A word about passwords


used with permission from FTC Business Center Blog
by Lesley Fair

On the old game show “Password,” the host whispered a word to contestants, who then gave clues to celebrities. The first to guess correctly advanced to the Lightning Round. The loser went home with a year’s supply of car wax.

The legacy of “Password” lives on, but in the 21st century version, hackers use tidbits they know about your employees to guess their passwords. The winner gets the grand prize: access to the information on your system. What can you do to help send hackers home with the car wax? There’s no one-size-fits-all approach to password security, but here are some easy-to-implement suggestions.

There’s one in every crowd. Employees are more attuned to security these days, but a walk around your office is still likely to yield a staffer or two with passwords readily visible on their desks. Fraudsters look for the low-hanging fruit. If you spot a sticky note on a colleague’s computer, speak up about this obvious vulnerability.

The better password isn’t a word at all. Up there with “password” and “qwerty” in the Hack Me Hall of Fame are passwords that are short common terms like team names, dog breeds, dates, and other easy-to-guess options. They’re risky on two fronts. First, an up-to-no-good insider will take one look at the screensaver of your adorable sheepdog Ralphie and immediately try “sheepdog” and “Ralphie.” Second, common words are particularly susceptible to dictionary attacks, the tech equivalent of the million monkeys at a million typewriters that systematically try every conceivable word until they hit pay dirt. When creating passwords, remind your employees to skip those obvious choices. This is one time when good spelling can lead to bad results.

If at first you don’t succeed. One defense against dictionary attacks is to limit the number of unsuccessful access attempts allowed before a user is locked out. Among the allegations in some FTC data security cases is that companies gave unlimited bites of the apple to people trying to get into the admin side of their system. It’s reasonable that an accidental CAPS LOCK or a typo or two will result in a “try again” prompt, but at some point, security-conscious companies configure their systems to say “Enough!”
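Here is what that “Enough!” looks like in code. This is an added example written for this page, not code from the FTC or from eMazzanti; the threshold of five failures and the fifteen-minute timed lockout are assumed defaults, and the login log it replays is constructed. Note that while an account is locked, even the correct password is refused, so an attacker cannot use the lockout as a hint that a guess was right.

```python
import time
from dataclasses import dataclass, field


@dataclass
class LoginThrottle:
    """Counts failed logins per account and locks the account after too many.

    A timed lockout (rather than a permanent one) is used so that an attacker
    who deliberately fails logins cannot lock legitimate users out forever.
    """

    max_failures: int = 5            # assumed default: five wrong tries
    lockout_seconds: float = 900.0   # assumed default: fifteen minutes
    _failures: dict = field(default_factory=dict)      # username -> consecutive failures
    _locked_until: dict = field(default_factory=dict)  # username -> unix time lock expires

    def attempt(self, username: str, password_ok: bool, now: float = None) -> str:
        """Process one login attempt and return "ok", "try again" or "locked"."""
        now = time.time() if now is None else now

        # Check the lock first: a locked account rejects every attempt, right
        # password included, until the lockout window has passed.
        if now < self._locked_until.get(username, 0.0):
            return "locked"

        if password_ok:
            # A successful login clears the failure counter (the CAPS LOCK case).
            self._failures.pop(username, None)
            return "ok"

        count = self._failures.get(username, 0) + 1
        self._failures[username] = count
        if count >= self.max_failures:
            self._locked_until[username] = now + self.lockout_seconds
            self._failures.pop(username, None)
            return "locked"
        return "try again"


def replay(log, max_failures=5, lockout_seconds=900.0):
    """Replay (username, password_ok, timestamp) records and return the decisions."""
    throttle = LoginThrottle(max_failures=max_failures, lockout_seconds=lockout_seconds)
    return [throttle.attempt(user, ok, now=ts) for user, ok, ts in log]


# Constructed sample: repeated guesses at an admin account, then the real
# administrator arriving during and after the lockout window.
SAMPLE_LOG = [
    ("admin", False, 0),    # typo
    ("admin", False, 1),    # another typo
    ("admin", False, 2),    # third failure -> locked (with max_failures=3)
    ("admin", True, 3),     # correct password, but still inside the lockout
    ("admin", True, 63),    # lockout expired, login succeeds
    ("admin", False, 64),   # counter was reset by the success
]

if __name__ == "__main__":
    for record, decision in zip(SAMPLE_LOG, replay(SAMPLE_LOG, max_failures=3, lockout_seconds=60)):
        print(record, "->", decision)
```

The decisions are what a reviewer would want to see in an access log: the first failures get a “try again,” the lock takes effect on the threshold, and the counter starts over only after a genuine success.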

Bypass passwords and encourage passphrases. Longer passwords are better, of course, but they can be harder to remember. So how can businesses balance security and practicality? Consider the passphrase as an alternative. Hackers aren’t likely to guess a nonsense word like “iwtraranaped,” but the guy in the next office who plays in a Kiss cover band on weekends will instantly remember “I want to rock and roll all night and party every day.” Careful companies layer in mandatory numbers, symbols, or cases, making “iW2r+ran+ped!” an even stronger option. If your business requires employees to change passwords periodically, the Ace Frehley wannabe can simply move on to the next line of the song. (We won’t regale you.)
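The two points above, that short common words fall to dictionary attacks and that a passphrase initialism with mixed character classes does not, can be turned into a simple policy check. The following is an added example written for this page, not code from the FTC or from eMazzanti. The COMMON_WORDS set is a constructed stand-in for the much larger breached-password list a real deployment would load, and the twelve-character minimum and three-class rule are assumptions, not FTC requirements.

```python
import re

# Constructed stand-in for a real common-word / breached-password list. It holds
# the post's own examples ("password", "qwerty", the sheepdog and Ralphie) plus a
# few of the usual suspects.
COMMON_WORDS = {"password", "qwerty", "sheepdog", "ralphie", "123456", "letmein"}

MIN_LENGTH = 12          # assumed policy value
MIN_CHAR_CLASSES = 3     # assumed policy value: e.g. lower + upper + digit


def stem(candidate: str) -> str:
    """Strip digits and symbols from the ends so "Ralphie2014!" is checked as "ralphie".

    A dictionary attack tries exactly these decorations, so a common word with a
    number or punctuation tacked on is still a common word.
    """
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", candidate.lower())


def character_classes(candidate: str) -> int:
    """Count how many of lowercase, uppercase, digit and symbol appear."""
    patterns = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    return sum(1 for p in patterns if re.search(p, candidate))


def policy_failures(candidate: str) -> list:
    """Return every reason the candidate fails the policy (empty list means it passes)."""
    failures = []
    if len(candidate) < MIN_LENGTH:
        failures.append("too short")
    if stem(candidate) in COMMON_WORDS:
        failures.append("common word")
    if character_classes(candidate) < MIN_CHAR_CLASSES:
        failures.append("fewer than three character classes")
    return failures


if __name__ == "__main__":
    # The post's own examples, from the Hack Me Hall of Fame to the Kiss lyric.
    for pw in ("sheepdog", "Ralphie2014!", "iwtraranaped", "iW2r+ran+ped!"):
        verdict = policy_failures(pw) or ["passes"]
        print(f"{pw!r}: {', '.join(verdict)}")
```

“sheepdog” fails on every count; “Ralphie2014!” has enough length and variety but its stem is still the dog’s name; the bare initialism “iwtraranaped” is long enough and not a dictionary word but uses only lowercase; “iW2r+ran+ped!” clears all three checks.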

Consider subjective security questions. Remembering multiple passwords can be difficult for employees, so some companies use security questions to start the reset process. But the common questions companies ask – What’s your mother’s maiden name? In what city were you born? – may be easy to ascertain from public records. For other popular questions – What color was your first car? What was your high school mascot? – the universe of options is small, making lucky guesses more likely. The wiser choice is a subjective question with a broad range of possible answers that require more than just a single word.

Looking for tips on creating a more secure workplace? The FTC has a suite of resources aimed at businesses of all sizes. The latest addition, Start with Security, focuses on practical lessons learned from the FTC’s 53 data security settlements, including cases where security glitches were traced to questionable password practices.
