Tackling poor password hygiene habits head-on

Alvaro Hoyos, Chief Information Security Officer at OneLogin.

No matter which sector an organisation operates in, the only certainty in the current business world, where survival - and ultimately success - is determined by immediacy, and often globalisation, is that all businesses must digitally transform their operations. Digital transformation promises significant cost savings, better cross-departmental and cross-border collaboration, improved customer service, and data-driven insights to inform better business decision making. But, every business’ digital journey brings with it a set of new pressures and challenges. Not only must companies become more agile, but the increased use of digital technologies such as the cloud, big data, mobile, internet of things (IoT) and artificial intelligence (AI) are bringing challenges when it comes to security, compliance and data protection.
 
Although digital and security go hand in hand, and cybersecurity has become a strategic point for digital businesses, I’ve noticed that in many cases, security basics are remaining an afterthought.
 
The humble password has long been the first line of defence against attackers in modern computing, and although the technology-led world we now live in appears to be outgrowing the password, it still has a vital role to play alongside other layers of technology and mustn’t be overlooked. Failing to have adequate password policies in place leaves the door open to brute-force and credential-stuffing attacks, exposing sensitive corporate data to those with malicious intent.
 
Recently, OneLogin’s research[i] revealed that 85 per cent of IT decision makers feel they have adequate password protection measures in place. Yet most are failing to enforce even the most basic password requirements, putting their businesses at significant risk of a data breach. On an even more worrying note, fewer than a third (31 per cent) require employees to rotate passwords monthly, and a further half (52 per cent) admitted to requesting password rotation only once every three months.
 
Death of the traditional password
Weak passwords have plagued businesses for generations. The fact is that many organisations are going through the motions: a password policy exists so that they can show they are ‘doing it’, rather than being treated as the first real hurdle an attacker has to clear before reaching their data.
 
Although many businesses require passwords to be a minimum length, a mix of upper and lower case, and to include numbers, the majority are failing to enforce any further requirements on employees. Only 37 per cent of those surveyed check employees’ passwords against common-password lists (a cheap and obvious defence against dictionary attacks), and 39 per cent don’t even require employees to use special characters.
 
The truth of the matter is that the ‘traditional’ password, on its own, is dead, because it is compromised so easily. This is due, in part, to the substantial number of stolen credentials in circulation (over three billion accounts from Yahoo alone) and to the fact that people often reuse the same password across multiple accounts. So “John Doe’s” Yahoo password might well also be the password for, say, his Barclays bank account. Even worse, many people follow the same predictable patterns when choosing passwords, e.g. “1234567” and so on.
 
Hackers know this and run scripts that take these lists, both common-password lists and leaked credential dumps, and automatically try the username/password combinations against many websites (credential stuffing). Try enough doors, and eventually you’ll find one that can be unlocked.
 
These password lists circulate through the hacker community over time, so a leaked password keeps being tried long after the breach that exposed it. Regular rotation limits that window: even if your password has previously been leaked, by the time it is tried against your account you have already moved on to a new one.
 
Tackling poor password hygiene habits
To avoid playing into the hands of hackers and to tackle poor password hygiene habits, employees should be encouraged to use passPHRASES, not passwords. A phrase such as “will Manchester United win the premier league in 2018?”, besides being a question on the lips of fans, is easy to remember, meets the usual character criteria (numbers, upper case and special characters), is easy to type and, because of its length, is far harder for a computer to guess by brute force than a short password that ticks the same boxes.
 
In conjunction with passPHRASES, the use of multiple factors of authentication must also be encouraged, including MFA apps. An MFA app generates a time-based one-time password (OTP), also called a token: a short code derived from a secret shared with the service at enrolment and the current time, valid for only a single 30-second window. Even if hackers obtain a user’s password, they cannot guess the current one-time password before it expires. However, SMS must not be used to deliver OTPs: hackers socially engineer telcos into switching the victim’s number to a SIM they control (SIM swapping), receive the OTP and log into the account. OTPs sent via SMS can also be read in notification previews on a locked screen, so they are visible on a stolen phone.
 
MFA apps also avoid the transport problem altogether: the code is computed on the device from the shared secret, so there is nothing in transit to intercept on an untrusted network, unlike an OTP that travels across the carrier’s network as a text message. However, MFA apps should only be used on phones that haven’t been jailbroken or rooted, since malware on such a device can read the app’s secrets or its screen and forward OTPs to hackers. On a phone protected by a passcode, Touch ID or Face ID, OTPs are not revealed on the locked screen, so even if the phone is stolen the thief cannot read them.
 
Finally, applications should be secured with adaptive authentication that looks for anomalies in the login itself: for instance, a user logging in from an IP address known to host malware, from a country they never usually log in from, or from a new device they haven’t used before. In all of these cases IT should at the very least be notified, and in the higher-risk cases access should be denied.
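The policy just described, as an added example rather than OneLogin’s own adaptive authentication logic: each login is scored against the user’s history and a malware-IP feed, and the result is allow, allow-but-notify-IT, or deny. The login history, the IP list (TEST-NET addresses) and the rule that one anomaly notifies while two, or any malware-hosting IP, denies are all constructed assumptions of the example.

```python
from dataclasses import dataclass, field


@dataclass
class UserProfile:
    countries: set = field(default_factory=set)  # countries seen in past successful logins
    devices: set = field(default_factory=set)    # device identifiers seen before


@dataclass
class LoginEvent:
    user: str
    ip: str
    country: str
    device_id: str


# Constructed threat-intel feed: IPs known to host malware (TEST-NET addresses).
MALWARE_IPS = {"203.0.113.7", "203.0.113.8"}

# Constructed login history for one user: always from GB on one laptop.
PROFILES = {"jdoe": UserProfile(countries={"GB"}, devices={"laptop-4f2a"})}


def assess_login(event: LoginEvent, profiles: dict, malware_ips: set) -> tuple:
    """Return (decision, signals). decision is 'allow', 'notify' (allow, but alert IT)
    or 'deny'. Policy assumed by this example: a malware-hosting IP is always denied;
    two or more anomalies are denied; a single anomaly is allowed with an alert."""
    profile = profiles.get(event.user, UserProfile())
    signals = []
    if event.ip in malware_ips:
        signals.append("ip-hosts-malware")
    if event.country not in profile.countries:
        signals.append("new-country")
    if event.device_id not in profile.devices:
        signals.append("new-device")

    if "ip-hosts-malware" in signals or len(signals) >= 2:
        decision = "deny"
    elif signals:
        decision = "notify"
    else:
        decision = "allow"
    return decision, signals


def record_success(event: LoginEvent, profiles: dict) -> None:
    """After a login that passed every factor (password and MFA), learn the device
    and country so the same combination is no longer treated as an anomaly."""
    profile = profiles.setdefault(event.user, UserProfile())
    profile.countries.add(event.country)
    profile.devices.add(event.device_id)


if __name__ == "__main__":
    events = [
        LoginEvent("jdoe", "198.51.100.20", "GB", "laptop-4f2a"),  # usual setup
        LoginEvent("jdoe", "198.51.100.20", "GB", "phone-9c1d"),   # new device only
        LoginEvent("jdoe", "198.51.100.21", "BR", "phone-9c1d"),   # new country and device
        LoginEvent("jdoe", "203.0.113.7", "GB", "laptop-4f2a"),    # known malware host
    ]
    for ev in events:
        print(ev.ip, ev.country, ev.device_id, "->", assess_login(ev, PROFILES, MALWARE_IPS))
```

A user with no recorded history trips both the country and device checks, so enrolment (the first login, verified with MFA) must call record_success before this policy is applied to them; otherwise the first legitimate login from a new starter would be denied.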
 
If all these steps are followed, not only will hackers’ lives become harder, but IT teams and CEOs can be confident that sensitive corporate data is far better protected from malicious hands.