Do We Need to Pass on Passwords?
September 20, 2018
You be the judge
Nearly 15 years ago, Microsoft Co-Founder Bill Gates predicted the demise of passwords. They were too unreliable, he said, noting there were other more secure ways of granting access to computers.
Gates clearly wasn’t correct about the death of the one-time login, but he certainly had it right when it came to calling out the need for companies to move on to something else.
By now, passwords should have become passé because they are easily one of the worst security tools ever invented. The main problem is that most of us tend to choose passwords we can remember, such as 123456 - the most common password in the world. Others plug in the names of their kids, spouses or friends and add a few numbers, thinking themselves oh-so-clever and secure.
Unfortunately, neither of these approaches works. Hackers today have quick and simple access to tools, many of them widely available on the Dark Net, that can crack these simple log-ins in less than an hour.
You’ve probably heard most of this. Yet, if you’re like 51 percent of small business leaders, you probably haven’t paid much attention because you don’t see why anyone would target you. But the truth is that you’re targeted about as often as large businesses, according to one study. In fact, more than half of malware attack victims are small businesses.
Not only that, you and your employees are probably making matters worse by not exercising common sense when it comes to where you use various passwords. For instance, it’s simple common sense that you wouldn’t use the same passwords everywhere.
After all, if a hacker manages to steal your Facebook password, and it’s the same as your BofA log-in, they get instant access to your money. Yet, 59 percent of respondents in a LastPass survey admit to doing this anyway because it’s too hard to remember multiple logins.
For all their weaknesses, passwords are an unfortunate fact of life. They’re not going away anytime soon. In fact, the number of passwords is expected to triple to around 300 billion worldwide by 2020. That’s why it’s so important for business owners to adopt alternative security tools and policies that will help shore up their security postures and avoid attacks that will shut down their businesses.
Here are 5 things everyone can do to make sure passwords don’t become the death of them:
1. Mandate quarterly password changes
Most security experts will say it’s necessary to update passwords at least every three months because, whether you realize it or not, your passwords are compromised all the time.
You may not know it, but odds are that, within a year’s time, your employees’ passwords will land on some Dark Net site where they can be purchased and exploited by cybercriminals looking to steal your records or cash. The longer compromised passwords remain active, the higher the risk that bad guys will penetrate your network.
2. Require strong passwords
If you are allowing your employees to select any password they like, you are putting your business in jeopardy. It’s that simple.
When employees are prompted by your IT department (or you) to change their passwords every quarter, they should also be required to plug in strong passwords. These passwords need to be complex, involving a random series of characters, symbols, numbers and cases. The more intricate and lengthy they are, the safer your business network will be.
3. Adopt Multi-Factor Authentication (MFA)
The term “multi-factor authentication” sounds technical, but it’s really very simple. It just means that, in addition to passwords, you require a second way of getting into a network. It’s a little like having a key to the front door but also making someone plug in a combination before entering your home.
When Mr. Gates evangelized the end of the password, one of the most common ways of accomplishing this was through a token card that generated a random set of characters users would plug into a computer after entering their password. The RSA SecurID was one of the best-known digital keys and is still popular today.
However, there are a host of biometric methods that are easier to use. For instance, many laptops and smartphones now come with optional fingerprint readers. We’re also seeing other interesting options emerging, such as facial recognition, heart rate authentication and Apple’s Face ID and Windows Hello, which are options on select HP products.
Every business should evaluate and strongly consider each of these options as logical security reinforcements for vulnerable employee passwords.
4. Keep passwords out of sight
The worst habits of workers die hard, and one of these is jotting down passwords on sticky notes, in notebooks or spreadsheets or in email folders.
We all do these things. After all, we trust our fellow employees, and most of us don’t expect someone to be standing over our shoulders waiting to jot down our passwords. Unfortunately, hackers come in many forms. They can be part-time workers or the night janitor. They can be contractors trolling the hallways. They can be disaffected colleagues. And they can even be industrial espionage spies. You never know.
That’s why businesses need to have a strong policy in place that not only discourages employees from being careless with passwords but penalizes them in some way, possibly including termination, if their negligence allows passwords to fall into the wrong hands.
Organizations might also consider providing employees with computer screen protectors that make it difficult for someone to see you entering a password or any other content. For that matter, HP® offers an optional, integrated HP Sure View privacy screen with touch screen versions of its HP EliteBook 1040 laptops that are worth considering.
With almost 60 percent of employees taking their work outside office walls, the HP Sure View integrated privacy screen helps users work confidently from any location without fear of data on the screen being exposed to visual hacking.
5. Offer password management options
Did we mention remembering and managing passwords can be painful?
Fortunately, there are a host of pretty good password management systems, like LastPass, that make doing this simple. As a concerned business owner, think about offering one of these solutions to employees.
With these programs, users enter the sites they frequent and input logins and passwords for each. That information is then auto-filled when they visit those online locations. It’s easy to regularly update passwords through the app without having to remember them each time.
And while no application is 100 percent secure, most of these solutions are built around some form of strong encryption. Prices start at about $2.50 per month for individual users and $4 per person each month for businesses.
Passwords are one of the weakest forms of user authentication ever invented, but they are here with us for the foreseeable future. As such, everyone needs to take steps to buttress their networks with other more modern security tools and practices.