We recently heard an anecdote from a security executive that illustrates the need for much stronger password policies at cities. (We altered the details of the anecdote to protect our source. However, the gist of the anecdote will make his point clear.)
An organization in Georgia has 1,000 employees. During a security audit, 117 of them were found to be using the password “Bulldogs2019.” The security executive immediately put a stronger password policy in place: every employee had to reset their password, and common choices like that one are now blocked from being used again.
What’s interesting is that each employee selected their password individually, thinking it was unique! None of the 117 people knew about anyone else’s “unique” password.
In the past, we've often blogged about bad passwords (like "123456"). Encouragingly, city employees have realized that using such bad passwords is, yes, a bad idea. However, a false sense of security can creep in and make them think any other password is okay. That’s when people think of “unique” passwords like favorite sports teams, TV shows, celebrities, pet names, and children’s names.
But think about it. If you’re using words that are popular or common, then others will use them too. And hackers know this: the wordlists and cracking rules attackers use are built from exactly these choices, with a year, a digit, or an exclamation mark tacked on the end. In other words, we think we're using unique passwords, but they really aren't unique.
How do you stop this problem from occurring? Read on for three ways that you can enforce a better password policy—from good to better to best.
Enforcing the use of strong passwords avoids the issue of employees choosing common or easily hackable words and phrases. Strong passwords may be:
Strong passwords are a good tactic, but on their own they are not enough. Note that “Bulldogs2019” satisfies the usual complexity rules (upper and lower case, digits, twelve characters) and was still shared by 117 people, so the policy must also screen new passwords against lists of common and previously breached passwords rather than just count character classes. And even a genuinely strong password can be phished, reused on a site that later gets breached, or cracked offline given enough time and hardware.
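The following is an added, illustrative example and is not code from the original post or from the organization in the anecdote. It shows what a password-screening check of the kind described above looks like in practice: a minimum length, a blocklist match that also catches trivial variants (case, trailing years, “l33t” substitutions), a username check, and an audit helper that finds passwords shared across many accounts. The blocklist and the audit data are constructed samples; a real deployment would load a breached-password corpus plus local words (team names, city and agency names) instead.

```python
"""Password policy checker, loosely following NIST SP 800-63B guidance:
minimum length, rejection of common/breached passwords and their trivial
variants, no username inside the password, no single repeated character.
Added example; the blocklist and audit data below are constructed samples."""
from __future__ import annotations

import re
from collections import Counter

# Constructed sample blocklist (assumption: a real one would be a large
# breached-password corpus plus local words such as team and city names).
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "welcome", "letmein",
    "bulldogs", "falcons", "braves", "hawks",   # local sports teams
    "atlanta", "georgia",
}

MIN_LENGTH = 12

# Undo the most common letter/symbol substitutions (heuristic, not exhaustive).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(password: str) -> str:
    """Reduce a password to its base word so 'Bulldogs2019', 'bulldogs2019!'
    and 'Bu11dogs19' all map to 'bulldogs'."""
    p = password.lower()
    p = re.sub(r"[^a-z]+$", "", p)   # drop trailing year / digits / punctuation
    p = p.translate(LEET)            # undo l33t substitutions in what remains
    p = re.sub(r"^[^a-z]+", "", p)   # drop any leading punctuation left over
    return p


def check_password(password: str, username: str = "") -> list[str]:
    """Return the list of policy violations; an empty list means accepted."""
    problems: list[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Match both the raw lowercase value (catches '123456') and the base word.
    base = normalize(password)
    hit = next((w for w in (password.lower(), base) if w in COMMON_PASSWORDS), None)
    if hit is not None:
        problems.append(f"based on common word '{hit}'")
    if username and username.lower() in password.lower():
        problems.append("contains username")
    if re.fullmatch(r"(.)\1*", password):
        problems.append("single repeated character")
    return problems


def shared_passwords(audit: dict[str, str], threshold: int = 2) -> list[tuple[str, int]]:
    """Given {username: password} recovered during an audit, report base words
    used by `threshold` or more accounts, most common first. Counting by the
    normalized base groups 'Bulldogs2019' and 'bulldogs2019!' as one cluster."""
    counts = Counter(normalize(p) or p for p in audit.values())
    return [(w, n) for w, n in counts.most_common() if n >= threshold]


# Constructed sample audit data (not the real audit from the post): several
# users who each believed their password was unique.
SAMPLE_AUDIT = {
    "asmith": "Bulldogs2019",
    "bjones": "bulldogs2019!",
    "cwu":    "Bu11dogs19",
    "dlee":   "Falcons2018",
    "eperez": "Tr0ub4dor&3",
    "fkhan":  "correct horse battery staple",
}

if __name__ == "__main__":
    for user, pw in SAMPLE_AUDIT.items():
        print(f"{user:8} {pw!r:34} {check_password(pw, user) or 'OK'}")
    print("shared:", shared_passwords(SAMPLE_AUDIT))
```

Run stand-alone, the script flags every “team name plus year” password in the sample, accepts the long passphrase, and reports that three accounts share the “bulldogs” base word. The normalization step is the part a plain complexity rule misses: without it, “Bulldogs2019” looks like a perfectly compliant twelve-character mixed-case password.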
If you haven’t heard about password managers, they are tools that generate a strong, random password for each account, remember all of them for you, and keep them in an encrypted vault that is unlocked with a single master password. In other words, a password manager applies specific password best practices without you having to think about them. Your IT staff or vendor can help you roll out a password manager across your organization. Once implemented, they tend to work smoothly in the background and make your life easier.
Some benefits include:
Last year, we wrote a post titled “Two-Factor Authentication: The Benefits Vastly Outweigh Any Inconvenience.” In it, we made the case for implementing 2FA at your city and noted that, despite what you may hear about its inconvenience, logging in with 2FA is quick and does not have to be repeated many times each day. Benefits include:
Many strategies exist to avoid the issue of employees selecting, even unknowingly, weak passwords that can compromise your security. While no perfect option exists, we encourage you to explore the options discussed above and implement the strongest password policies possible. Doing nothing, though, puts your city at great risk.
Need help improving your password policies? Reach out to us today.
Original Date: 8/28/2019