
Passwords—A Gaping Security Hole You Can Easily Plug

Joe Howland, Chief Information Security Officer

Before you start reading this post, take our short password management self-assessment.

  1. Do you have your password written down somewhere on your desk to help you remember it?
  2. Do you use a simple, easy-to-remember password (such as your kid’s name, your pet’s name, or your birthdate)?
  3. Do you use the same password for many websites and applications you access?
  4. Do you share your password with co-workers just to make things easier?
  5. At work, do you save your passwords on your web browser so that you can log in without typing your password?

If you said “yes” to any of these questions (or feel as a supervisor that your employees would answer “yes”), then you’ve got a security risk on your hands.

Why? First, simple passwords are easier to crack. Nowadays, even inexperienced hackers have access to automated password cracking software, which makes short work of short, common, and simply constructed passwords.

Second, writing down or sharing passwords with co-workers may give others unauthorized access to data and applications. What if a disgruntled employee sees your password on your desk? What if someone you think is a trusted employee uses the password you share with them to gain access to unauthorized information?

Finally, even saving passwords on your web browser (like you do at home) is not wise when working for a municipality. All it takes is an unauthorized person to sit at your computer or a hacker to gain access to your device to access sensitive information on applications that you use.

So, what do you and your employees need to do? Implementing the following best practices will help plug these security gaps.

1. Do not write passwords down and leave them visible.

This is an easy security tip, but you need to make sure employees follow it. One tool that can help eliminate this problem is a password manager, which enforces the use of complex passwords, stores them securely, and automatically enters them when you log into applications. A reputable password manager can help employees avoid the temptation of writing down their passwords on sticky notes.

2. Use a password on all devices.

Many employees use passwords on their desktop computers, but it’s easy to forget to set up a password on laptops, tablets, and smartphones. Mobile devices are perhaps an even easier target for stealing information. A thief or disgruntled employee can steal a smartphone in seconds and quickly gain unauthorized access to municipal email and applications. Protect all devices with passwords.

3. Do not use simple or obvious passwords.

Instead, use strong passwords such as long passphrases (like “The brown fox is 2fast!”) or complex passwords consisting of a mix of letters, numbers, and special characters. Strong passwords go a long way toward preventing hackers from getting into municipal applications. And if your password is one of the top 25 worst passwords below (according to NordPass), change it NOW!

1. 123456
2. 123456789
3. 12345
4. qwerty
5. password
6. 12345678
7. 111111
8. 123123
9. 1234567890
10. 1234567
11. qwerty123
12. 000000
13. 1q2w3e
14. aa12345678
15. abc123
16. password1
17. 1234
18. qwertyuiop
19. 123321
20. password123
21. 1q2w3e4r5t
22. iloveyou
23. 654321
24. 666666
25. 987654321


4. Do not save passwords to websites and applications.

You may do this so that you can easily stay logged into your favorite websites and applications. However, if someone gets access to your device, then they can gain access to unauthorized information without even needing to crack a password. While web browsers have gotten better with password security, some exploits have targeted these cached passwords within the browsers.

As stated above, we recommend using a password manager that stores and encrypts passwords much more securely than a web browser. Also, enforce a policy at your municipality that employees cannot save passwords on even their most frequently used applications.

5. Change passwords regularly.

Yes, this annoys employees, but it helps with security. The longer a password is in use, the more likely it is that hackers will be able to crack it. The more often you change passwords, the more difficult you make a hacker’s job. Many cyber criminals focus on user credentials as the key to their cyberattacks. Once inside your systems, they can then attack you in more complex ways.

This is why phishing attacks are so common—and successful. They work. People are gullible and often hand over usernames and passwords without realizing it—such as when they are fooled by a fake login site. It doesn’t matter how complex a password you’ve created if you end up handing it over to a criminal. By changing passwords regularly, there’s a better chance that a stolen password has only a limited useful lifespan.

6. Do not use the same password for all systems you access.

We know—another annoyance! But think about it. Let’s say an employee uses the same password for five different software applications that give access to confidential information at your municipality. If a hacker or disgruntled employee gets one password, then they have access to all five applications. Mitigate the chance of a data breach by requiring different passwords for each application.

7. Use multi-factor authentication whenever possible.

Many applications now offer the option of setting up multi-factor authentication (MFA), the process of adding another layer of protection to your security in addition to a username and password. For example, MFA may require you to first enter your username and password as normal. Then, you will get a code to your phone and input that code into a field that appears after you log in. In other words, you’ve added another “factor” of authentication that makes it more difficult for hackers. Even if a hacker gets your username and password, they must still have your phone in order to break into your application.

---

Cybersecurity continues to evolve. In the future, passwords may go away and get replaced by different forms of authentication. Certain password-less methods that center on something you own (such as a smartphone) or something you are (such as a fingerprint or retinal scan) have been around for a long time. If these methods become more mainstream as factors of authentication, then the need for passwords may go away.

In the meantime, passwords are here to stay and they often represent a gaping security hole for hackers. By following the best practices outlined above, you will make your municipality’s cybersecurity much stronger.
