Why Weak Password Policies Are So Vulnerable

password

By Dave Kinsey

The former executive of the Saint Louis Cardinals Major League Baseball team, Chris Correa, was sentenced in July to 46 months in prison and hefty fines for hacking into the Houston Astro’s protected computer. How did a rookie cyber-criminal access the competitor’s scouting records? Weak password practices.

Just like many other data breaches, this unauthorized access to proprietary files and emails was possible due to weak security precautions. Chris Correa was simply able to easily decipher the password for the Astros because it was very similar to the password used by the victim when he previously worked for the Cardinals. Using consumer software he gained access to the password the victim used on his Cardinals laptop when it was handed over to Correa upon the victim’s termination with the Cardinals. From this first breach Correa was able to determine login credentials for two other Astros employees.

Unfortunately, stories of data breaches continue. While not always the case, the breaches are oft en enabled due to poor security policies. There is not one solution that will prevent all hacks, but perhaps one of the simplest and least expensive ways to start is to pick hard-to-hack passwords. Quite frankly, the entire strength of your IT infrastructure’s security relies on a single password.

Even if your password is not guessed by a former employer, passwords can be guessed by brute force (automated guessing). Passwords can be obtained from a compromised site, from phishing emails or websites.

Why is this so important? Hackers try to access your important data, searching for proprietary intellectual data or personal identification numbers including, social security, driver’s license and birthdays. This information is valuable to criminals. Once someone gets that information, getting into your bank account or stealing your identity becomes much easier. Cracking your password gives cyber thieves easy access to the goods.

In order to understand what makes a strong password, it’s important to first understand what makes a poor password. Passwords should not be:

  • Simple patterns on your keyboard including qwertyuiop, which is the top row of letters on a standard keyboard, or 1qaz2wsx.
  • Favorite sports.
  • Birthdays or birth years.
  • Social security numbers.
  • Baby names.
  • Swear words.
  • Car brands.
  • Written on a sticky note.

Good password practices:

  • Create long passwords of a mix of different characters, symbols and numbers. Or use a random phrase like, “Alpine skiing is fantastic.” The longer the password the better.
  • Do not share passwords.
  • Never use your business account password on a public site.
  • Change passwords regularly.
  • And finally, resist the urge to use the same password for all of your accounts.

Security is always at odds with convenience. Passwords that are easy to remember can be easy to crack. If remembering different passwords proves difficult, try a password manager like LastPass, DashLane or Roboform. Be sure to use two-factor authentication to access your vault and properly configure your password manager with logout timeout policies.

Once you have strong password management down pat, you should review other essential security precaution tools, including multi factor authentication, commercial-grade network security appliance and subscriptions, malware protection, email filtering, patch management and educating your staff .

If you need more motivation to keep your passwords large and in charge, regularly review your system reports to see how many attempts were made to hack into your servers – it is sobering. A little password inconvenience on the front end can save you major security breaches on the backend.

Dave Kinsey is the owner and president of Total Networks, the technology partner of many law firms throughout Arizona. For more information, email dkinsey@totalnetworks.com.