Password policies poor despite increased threats
Despite the growing number of security threats and the severity of recent breaches, weak password practice remains one of the most common gateways to a cyber attack. A survey by LastPass (since acquired by LogMeIn) found that 53% of respondents admitted they had not changed their passwords in the past 12 months, even after a breach made the news. Why are passwords one of the first things cyber criminals go after when breaching a system? Simply put, password policies are poor!
In a connected world where information is generated everywhere, we fail to follow the basics of handling sensitive information, let alone pay attention to password policies. We do not take the sheer number of threats seriously, and we do not take precautions until we have experienced a breach, which is late in the game.
Below are some of the ways attackers get hold of credentials and gain access to your systems:
Man in the Middle Attack:
A man-in-the-middle attack involves three parties: the victim, the service the victim is trying to reach, and the "man in the middle" who sits between them and intercepts the traffic. Critical to the scenario is that the victim is unaware of the interception. If the login travels over an unprotected channel (plain HTTP, or a TLS connection the attacker has downgraded or is proxying with a certificate the victim clicked through), the attacker captures the password in transit, however strong it is.
Brute Force Attack:
An attacker uses a program or script to try candidate passwords against a login until one works. A true brute-force attack tries every combination systematically, but in practice the easiest-to-guess passwords come first. (Think about it: if an attacker has a company staff list, usernames are easy to derive. Trying one guess such as "Password1" against every account in turn, a variant known as password spraying, gets in as soon as a single user has chosen it, and because each account sees only one failure it slips under per-account lockout thresholds.)
Dictionary Attack:
An attacker uses a program or script that cycles through a list of common words and previously leaked passwords, usually with mangling rules applied (capitalising the first letter, appending a year or a "!", swapping letters for digits), so "Summer2019!" is still a dictionary password. If you are using dictionary words in your passwords, it's time to change this practice!
Key Logger Attack:
An attacker installs a program that records every keystroke on the victim's machine. By the end of the day everything the user has typed, including login IDs and passwords, has been recorded. A key logger attack differs from brute-force and dictionary attacks in several ways. Most importantly, the key logger is malware that must first get onto the user's device, often because the user was tricked into downloading it by clicking a link in an email. A stronger password also provides no protection once keystrokes are being captured, which is one reason multi-factor authentication (MFA) is becoming a must-have for every organisation: the stolen password alone is no longer enough to log in.
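The brute-force and password-spray patterns described above leave a distinctive trail in Windows logon-failure events (Event ID 4625): one source hammering one account, or one source touching many accounts once each. The script below is an added example, not code from the original article or its author; the `$events` array is constructed sample data so it runs offline, and the thresholds are assumptions to tune for your environment. In production you would feed it with `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625}` from a domain controller.

```powershell
# Added example: flag brute-force and password-spray patterns in 4625 logon failures.
# $events is constructed sample data (not real logs); replace with Get-WinEvent output.
$t0 = [datetime]'2019-06-03 09:00:00'
$events = @()

# Benign: one user mistypes their password twice.
$events += [pscustomobject]@{ Time = $t0;               Account = 'j.smith'; Source = '10.0.0.12' }
$events += [pscustomobject]@{ Time = $t0.AddSeconds(20); Account = 'j.smith'; Source = '10.0.0.12' }

# Password spray: one source, a single failure against each of 25 accounts in under a minute.
foreach ($i in 1..25) {
    $events += [pscustomobject]@{ Time = $t0.AddSeconds($i * 2); Account = "user$i"; Source = '10.0.0.50' }
}

# Brute force: one source, 40 failures against the same account.
foreach ($i in 1..40) {
    $events += [pscustomobject]@{ Time = $t0.AddSeconds($i); Account = 'administrator'; Source = '10.0.0.77' }
}

function Find-CredentialAttacks {
    param(
        [Parameter(Mandatory)] $Events,
        [int]$WindowMinutes = 10,   # assumed detection window
        [int]$SprayAccounts = 10,   # distinct accounts from one source => spray
        [int]$BruteAttempts = 20    # failures on one account from one source => brute force
    )
    $results = @()
    foreach ($group in ($Events | Group-Object Source)) {
        $src    = $group.Name
        $sorted = $group.Group | Sort-Object Time
        # Simplification: evaluate the window starting at the source's first failure.
        # A production detector would slide the window across the whole stream.
        $windowEnd = $sorted[0].Time.AddMinutes($WindowMinutes)
        $inWindow  = @($sorted | Where-Object { $_.Time -le $windowEnd })

        $distinct   = @($inWindow | Select-Object -ExpandProperty Account -Unique).Count
        $topAccount = $inWindow | Group-Object Account | Sort-Object Count -Descending | Select-Object -First 1

        if ($distinct -ge $SprayAccounts) {
            $results += [pscustomobject]@{ Source = $src; Pattern = 'password spray'
                                           Detail = "$distinct distinct accounts in $WindowMinutes min" }
        } elseif ($topAccount.Count -ge $BruteAttempts) {
            $results += [pscustomobject]@{ Source = $src; Pattern = 'brute force'
                                           Detail = "$($topAccount.Count) attempts on $($topAccount.Name)" }
        }
    }
    return $results
}

# 10.0.0.12 is below both thresholds; 10.0.0.50 reports as a spray, 10.0.0.77 as brute force.
Find-CredentialAttacks -Events $events | Format-Table -AutoSize
```

The spray check runs first on purpose: a sprayer never trips the per-account count, so counting distinct target accounts per source is the only way to see it. Per-account lockout alone will not catch it, which is why the minimum length and MFA settings discussed below matter more than lockout.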
Below are the settings you should configure in your company's password policy (in a Windows domain they live in the Default Domain Policy under Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy):
- Enforce Password History: Enforce password history sets how many unique new passwords a user must go through before an old one can be reused (the domain default is 24). This policy discourages users from cycling back and forth between a small set of favourite passwords.
- Maximum Password Age: Maximum password age determines how long users can keep a password before they have to change it. The aim is to periodically force a change. Be aware that current guidance from NIST (SP 800-63B) and Microsoft no longer recommends routine expiry for strong passwords, because it pushes users toward predictable patterns such as Summer01, Summer02; force a change when a compromise is suspected instead, and rely on length, history and MFA the rest of the time. If a compliance requirement still demands expiry, set the age as long as that requirement allows.
- Minimum Password Age: Minimum password age determines how long users must keep a password before they can change it again. Set it to at least one day so users cannot defeat password history by changing their password 24 times in a row and landing back on the old one.
- Minimum Password Length: Minimum password length sets the minimum number of characters for a password. If it has not been changed already, change it immediately: the local-policy default on a stand-alone Windows machine is 0, which allows empty passwords. Set at least 14 characters; length is the single most effective setting against brute-force and dictionary attacks.
- Passwords Must Meet Complexity Requirements: Available since Windows 2000, this setting is enforced whenever a user or administrator changes a user account's password. The built-in rules are that the password may not contain the user's account name or any part of the full name longer than two characters, must be at least six characters long, and must contain characters from at least three of these five categories: uppercase letters, lowercase letters, digits, non-alphanumeric characters (such as !, $, #, %), and other Unicode letters. Note that "Password1" passes all of these rules, so complexity is no substitute for length.
- Store Password Using Reversible Encryption: Windows normally stores passwords only as one-way hashes, so the plaintext cannot be recovered from the database. Enabling this setting stores them in a form the domain controller can decrypt, which is effectively the same as storing them in clear text: anyone who obtains the Active Directory database gets every password. Leave it disabled. It exists only for legacy protocols that need the plaintext password (CHAP through Remote Access, Digest authentication in IIS), and if one of those is unavoidable, enable the option on the individual account rather than domain-wide.
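The six settings above can be audited and applied in one place with the ActiveDirectory PowerShell module. The script below is an added example, not code from the original article or its author; it assumes the RSAT ActiveDirectory module is installed, that you have rights to edit the Default Domain Policy, and the target values (24 remembered passwords, 14 characters, one-day minimum age) are the recommendations from the text, not values the page's author published. The `Test-PasswordComplexity` function is an added re-implementation of the Windows complexity rules for pre-checking passwords at a helpdesk; it is not the code Windows itself runs.

```powershell
# Added example: audit the domain password policy against the settings discussed
# above, apply the hardened values, and pre-check a password against the complexity rules.
# Assumes the RSAT ActiveDirectory module and Domain Admin rights.
Import-Module ActiveDirectory

$policy = Get-ADDefaultDomainPasswordPolicy

# Each check names the policy property, the pass condition, and the value we want.
$checks = @(
    @{ Name = 'PasswordHistoryCount';        Ok = ($policy.PasswordHistoryCount -ge 24);                 Want = '24' }
    @{ Name = 'MinPasswordLength';           Ok = ($policy.MinPasswordLength -ge 14);                    Want = '14' }
    @{ Name = 'MinPasswordAge';              Ok = ($policy.MinPasswordAge -ge [timespan]'1.00:00:00');   Want = '1 day' }
    @{ Name = 'ComplexityEnabled';           Ok = [bool]$policy.ComplexityEnabled;                       Want = 'True' }
    @{ Name = 'ReversibleEncryptionEnabled'; Ok = (-not $policy.ReversibleEncryptionEnabled);            Want = 'False' }
)
foreach ($c in $checks) {
    $state = if ($c.Ok) { 'OK  ' } else { 'FAIL' }
    '{0} {1,-30} current={2} expected={3}' -f $state, $c.Name, $policy.($c.Name), $c.Want
}

# Apply the hardened values. Review the audit output before running this line.
# MaxPasswordAge is kept at one year here only for environments whose compliance rules
# still demand expiry; lengthen or remove it if yours do not.
Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DistinguishedName `
    -PasswordHistoryCount 24 `
    -MinPasswordLength 14 `
    -MinPasswordAge ([timespan]'1.00:00:00') `
    -MaxPasswordAge ([timespan]'365.00:00:00') `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false

function Test-PasswordComplexity {
    # Re-implementation of the Windows "complexity requirements" rules for pre-checking.
    # Simplification: other Unicode letters are counted with the non-alphanumeric category.
    param(
        [Parameter(Mandatory)][string]$Password,
        [string]$SamAccountName = '',
        [string]$DisplayName = ''
    )
    if ($Password.Length -lt 6) { return $false }
    # The account name check is case-insensitive and skipped for names under 3 characters.
    if ($SamAccountName.Length -ge 3 -and $Password -match [regex]::Escape($SamAccountName)) { return $false }
    # Any part of the full name longer than two characters may not appear in the password.
    foreach ($token in ($DisplayName -split '[ ,.\-_#\t]+')) {
        if ($token.Length -gt 2 -and $Password -match [regex]::Escape($token)) { return $false }
    }
    $categories = 0
    if ($Password -cmatch '[A-Z]')        { $categories++ }   # uppercase
    if ($Password -cmatch '[a-z]')        { $categories++ }   # lowercase
    if ($Password -match  '\d')           { $categories++ }   # digits
    if ($Password -match  '[^A-Za-z0-9]') { $categories++ }   # symbols and other letters
    return ($categories -ge 3)
}

# "Password1" satisfies three categories and passes; "johnsmith2019" fails on the account name.
Test-PasswordComplexity -Password 'Password1'     -SamAccountName 'j.smith'   -DisplayName 'John Smith'   # True
Test-PasswordComplexity -Password 'johnsmith2019' -SamAccountName 'johnsmith' -DisplayName 'John Smith'   # False
```

The last two calls make the point from the complexity bullet concrete: the rules reject a password built from the user's own name but happily accept "Password1", which is exactly why the minimum-length setting and MFA carry more weight than complexity.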
Password policies play a vital role in a company's security posture, and you should look for a solution you can manage from a single pane of glass. Ideally, you want a single sign-on solution for your corporate environment that applies multi-factor authentication to all of your applications. With multi-factor authentication (also called two-factor authentication, 2FA, or advanced authentication), a user must provide not only a password to gain access but also another security "factor", such as a one-time code generated by a hardware token or an authenticator app on their smartphone, or a hardware security key. MFA defeats every attack above that relies on the password alone: even if an attacker obtains the password through spraying, a dictionary attack or a key logger, they cannot supply the second factor. It is not a silver bullet, since a one-time code can itself be phished and relayed in real time, which is why phishing-resistant factors such as FIDO2 security keys are preferred for high-value accounts, but it takes your password policies to the next level!
Check out our video below to learn more about our single sign-on solution:
Contact us today to see how we can help your organization with a single sign-on solution that uses multi-factor authentication.