by Zaun Bhana, Leap Consulting
Over a quarter use easy-to-remember passwords such as birthdays or peoples names, putting their accounts at added risk to be hacked.
The problem with reusing the same password is that if one site suffers a data leak and their password database is compromised, or if hackers
guess an easy-to-guess password, then all the accounts that use that password will be compromised too.
The reason why people generally use the same password for multiple accounts, or choose an easy to remember password, is that it’s difficult
to remember lots of different passwords for different websites, especially complicated ones. For most people, the fear of forgetting a
password outweighs the real risk of getting hacked.
The number of accounts being accessed in an organisation is often underestimated – industry reports say that the average employee has 27
passwords, but a report by Lastpass showed a number nearly 7 times higher. Businesses are often not able to accurately assess how often
employees are creating new accounts, outside of the apps sanctioned and provisioned by their IT departments.
This lack of visibility makes it difficult to enforce best practises. With no oversight over the cloud apps employees use for business,
these become vulnerable entry points for attack, and there is no protection in place against exposure of sensitive corporate data.
The implementation of Single sign-on (SSO) protocols, which allow a user to login to all the accounts they use at work with a single
password, generally focuses on integrating with the most used, higher-value apps in the organisation. Additional apps are once again left to
be managed by employees, incurring the same risks.
Even multi-factor authentication will not solve all password security challenges, as it would need to be enabled for every single login in
use across the organisation to adequately prevent passwords from being an easy target for attackers.
For passwords to be secure, they should ideally be as long and complex as possible, comprising at least 14 characters and a combination of
letters, numbers and special characters. The least secure passwords are those that contain words relating to personal data of the user.
Nicknames, birthdays, pets, song lyrics and quotations should all be avoided. Hackers use password cracking software that can try out 100
billion passwords per second.
But how to remember all those hard-to-crack passwords?
The recommended solution is to use password management software such as Lastpass, which acts as a password vault to store all of a users
passwords securely behind one master password.
Once Lastpass has been implemented, it systematically collects and organises all login credentials for all accounts, giving a much more
accurate picture of the extent of passwords in circulation in the organisation.
Using a business password manager to ensure passwords are randomized and properly stored will help achieve best practise. Lastpass ensures
proper oversight and accountability for shared credentials, and can be set to rotate passwords, apply role-based permissions, add
multi-factor authentication and decommission employee credentials after they leave the organisation or change roles. This solution means
that the increase in use of apps in the workplace is no longer a threat.
For more information about the contents of this article , please contact Zaun Bhana from Leap Consulting at firstname.lastname@example.org