When it comes to IT security, very small businesses and micro-enterprises are in a tight spot.
They’re almost always heavily dependent on computers but not large enough to have dedicated IT staff; everyone is busy doing their day job (and probably a few other jobs as well) and the ‘IT cap’ is simply handed to the least non-technical person.
In those circumstances, knowing what to do, what’s important and where to start with computer security can be very difficult and in my experience the first casualty is often a company’s passwords.
Despite the rise of biometrics and two-factor authentication, almost everything we do on our computers is still secured using passwords, so getting them right is a vitally important first step.
I’ve compiled a list of four common password mistakes that I see when working with small companies. If you can avoid them then you’ll have put your security on a stronger footing.
Anti-virus – you need it but it’s not enough
OK, I just said this article is about passwords but I think it’s important to start with a word about anti-virus.
Whatever the state of security awareness in a very small business the chances are that there’s one thing everybody will agree on; that they need to run anti-virus.
That consensus can have a chilling effect on other aspects of computer security though, because to a lot of people anti-virus is computer security and once it’s installed, security is a done deal.
Unfortunately installing anti-virus is the first step, not the last.
You need to ensure that all of your devices (PCs, Macs, tablets, Linux servers and phones) are running anti-virus and that it is updating successfully.
And then you need to read on…
Fear of forgetting leads to awful passwords
One of the reasons people use weak passwords, and then weaken them further by sharing them and using them over and over, is because they’re afraid of forgetting them. (I once had a customer who wrote his Windows password on his computer monitor because he was afraid he’d forget it. His password consisted of two letters; his initials).
To overcome the fear of forgetting your passwords you’ll need a place you can keep them safe and always find them.
It doesn’t matter much where it is – it might be a keychain application on your computer, a website like LastPass, a leather bound book or even your own memory – what matters is:
- You know where it is
- You can control who has access to it
- It is the only place your passwords are kept
- It can store hundreds of unique, strong passwords
Once you have decided how you are going to store your passwords put the ones you can remember into your safe place. Gather up any notes, files and post-its where you’ve written your passwords down and copy them over too.
When all of your passwords have been transferred to your safe place remove all traces of them from anywhere other than your secure location. Clean your passwords off whiteboards (or computer monitors), delete them from computer files and shred or burn any pages or post-its where you wrote them down.
By creating a safe place to store your passwords you’ll free yourself to choose complex passwords that you couldn’t otherwise remember.
Which is what we’ll do next…
Passwords are easier to crack than you think
When we talk about strong passwords we mean passwords that a powerful computer will have difficulty guessing.
This isn’t the movies and we’re not defending ourselves against elite hackers whose second guess is always supernaturally lucky.
Your passwords are at risk from computer programs that can guess thousands of passwords a second and are able to understand some of the tricks you use to make passwords more obscure.
A short while ago I was given some old computers by a small business that had recently folded.
As an experiment, and with the previous owner’s permission, I booted one of the computers using a password auditing tool.
Running on the defunct company’s own old hardware, the software guessed the admin password for the first machine in under ten seconds.
The password was an eight letter word (the company name) with a zero in place of an ‘o’ to make it difficult to crack.
The computer, it turns out, was the machine holding the company accounts.
Using dictionary words and paying lip service to security with a few numbers and wacky characters where there should be letters simply isn’t enough.
Use 14 characters or more and switch as arbitrarily as you can between UPPER, lower, d1g1t5 and \/\/@ckies.
If you’re wondering how you’d ever create a password like that I suggest you use a random password generator.
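To put numbers on the two claims above (that a dictionary word with a few character swaps is cheap to guess whatever its length, and that 14 random characters across all four classes are not), here is an added Python example. It is not code from the article or from any tool it mentions; the wordlist size, the number of substitution variants per word and the guess rate are constructed assumptions (the rate is taken from the article's "thousands of passwords a second"; real cracking tools against weak hashes are far faster). The generator uses Python's `secrets` module so the choice is uniformly random, and it rejects any candidate that is missing one of the UPPER/lower/d1g1t5/wackies classes.

```python
import math
import secrets
import string

# Constructed assumptions for the size of the problem, not measured figures.
WORDLIST_SIZE = 100_000        # assumed: English words plus company/product names
LEET_VARIANTS_PER_WORD = 64    # assumed: combinations of a few swaps (o->0, a->@, i->1, ...)
GUESSES_PER_SECOND = 10_000    # article: "thousands of passwords a second"

CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "wacky": "!@#$%^&*()-_=+[]{};:,.<>?/\\|",
}
ALPHABET = "".join(CLASSES.values())  # 90 characters


def entropy_bits(keyspace: float) -> float:
    """Bits of entropy for a secret chosen uniformly from `keyspace` candidates."""
    return math.log2(keyspace)


def seconds_to_exhaust(keyspace: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst case: time to try every candidate at `rate` guesses per second."""
    return keyspace / rate


def leet_word_keyspace(words: int = WORDLIST_SIZE,
                       variants: int = LEET_VARIANTS_PER_WORD) -> int:
    """Candidates a cracker must try for 'a word with a few swaps' (e.g. c0mpany).
    Note that the word's length does not appear here at all."""
    return words * variants


def random_keyspace(length: int, alphabet: str = ALPHABET) -> int:
    """Candidates for a password of `length` characters drawn uniformly from `alphabet`."""
    return len(alphabet) ** length


def has_all_classes(pw: str) -> bool:
    """True if the password contains at least one character from every class."""
    return all(any(c in chars for c in pw) for chars in CLASSES.values())


def generate_password(length: int = 14) -> str:
    """Generate a uniformly random password that contains every character class.

    Rejection sampling (retry until all classes appear) keeps the result unbiased
    among qualifying passwords; picking one forced character per class and
    shuffling would skew the distribution slightly.
    """
    if length < len(CLASSES):
        raise ValueError("length too short to include every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


def length_for_bits(target_bits: float, alphabet: str = ALPHABET) -> int:
    """Smallest random-password length that reaches `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(len(alphabet)))


if __name__ == "__main__":
    leet = leet_word_keyspace()
    rnd = random_keyspace(14)
    print(f"word + swaps : {entropy_bits(leet):5.1f} bits, "
          f"exhausted in {seconds_to_exhaust(leet):.0f} s at {GUESSES_PER_SECOND}/s")
    print(f"14 random    : {entropy_bits(rnd):5.1f} bits, "
          f"exhausted in {seconds_to_exhaust(rnd) / 3.15e7:.2e} years")
    print(f"length for 80 bits from this alphabet: {length_for_bits(80)}")
    print("example generated password:", generate_password())
```

Under these assumptions the word-with-swaps space is about 23 bits and falls in minutes even at the modest guess rate, while 14 random characters from a 90-symbol alphabet give roughly 91 bits. The `generate_password` function is what a "random password generator" does; the point of the comparison is that the strength comes from the uniform randomness and the length, not from the swaps themselves.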
Now you control access to your passwords and you’ve made sure they’re all good and strong it’s time to stop sharing them.
Your password isn’t secure if you give it away
When I work with a small business or micro-enterprise they generally have to give me access to one or more of their systems.
I am staggered at how often I’m simply handed a long list of admin passwords (often for systems I don’t even need access to) that are shared by everyone at the company.
Account sharing like this is a really bad idea, not least because:
- If something bad happens you can’t tell who did it.
- It makes you more vulnerable to social engineering.
- It makes changing passwords too painful to bother with.
- Everyone with a password can cause maximum damage.
- You don’t know who else has your passwords.
One of the reasons that people in organisations share passwords amongst themselves and with outsiders is because it’s incredibly convenient.
Keeping accounts separate and passwords secret is a bit like taking daily backups – most days it’s a small inconvenience and you won’t feel the need for it, but you do it because on the one day you do feel it, you’ll really, really feel it.
Unfortunately you’ll just have to bite the bullet on this one. Yes, it’s a little bit more inconvenient to make sure everyone has their own account but it’s no different than limiting access to your front door keys.
Every person who needs access to a particular system should have their own account with a unique password and the lowest workable access level.
Next steps
Take a look at our 4 free tools to boost your security and do our 3 essential security tasks (the tasks are aimed at families but they’re great advice for micro-businesses too).
Larger organisations with the time and resources to test passwords and enforce password policies should read Ross McKerchar’s Practical IT: Passwords 101 for businesses.
Darn true, I’ve seen password written down on stickies, too. To me, a single sign-on is the best solution: one token accesses what you need and you don’t overwhelm users with 200,000 passwords impossible to remind.
I use a mix of XKCD/936 compliant passwords, derivatives thereof and “as long as allowed” mixed upper, lower, digits and (where allowed) wackies, depending on what sites allow. I use LastPass to manage them.
I’ve known some dodgy password management techniques, though.
No user will ever use d1g1t5 and \/\/@ckies for a PW, especially if the admin logs off the computer every 10 minutes. My son has a fingerprint reader on his laptop, works like a charm, wish more had that feature.
Fingerprint readers are unfortunately not reliable, so you often need the password. Apple’s implementation in the iPhone is the best I’ve seen, and it’s still not perfect. IMHO, these are best as 2FA devices rather than the sole method of access (especially if it’s a small business or a machine containing sensitive information).
Interesting legal note (in the US, anyway) – you can’t be forced to reveal your password, because it is legally a form of testimony, and that falls under the 5th article of the Bill of Rights – the right to not incriminate yourself. But a fingerprint is evidence, and as such, can be compelled. So, if you are arrested, and your phone is locked, the police can’t legally make you unlock it with a password, but they can force you to place your fingerprint on it to unlock it.
Oh yes – and the 5th doesn’t apply to third parties. That’s one of the reasons that Apple no longer keeps a master password. Although YOU can’t be compelled to reveal your password, if a third party knows it (or has an authorized way of accessing the information), they CAN be compelled. And you don’t necessarily have to be notified. Apple avoided a whole mess of potential surveillance law problems by their decision to discontinue master passwords.
Not a lawyer, yada yada, but just completed a course in Surveillance Law in which this was discussed.
I use a three-letter abbreviation of the website within a static group of other upper and lowercase characters/symbols/digits. My password for Sophos.com, for example, might be something like “&SOP-I8SumP1!”… for CNN, it might be “&CNN-I8SumP1!”. Since the only part that is unique to each site’s password is the three-letter site abbreviation, remembering many passwords is fairly easy.
I ate some pie… tee hee
Problem here is that if someone sees two of your passwords, the rest are staggeringly obvious.
So this is better than having the same password for every site, but not by much.
Part of the problem is that Security people see security as their job and believe everyone else feels the same, whereas other people see their job as getting their job done. People share passwords because it allows them to do their job when the incumbent isn’t available. They write them down or use simple ones because they want to get their job done with the least amount of fuss and bother. IT often works at cross purposes to getting the real work done. In my work we can’t install programs on our system, so I can’t use a password manager, so I have to use three similar, not very strong passwords (that just meet IT guidelines) in order to get in to my programs to do my work. At home I use very strong and completely different pwds for everything and a password manager. IT security staff or consultants need to constantly remind themselves that the purpose of business is business and people will not comply if you don’t consider how they have to work.
Very true Gary. Having been both a Network Architect and having run the security team at a global logistics company, I am acutely aware of the frustration that can be felt on both sides of the fence.
I often had to remind my security team that IT was a business enabler without which the company wouldn’t be able to operate.
I also had to constantly remind many of my peers, upper management as well as many every-day users the same thing. IT is a business enabler, without which the company couldn’t operate.
I was once told by a division VP that the company was just a logistics company; who would want to hack them? I asked if he realized that the company had multiple contracts with government entities, namely the US military – with multiple wars raging on, wouldn’t he say that made the company one huge target?
I say this because most users (and management for that matter) don’t fully realize the impact of a compromised system. I am sure that the HVAC techs didn’t think anything of using the same weak credentials on all their remote HVAC systems – look at the fiasco that it put Target through. Sure, the techs were simply trying to make their jobs easier; but try telling that to all those people who had their bank accounts drained because of it.
Or how about the beauty pageant queen who had her photos plastered across porn sites? How much you want to bet her WebCam had a password like admin/admin?
The media often makes it sound like movie star hackers have invaded your privacy; but really all one has to do is a quick search on Shodan to realize just how weak most users are at securing their systems.
As Mark noted, complex passwords are just a small aspect of security. But it’s something everyone can take part in.
Sure, complex passwords can be a pain; but there are tools out there that can help out. With seemingly everyone using a smartphone there’s really no excuse for not using one. LastPass, for example, has an app that automatically syncs your passwords.
True indeed Mark. Without a password manager I can’t imagine handling my passwords. You mentioned LastPass; I use Sticky Password and there are many others, which is great. At least users can choose, and it also indicates that this problem area is growing.
Small addendum to point 3 and the “old retired hardware” thing – if you’re not using full disk encryption, it’s pretty trivial to reset a Windows admin password to blank, as long as you can boot from CD/USB. So in that case long and complex passwords aren’t going to help much.
Even with strong passwords and full encryption, when you’re retiring old systems or drives it’s always wise to wipe wipe wipe (as I’m sure you told your folded friend).
What’s frustrating is the lack of vendor support and participation in using pass phrases. It’s much easier for users to remember something like “I like the color Blue” than a password made up of varying characters that they can’t remember and then write it down on a sticky note to remember it.
Some internet sites explain how short the password should be and how little to use: uppercase and lowercase and digits, that is all they want; we are not allowed special characters or a space. The less easy it is to guess, the better it is, yet the easier it is to remember, the better it is to write all that down. A larger number of combinations of things makes it harder.
I have kept the same password for twenty years, is this just wrong?