SMBs have a lot to lose if they don’t put password security policies in place.
By Terri Coles
Password security requirements become more daunting all the time: first a required number of characters, now the required inclusion of numerals and symbols and restrictions on letter combinations. But considering how much information just a single insecure password can reveal, the rules seem to be a necessary evil.
For businesses, the problems begin when those rules become so onerous that employees find ways around them, or compromise security in different ways in an effort to remember their increasingly complicated passwords for a growing number of devices. How can smaller businesses strike a balance between ensuring their sensitive information is protected and making the rules simple enough that their employees will abide by them?
Why password security matters
One thing is clear: password security is an important issue for small and medium businesses. “Protecting user credentials and passwords” was cited as the second-most important security concern by SMBs in a recent survey conducted by Penton.
Password security is a concern, too, as companies consider embracing Bring Your Own Device, or BYOD, policies for their employees.
“For an employer, they’re going to have enforceable rules on their own assets,” says Troy Hunt, an expert in online security and author of technology courses for Pluralsight.
Companies support those rules with policies that vary from business to business but typically include restrictions such as requiring that passwords be changed regularly, preventing users from reusing a recent password, and so on. Common standards today include requiring passwords to be at least eight characters long, to contain both lowercase and uppercase letters, and to contain numbers and/or symbols as well as letters, he says.
These restrictions serve an important purpose: they make it harder for an attacker to compromise individual accounts. But businesses need to consider whether the rules can become counterproductive, Hunt says.
The ideal password is something that’s both strong and unique; the more logins a person has, the harder that is to achieve. By the same token, the more work-related accounts your employees have, the greater the chances their passwords won’t be as secure as they should be.
If a password is too complicated, or changes too frequently to be remembered, people will find ways to keep it handy, Hunt points out. Those behaviors, such as writing it on a sticky note on their desk or using a password that changes by just a character or two on each update, can present security concerns of their own.
“You have to give people the tools to actually adhere to the policy,” Hunt says. “Either you have to compromise on [password] strength or reuse or you have to manage them, which is when your password manager comes in.”
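The policy rules above (minimum length, mixed case, digits or symbols, no reuse of a recent password) and the weak-rotation habit Hunt describes (a password that "changes by just a character or two") can be checked together at password-change time. The following is an added example written for this article, not code from Hunt, Pluralsight, or any product named here; the history depth and the near-duplicate threshold are assumptions, since the article gives no numbers.

```python
"""Password-policy checker for the rules described in the article.

Added example: enforces the common standards quoted (8+ characters,
lower and upper case, digit or symbol, no recent reuse) and also flags
a new password that differs from a recent one by only a character or two.
"""
import string

MIN_LENGTH = 8                # "at least eight characters long"
MAX_HISTORY = 5               # assumed history depth (not from the article)
NEAR_DUPLICATE_DISTANCE = 2   # "changes by just a character or two"


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insertions, deletions, substitutions) between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_password(candidate: str, recent: list[str]) -> list[str]:
    """Return the list of policy violations; an empty list means accepted.

    `recent` holds the user's previous passwords, newest first. A real
    system only has the current password in clear at change time (the user
    supplies it) and stores older ones as hashes; plaintext history is used
    here purely to keep the example self-contained.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in candidate):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in candidate):
        problems.append("no uppercase letter")
    if not any(c.isdigit() or c in string.punctuation for c in candidate):
        problems.append("no digit or symbol")
    for old in recent[:MAX_HISTORY]:
        if candidate == old:
            problems.append("reuses a recent password")
            break
        if levenshtein(candidate.lower(), old.lower()) <= NEAR_DUPLICATE_DISTANCE:
            problems.append("differs from a recent password by only a character or two")
            break
    return problems
```

The near-duplicate check is what turns a rotation policy from a box-ticking exercise into one that actually produces a different password each time.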
How password managers help
A password manager is a service that stores all your login credentials, usually in encrypted form, in a single vault protected by one master password; that one password is then all you need to remember to reach your other password-protected accounts and services. Such services are popular with individual consumers, who have to manage a variety of passwords in their non-work lives, but many vendors also offer enterprise versions aimed at businesses that want to provide the service to employees for their work-related accounts.
There was some concern when LastPass, a popular password manager, was compromised earlier this year, exposing email addresses, password reminders, authentication hashes, and data added to passwords to make them harder to crack. The cryptography applied to passwords is so secure that your information still could not have been easily deciphered, Hunt says—unless you were using particularly weak passwords.
Using a password manager does amount to putting all one’s eggs in a single basket, Hunt concedes, but he also points out that it’s a basket you’re watching closely. Employers should work on providing their employees with password-management tools that help people use strong passwords that they can actually remember and use securely, he says.
“I would still rather, any day of the week,” Hunt says, “commit my password to one very safe manager than to rely on memory.”
This article was underwritten by HP: Introducing HP BusinessNow, the right technology to help your business grow. To register your business for a $25,000 tech makeover please visit: http://www8.hp.com/us/en/solutions/businessnow/contest.html