Not every exposed password is the fault of the user; many are exposed through the compromise of an application or website, whether or not that breach is ever discovered. An effective password management strategy should be as important as a coach’s game plan and can dramatically limit the damage should one or more passwords be compromised. A breach of security can wreak havoc on a company and cause devastation that may take years to repair, if it can be repaired at all.
Like most businesses that have a connection to the internet, your company most likely has a variety of services and accounts requiring their own unique password. While generating a quality, strong password for every account is simple enough, keeping track of each one can be a nightmare. It can often be simply impossible to recall each one when needed.
Proper advice on how to build a password of sufficient strength usually yields a difficult-to-remember “alphabet soup”. Typical guidance includes:
- Built from some of each: numbers, special characters, signs, symbols, and letters.
- Eight characters long is the bare minimum, and sixteen or more is recommended.
- Regular expiry dates not exceeding several weeks.
- Completely unique, never used before and never repeated.
- Not written down anywhere.
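The rules above can be enforced mechanically when a user picks a new password. The following is an added example written for this article, not code from the page or from AuthAnvil: it checks length and character mix, rejects reuse by comparing against a history of salted PBKDF2 hashes (the plaintext of old passwords is never stored), and flags expiry. The six-week expiry window, the PBKDF2 parameters and the demo history are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import string
from datetime import date, timedelta

# Thresholds from the guidance above. MAX_AGE_DAYS is an assumption:
# "several weeks" is read here as six weeks.
MIN_LENGTH = 8
RECOMMENDED_LENGTH = 16
MAX_AGE_DAYS = 42
PBKDF2_ROUNDS = 100_000  # assumed work factor for the demo

# One entry per character class the policy asks for.
CHARACTER_CLASSES = {
    "lowercase letter": string.ascii_lowercase,
    "uppercase letter": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}


def missing_classes(password):
    """Names of the character classes the password does not contain."""
    return [name for name, chars in CHARACTER_CLASSES.items()
            if not any(c in chars for c in password)]


def hash_for_history(password, salt=None):
    """Salted PBKDF2 digest; the history stores these, never the plaintext."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ROUNDS)
    return salt, digest


def previously_used(password, history):
    """True if the password matches any (salt, digest) pair in the history."""
    for salt, digest in history:
        _, candidate = hash_for_history(password, salt)
        if hmac.compare_digest(candidate, digest):  # constant-time compare
            return True
    return False


def check_password(password, history):
    """Evaluate a proposed password. Returns (errors, warnings);
    an empty errors list means the password is accepted."""
    errors, warnings = [], []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than the {MIN_LENGTH}-character minimum")
    elif len(password) < RECOMMENDED_LENGTH:
        warnings.append(f"shorter than the recommended {RECOMMENDED_LENGTH} characters")
    missing = missing_classes(password)
    if missing:
        errors.append("missing " + ", ".join(missing))
    if previously_used(password, history):
        errors.append("reused a previous password")
    return errors, warnings


def is_expired(set_on, today=None):
    """True when a password set on ISO date `set_on` is older than MAX_AGE_DAYS."""
    set_on = date.fromisoformat(set_on)
    today = date.fromisoformat(today) if today else date.today()
    return today - set_on > timedelta(days=MAX_AGE_DAYS)


# Constructed history: two former passwords of a demo account, stored hashed.
DEMO_HISTORY = [hash_for_history(p) for p in ("Winter2023!", "Spring2024!Go")]

if __name__ == "__main__":
    for pw in ("short1!", "Winter2023!", "alllowercase", "Tr0ub4dor&3-Stapler"):
        print(pw, check_password(pw, DEMO_HISTORY))
    print("expired:", is_expired("2024-01-01", today="2024-03-01"))
```

In a real deployment the history would live beside the account record and be written by the same routine that sets the new password, so a user cannot rotate back to an old value; the per-entry salt means two users with the same old password still produce different digests.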
It is not difficult to understand why most business owners, managers, supervisors, and employees simply throw their hands up in despair and give up. When security is too complex and troublesome, then the need for convenience usually trumps the need for security. On the other hand, just because your company uses passwords properly does not mean that your confidential data is safe.
Maintaining Company Secrecy
While the systems administrator is primarily the one responsible for maintaining core passwords and due diligence in protecting the company’s systems and data, most small businesses cannot afford a dedicated administrator. In that case, it is left up to an employee, supervisor, manager, or business owner to maintain every user ID along with its associated password both internally, and externally. With every additional password this delegate is expected to manage, the likelihood of unsafe storage for these key credentials rises sharply.
Developing a Game Plan
By developing an effective plan using proper password management, companies can minimize the risk by maximizing their defense against those who may seek to damage or defraud the company. Any good game plan requires the following:
Defense - Rally the team
- Passwords should be built to a difficulty standard that will prevent or at least discourage guessing and dictionary type attacks.
- Storage of passwords should be prohibited in all but properly designed and implemented systems that are approved by management or a trusted advisor.
- The whole team needs to be involved with strong passwords. Even the lowest-level unauthorized access to the company network can mean game-over.
- Consider reinforcing passwords with multi-factor authentication or identity standards such as SAML.
- Create real consequences for staff who repeatedly disregard company policy and store passwords in an unsafe manner.
- Regularly audit access, ensuring that each user has the absolute minimum access needed for their own areas of responsibility and nothing beyond them.
“The Red Zone”
When things go wrong there needs to be a way of instantly and completely revoking a user’s access and permissions. This play includes rotating every shared password a user knows. The end result is a user with no access to any system, which could also be highly useful as standard procedure if a user is currently departing their employment.
A poor track record with company passwords doesn’t have to mean returning to square one. However, it is essential that you understand all the weaknesses and strengths of your current password practices. The road to better password unity starts with creating a convenient and safe place for users to build and store passwords. Learn more about what goes into creating a safe, yet convenient system in this free eBook: The Password Management Playbook. You’ll learn more about ways to improve how you handle passwords today, and be introduced to AuthAnvil, the User Authentication suite designed specifically to counter the deficiencies of passwords.