used with permission from FTC Business Center Blog
by Lesley Fair
On the old game show “Password,” the host whispered a word to contestants, who then gave clues to celebrities. The first to guess correctly advanced to the Lighting Round. The loser went home with a year’s supply of car wax.
The legacy of “Password” lives on, but in the 21st century version, hackers use tidbits they know about your employees to guess their passwords. The winner gets the grand prize: access to the information on your system. What can you do to help send hackers home with the car wax? There’s no one-size-fits-all approach to password security, but here are some easy-to-implement suggestions.
There’s one in every crowd. Employees are more attuned to security these days, but a walk around your office is still likely to yield a staffer or two with passwords readily visible on their desks. Fraudsters look for the low-hanging fruit. If you spot a sticky note on a colleague’s computer, speak up about this obvious vulnerability.
The better password isn’t a word at all. Up there with “password” and “qwerty” in the Hack Me Hall of Fame are passwords that are short common terms like team names, dog breeds, dates, and other easy-to-guess options. They’re risky on two fronts. First, an up-to-no-good insider will take one look at the screensaver of your adorable sheepdog Ralphie and immediately try “sheepdog” and “Ralphie.” Second, common words are particularly susceptible to dictionary attacks, the tech equivalent of the million monkeys at a million typewriters that systematically try every conceivable word until they hit pay dirt. When creating passwords, remind your employees to skip those obvious choices. This is one time when good spelling can lead to bad results.
If at first you don’t succeed. One defense to dictionary attacks is to limit unsuccessful access attempts before locking a user out. Among the allegations in some FTC data security cases is that companies gave unlimited bites of the apple to people trying to get into the admin side of their system. It’s reasonable that an accidental CAPS LOCK or a typo or two will result in a “try again” prompt, but at some point, security-conscious companies configure their systems to say “Enough!”
Bypass passwords and encourage passphrases. Longer passwords are better, of course, but they can be harder to remember. So how can businesses balance security and practicality? Consider the passphrase as an alternative. Hackers aren’t likely to guess a nonsense word like “iwtraranaped,” but the guy in the next office who plays in a Kiss cover band on weekends will instantly remember “I want to rock and roll all night and party every day.” Careful companies layer in mandatory numbers, symbols, or cases, making “iW2r+ran+ped!” an even stronger option. If your business requires employees to change passwords periodically, the Ace Frehley wannabe can simply move on to the next line of the song. (We won’t regale you.)
Consider subjective security questions. Remembering multiple passwords can be difficult for employees, so some companies use security questions to start the reset process. But the common questions companies ask – What’s your mother’s maiden name? In what city were you born? – may be easy to ascertain from public records. For other popular questions – What color was your first car? What was your high school mascot? – the universe of options is small, making lucky guesses more likely. The wiser choice is a subjective question with a broad range of possible answers that require more than just a single word.
Looking for tips on creating a more secure workplace? The FTC has a suite of resources aimed at businesses of all sizes. The latest addition, Start with Security, focuses on practical lessons learned from the FTC’s 53 data security settlements, including cases where security glitches were traced to questionable password practices.
