POOR PASSWORDS JUST WON’T HACK IT
Any idea what’s the average number of website logins that someone in your organisation might have? The answer? 25 apparently. Impressive. What isn’t such good news, though, is that most people use just 6.5 passwords to protect them, each of which is shared across 3.9 different sites, according to the same landmark study, ‘A Large Scale Study of Web Password Habits’ (https://research.microsoft.com/pubs/74164/www2007.pdf). It’s convenient, yes, but far from insecure. And, if your employees are that careless about keeping themselves safe, what impact might it be having on your business when they’re logging in at work?
You should really ensure that they use different passwords for all their logins, at all times. That way, you can avoid the situation where the domino effect kicks in – e.g., of one site being compromised, leading to more being accessed with the same credentials and we know that many people really do reuse passwords across multiple sites.
But is that enough? No, it isn’t. You may feel that simply having different passwords amounts to a stout defence against hack attacks. However, a determined hacker will soon crack through your code, if it isn’t extremely resilient. How do they do it? They use various techniques, including lists of already known passwords, dictionary words, personal information etc.
If you want to guard against being easily cracked, your passwords – and, for company exes, those of your workforce –should, ideally, be a random string of lowercase, uppercase, digits and symbols – to force the hacker into a ‘brute force’ attempt – and also one that is as long as is practicable, in order to increase the number of possible permutations. Of course, nothing is 100% secure, given enough time and money; the aim is to make your passwords so hard to crack that it isn’t worth the hackers’ time and effort. A 25-character password, for example, which uses lowercase, uppercase, digits and symbols contains so many permutations that even a supercomputer using a brute force attack to make millions of guesses a second would still take millions of years to work through every permutation. These types of password are key to good network security.
What you most certainly want to avoid within your organisation is the popular, yet problematic, solution of people writing complex passwords down, storing them in spread sheets, within the notes on a phone, emailing reminders or relying on the browser to remember them. While these are often adopted because of their convenience, they are innately insecure.
So, what can you/your employees do to easily create and remember strong passwords that are different for all sites? Traditional on-premise, two-factor authentication (2FA) solutions have generally been too costly for organisations to deploy universally across their operations. But there is another way – without turning yourself into Memory Man or Woman. And it’s a solution that also obviates the significant investment required to purchase, implement and manage 2FA (two factor authentication) in-house, which has often compelled organisations to pick and choose isolated areas of their businesses to secure.
Symantec’s Validation and ID Protection Service is cloud based, and enables you to defend your sensitive networks, applications and data against unauthorised access with a two-factor authentication solution, and a variety of supported 2FA credentials, ranging from security hardware tokens to software-generated credentials.
So, for stronger passwords and unified sign-on solutions, check out Symantec’s Validation and ID Protection (VIP) Service and for more information on website security download the Symantec website security threat report