Sometimes it is the simplest or most obvious things that can be easily overlooked or taken for granted in life. The IT space is no different and many of the most basic elements, like password management, can often times be overlooked. While it’s not the sexiest of topics, passwords are something we use everyday and should be at the forefront of any security plan.
Passwords are the first line of defense against malicious activities in the digital space. We hear all the time about the importance of strong passwords, and many websites or software require certain password criteria that force them to be difficult to guess. However, the actual execution of these recommended practices is often lacking. The trouble usually lies with the end user who doesn’t take care of their passwords or doesn’t make them difficult enough. As a managed services provider, it is imperative to ensure that your clients are employing some simple, yet highly effective tactics to keep the bad guys out of their information and IT systems.
Before we look at the techniques to prevent hackers from gaining access to private information, let’s take a quick look at the most common means these folks use to crack the password code and get the proverbial “keys to the kingdom.”
- Guessing – Some people think that no one could ever “guess” their password at random, but hackers are much more sophisticated than that. This technique is not simply sitting in front of a screen and typing many different combinations. First, the hacker finds personal information online and then uses sophisticated programs to help ‘guess’ how that personal identification can be turned into a password.
- Dictionary-based attacks – Programs run names and other information against every word in the dictionary.
- Brute force attacks – Just like it sounds. By simply running all combinations of keystrokes with a user name, passwords are discovered all the time.
- Phishing – Beware of Phishing schemes! These scams try to lure you in with fake offers then track your keystrokes in order to steal private information. If the email or IM request looks odd, ignore it and please don’t click on anything. The trouble is that people are oftentimes tricked into giving away valuable data without even knowing.
- Shoulder surfing – Not all hackers are technical whizzes. Shoulder surfers try to catch you entering a password in a public place like a coffee shop or even at a gas station (debit card PINs are vulnerable).
Password Security Tips
So what is the MSP or client company to do? Educate employees on strong password practices. There is simply no-way to guarantee a bulletproof password. If someone wants something bad enough and is smart enough they can figure out what they need to do to get it. Most are not that patient though so any deterrents are usually enough to make them give up and find an easier target.
Some best practices to be teaching customers and employees include:
- Make sure password length is at least 8 characters
- Don’t use real words
- Use both upper and lower case characters
- Include numbers and special symbols when allowed
- Don’t use personal data
- Make patterns random and not sequential or ‘ordered’
Don’t get lazy when it comes to your passwords. Take the extra time to think of something creative, complex and something only you would remember. Here are some of the web’s most common passwords – and what they say about you as a person.
What else can be done? Here are some “do’s” and “don’ts” for password safety.
- Create different passwords for different accounts and applications. If you create only one password for everything you do online, you are exposing yourself unnecessarily. Sure it’s easier to use one but it provides more chances for someone to figure your password out, and if they do, gives them a great starting point for accessing other personal data of yours.
- Keep corporate and personal passwords separate.
- Change your passwords often (ideally every month)
- Always log off your computer or lock it when you leave it for any period of time
Now some don’ts
- Don’t write passwords down or store then in the office
- Don’t store passwords on any device
- Don’t give passwords in emails or IMs
- Don’t give your manager your password
- Don’t discuss passwords with others
- Don’t use remember password function in applications
- Don’t use the “it’s easy to type’ rule (like asdfjkl;) since that will be easier for a lurker to see what you typed
After reading this, I’m sure you feel like you have some work to do. It’s never too early to start utilizing these recommended practices and you may not even know what data may currently be exposed or at risk. Changing your passwords and using the above techniques can help protect you and your clients from malicious web attacks. Don’t overlook the importance of password management – it could make all the difference when a hacker sets his targets on you or your clients