, such as dates and names, fixes it in place, and only has to work out the remainder of the password. Similarly, a substitution attack takes passwords you have already used (for example, one recovered from an older breach) and applies the small changes people typically make, such as swapping letters for look-alike characters or bumping a trailing number. Both methods hand the attacker a portion of the password for free; if they know half of it, they can spin through the rest much faster.
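The two paragraphs above (a breach dump being cracked and then reused elsewhere, and the mask and substitution methods James described) can be put together in one runnable picture. The following is an added example written for this page, not code from The IT Company or from the round-table; every name, password, profile detail and hash in it is constructed, and the "breached site" is simulated in-process so the script runs offline. It shows a targeted guessing run against unsalted SHA-256 hashes (what a real dump often contains), then replays each recovered password against a separately stored, properly salted PBKDF2 account database to show that good storage on the company side does not save a reused password.

```python
import hashlib
import os

# Constructed data for this example: names, passwords and hashes are invented.
# The "breached site" stored unsalted SHA-256, a weak but still common choice,
# so the attacker can hash a guess once and compare it against every user.
def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()

BREACHED_SITE = {   # username -> leaked hash (the attacker only sees this side)
    "emily": sha256_hex("Emily2019!"),
    "cody": sha256_hex("summer19"),
    "kyle": sha256_hex("x7#Qm!v2Lp9z"),
}

# What the attacker already knows: names and dates from social media, plus an
# old password per victim recovered from an earlier breach (all constructed).
PROFILES = {
    "emily": {"words": ["emily", "harrell"], "years": ["1988", "2019", "2020"], "old": "Emily2018"},
    "cody": {"words": ["cody", "buster"], "years": ["1990", "2019"], "old": "summer18"},
    "kyle": {"words": ["kyle", "kelley"], "years": ["1985", "2019"], "old": "Kelley85"},
}

LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})


def mask_candidates(profile):
    """Mask attack: fix the known parts (a name, a year) in position and
    enumerate only the unknown remainder (letter case, a trailing symbol)."""
    for word in profile["words"]:
        for cased in (word, word.capitalize(), word.upper()):
            for year in profile["years"]:
                for suffix in ("", "!", "#", "1"):
                    yield f"{cased}{year}{suffix}"


def substitution_candidates(profile):
    """Substitution (rule) attack: mutate a password already known for the
    victim the way people do when told to 'change' it."""
    old = profile["old"]
    yield old
    yield old.capitalize()
    yield old.translate(LEET)          # summer18 -> $umm3r18
    yield old + "!"
    if old[-1].isdigit():              # summer18 -> summer19
        yield old[:-1] + str((int(old[-1]) + 1) % 10)


def crack(dump, profiles):
    """Run both candidate generators against each leaked hash.
    Returns username -> (recovered plaintext, attack that found it)."""
    recovered = {}
    for user, leaked in dump.items():
        for attack, gen in (("mask", mask_candidates), ("substitution", substitution_candidates)):
            hit = next((c for c in gen(profiles[user]) if sha256_hex(c) == leaked), None)
            if hit is not None:
                recovered[user] = (hit, attack)
                break
    return recovered


# The company VPN does it right (random salt, slow PBKDF2), which defeats the
# offline guessing above but not a password the user reused from the breached site.
ITERATIONS = 100_000

def store(password):
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def verify(record, password):
    salt, digest = record
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS) == digest

COMPANY_VPN = {
    "emily": store("Emily2019!"),    # reused from the breached site
    "cody": store("Gx4!r#Tq8wLm"),   # unique, generated by a password manager
    "kyle": store("x7#Qm!v2Lp9z"),   # reused, but it was never cracked
}


def credential_stuffing(recovered, target):
    """Replay each recovered password against the company system."""
    return {user: verify(target[user], pw) for user, (pw, _) in recovered.items()}


if __name__ == "__main__":
    hits = crack(BREACHED_SITE, PROFILES)
    print("recovered from breach:", hits)
    print("logins on company VPN:", credential_stuffing(hits, COMPANY_VPN))
```

Emily's password falls to the mask (her name plus a year plus one symbol), Cody's to a single-digit bump of a password he had already used, and Kyle's random password survives both. Only Emily's reuse turns the breach into a company login; the same password on the company side, even hashed properly, is the whole problem.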
With all of these different ways attackers can use your passwords against you, it is important to protect yourself and your company. At a minimum, companies should require passwords of at least 8 characters containing symbols, numbers, and letters, and should reject any password that contains part of the employee’s name or birthdate. It has also been suggested to require a change every 90 days. However, there is often pushback that employees can’t remember a new password that often, so they change only one character of the old password. That makes the rotation far less effective, and that is where the weak link often comes in. Current NIST guidance (SP 800-63B) reflects exactly this experience: it advises against forcing periodic changes unless there is evidence of compromise, favors longer passwords over complex composition rules, and recommends screening new passwords against lists of known-breached passwords. At a bare minimum, keep your personal passwords different from your passwords for company systems. From a safety perspective, it is best to have a different password for every system you use.
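The policy described above is mostly mechanical and can be enforced at the point where a user sets a new password. The following checker is an added example written for this page, not code from The IT Company; the employee record is constructed, and the thresholds (8 characters, an edit distance of at least 3 from the previous password) are assumptions chosen to match the text. Besides the length, character-mix and name/birthdate rules, it catches the "I changed one character" workaround by measuring how far the new password is from the old one.

```python
import re
from datetime import date

# Constructed employee record for the example.
EMPLOYEE = {"first": "Emily", "last": "Harrell", "birthdate": date(1988, 3, 14)}


def levenshtein(a, b):
    """Edit distance: how many single-character changes turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def personal_fragments(employee):
    """Strings derived from the employee's name and birthdate that a targeted
    guesser tries first, and that a new password therefore must not contain.
    Fragments shorter than three characters are dropped to avoid false positives."""
    d = employee["birthdate"]
    frags = {
        employee["first"].lower(), employee["last"].lower(),
        str(d.year),
        f"{d.month:02d}{d.day:02d}", f"{d.day:02d}{d.month:02d}",
        f"{d.month:02d}{d.day:02d}{d.year}", f"{d.day:02d}{d.month:02d}{d.year}",
    }
    return {f for f in frags if len(f) >= 3}


def check_password(new, old, employee, min_length=8, min_distance=3):
    """Return the list of policy violations for a proposed password
    (an empty list means it is accepted). `old` may be None for a first password."""
    problems = []
    if len(new) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not (re.search(r"[A-Za-z]", new) and re.search(r"\d", new)
            and re.search(r"[^A-Za-z0-9]", new)):
        problems.append("must mix letters, numbers and symbols")
    lowered = new.lower()
    for frag in sorted(personal_fragments(employee)):
        if frag in lowered:
            problems.append(f"contains personal information ({frag})")
    # The one-character-changed workaround: compare case-insensitively so that
    # "Winter2018!" -> "winter2019!" is still caught.
    if old is not None and levenshtein(lowered, old.lower()) < min_distance:
        problems.append("differs from the previous password by fewer than "
                        f"{min_distance} characters")
    return problems


if __name__ == "__main__":
    for candidate, previous in [("Emily2019!", None), ("Winter2019!", "Winter2018!"),
                                ("Tr0ub4dor&3", "Winter2018!")]:
        print(candidate, "->", check_password(candidate, previous, EMPLOYEE) or "accepted")
```

In a real system the previous password is only available at change time (the user has just typed it to authenticate), which is exactly when this comparison should run; you cannot compare against a stored hash. A breached-password screen, which NIST recommends, would be one more entry in the returned list.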
To keep a different password for every site, a lot of us at The IT Company use a password manager, typically installed as a browser extension or app. The manager stores every password in an encrypted vault, and one big, strong master password protects the vault itself, so that is the only password you actually have to remember. We also use two-factor authentication, so logging in requires not only the password but also the user’s phone to authenticate the access.
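The "you also need the user's phone" part works because the phone and the server share a secret and both compute the same time-based code (TOTP, RFC 6238). The following is an added example for this page, not The IT Company's setup or any vendor's code: it implements both sides of that exchange with the standard library and a login that demands both factors. The shared secret is the published RFC 4226/6238 test-vector key so the codes can be checked against known values; a real enrollment generates a fresh random secret per user. The account record and password are constructed.

```python
import hashlib
import hmac
import os
import struct
import time

# RFC 4226/6238 test-vector key, used here so the codes are verifiable.
# In production: os.urandom(20) per user, shared once with the phone app.
SHARED_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """HMAC-based one-time password (RFC 4226): MAC the counter, take 31 bits
    at a position chosen by the MAC's last nibble, reduce to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret, at=None, step=30, digits=6):
    """Time-based variant (RFC 6238): the counter is the current 30-second slot.
    This is what the phone app computes and displays."""
    now = int(time.time()) if at is None else int(at)
    return hotp(secret, now // step, digits)


def verify_totp(secret, submitted, at=None, step=30, window=1):
    """Server side: accept the current slot plus `window` slots either side to
    tolerate clock drift between phone and server; compare in constant time."""
    now = int(time.time()) if at is None else int(at)
    slot = now // step
    return any(hmac.compare_digest(hotp(secret, slot + d), submitted)
               for d in range(-window, window + 1))


def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = os.urandom(16)
USERS = {   # constructed account: salted password hash plus the phone's enrolled secret
    "emily": {"salt": _SALT, "hash": _pbkdf2("Emily2019!", _SALT), "totp_secret": SHARED_SECRET},
}


def login(users, username, password, code, at=None):
    """Both factors must pass: something known (the password) and something
    possessed (the phone holding the TOTP secret). A password stolen by
    phishing or recovered from a breach is not enough on its own."""
    user = users.get(username)
    if user is None:
        return False
    password_ok = hmac.compare_digest(_pbkdf2(password, user["salt"]), user["hash"])
    code_ok = verify_totp(user["totp_secret"], code, at=at)
    return password_ok and code_ok


if __name__ == "__main__":
    phone_code = totp(SHARED_SECRET)          # what the user reads off the app
    print("phone shows:", phone_code)
    print("password + phone:", login(USERS, "emily", "Emily2019!", phone_code))
    print("password only:", login(USERS, "emily", "Emily2019!", "000000"))
```

Note what the phishing paragraph earlier implies for this design: a fake site that asks for the password and the current code can still replay both within the same 30-second window, so TOTP raises the bar rather than closing phishing entirely. Phishing-resistant factors (hardware keys, platform passkeys) close that gap; TOTP is still a large improvement over a password alone.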
At the end of the day, the best way to protect your company is to educate your employees. Explain to users why a rule matters rather than just saying “hey, do this”; people are more receptive when they understand the reasoning behind something. Another way to make this stick is to make training not just specific to business but something that relates to their own life. People often care more about protecting their bank account or their home loan than about protecting the company. By emphasizing how it affects their personal life, the habits carry over to how they handle their business life.
Passwords can easily become a weak link in your company’s systems. But by taking the necessary precautions and educating people, they can also be something that protects your company’s information well.