How secure is your password? Probably not very, to be frank. The past few years have seen one security breach after another, and together they have exposed millions of passwords. The most notorious recent example was the Adobe breach of 2013, which compromised more than 150 million passwords.
Bad as they are, these breaches allow us to see which passwords are most popular . . . and it’s a tale of woe. At the top of the list is the impossible-to-crack “123456,” which in 2013 finally displaced good old “password” after its long run at #1. Other favorites — used by hundreds of thousands of corporate professionals, mind you — include “qwerty,” “abc123,” “iloveyou,” and the delightful “111111.” (We’ve collected these and other gems in our “Top 10 Fascinating Facts About Passwords” e-book.)
Why You Should Care about Password Security
Because some of those otherwise sane people using “abc123” as the password for a sensitive business app work for you, that’s why. The history of security breaches shows that hackers don’t limit themselves to just the Adobes of the world; companies of all sizes are ripe for the picking. In fact, according to Verizon’s “2013 Data Breach Investigations Report,” companies with fewer than 1,000 employees are likely more susceptible to password-related hacking than their larger brethren.
What happens if you do suffer such a breach? Nothing good. At a minimum, it will force you to spend lots of time and money chasing down the details: where and when did the breach occur, which systems or accounts were compromised, and so on.
If a data breach puts sensitive information into the wrong hands, your company could lose its competitive advantage around key customers or products in development. If you’re “lucky” and it’s only customer account data that’s compromised, you still have to go and notify all of the people affected. Regulators are pretty serious about enforcing the rules about those disclosures, just as they are about levying fines for failing to comply with data-security standards.
And then there’s the negative PR. We can all agree that this one speaks for itself.
Why Is Password Security So Bad?
Most of us would agree that “password” is a ridiculously insecure password — yet it was used by more than a third of a million account holders affected by the Adobe breach. At some level, it’s easy to understand why. Even though we have the rules for creating strong passwords drilled into us at every turn, strong passwords are much harder to come up with, type, and remember than something simple like your dog’s name plus the year you graduated college. We know better, but we don’t do better.
It gets even worse when you consider the proliferation of apps and accounts that most of us deal with in the average week. You know the color bar that some apps use to show you how strong your password is when you first enter it? In theory, you should come up with a different strong password that turns the bar green for every single account you have. But it’s not easy to remember whether “8ost0n-R3dSox” is for your Salesforce account and “B0ston*R3d5ox” is for the payroll system, or vice versa.
That’s why people record their passwords on a sticky note stuck to their monitor, on a sheet of paper hidden in a desk drawer, in a spreadsheet called “Passwords,” or simply in the cache of their browser. In case it’s not obvious, each of those methods presents a security risk, no matter how strong the individual passwords are.
What You Can Do about It
It’s very unlikely that you’re going to be able to change human nature, so you can give up on the idea that your company’s employees will suddenly become more conscientious about their password practices. The person who can reliably remember whether it was “8ost0n-R3dSox” or “B0ston*R3d5ox” is rare, to say the least.
By all means, keep reminding your staff of the good security policies you have in place, and review security measures with them at regular intervals. But also understand that you will have to take alternate measures, especially with the technology you deploy.
One key step is to move your employees onto a single sign-on (SSO) system that takes away the clutter of passwords. When you use SSO, people don’t need the sticky notes and the spreadsheets of passwords anymore, because everything is housed in that one highly secure system.
Yes, each staff member will have to remember one strong password — but just the one. The best SSO systems minimize the risk of that password being compromised by using an additional authentication step such as a biometric identifier (e.g. a fingerprint), a keycard, or a one-time-use passcode delivered through a separate channel (e.g. via text message).
You also want to make sure that the SSO follows your people wherever they go. Just as today’s cloud-based applications can be used from any computer, tablet, or smartphone, cloud-based SSO systems can provide the same flexibility and mobility for your workforce.
SSO systems allow your IT department to monitor centrally for anything suspicious, and to generate the reports that the regulators need to see for compliance purposes even when everything is going well. These systems also make it easy for the IT team to onboard new employees when they join the company, and to remove access to everything at a moment’s notice when anyone leaves.
Data security risks are growing every day as we all use more apps across more devices to do our jobs. But your business doesn’t need to join the ranks of the breached. Preach good security practices to your people — but back up that message with SSO technology that will save them from the temptation to entrust your company’s sensitive data to “abc123.”