In our first Cybersecurity 101 blog of this series, we asked you for just 97 seconds, which is actually the same time an average hacker needs to crack your average password.

Password security is a much more personal theme to discuss around cybersecurity. Your business can pay for firewalls, install top antivirus software and use the latest endpoint monitoring, but in truth it will all go to waste if one member of your team lacks “Secure Password Culture”. We have chosen SPC because if you can change the internal culture of our staff around password security, that first line of cyber defense will become ever safer.

There are thousands of articles around password security available online. We are pooling some of the more practical ideas and  adding our experience in cybersecurity as a Managed Security Service Provider, and we hope to offer some key points that will help promote that Secure Password Culture throughout your business. Some shocking facts about passwords, some do’s and don’ts, and some practical password choice tips and suggestions, are all included in this week’s blog. One great article that I would like to reference is by Lily Teplow, Public Relations and Media Specialist at Continuum, where she says: “Passwords are the first line of defense against malicious activities in the digital space.” Lily Teplow – Continuum

Secure Password Culture 101

The fact that the most simple of online accounts are now insisting that your password reaches their required security levels, indicates that password security is finally being recognised as the font line of cyber protection. The main problem that we hear from clients involves comments that describe terrible difficulties in password management, I use the term “terrible” in a slightly sarcastic way here. Some of these difficulties are described as follows: “I already have 4 other passwords to remember”, “Why can’t I use the same password for all of my accounts”, “how is that possible, only my staff know that password” and the classic “you are our IT provider, you should have a list of our passwords”. All of these demonstrate a need for certain adjustments in our way of thinking when it comes to passwords.

First of all, as a business owner you should compare the hundreds of hours that could be stolen from your company in the event of a data breach, with the couple of hours that it takes to create a safe password policy for your staff. In actual fact, there are very few elements involved in creating that password policy. It could easily be built around a set of simple questions:

• Who has passwords to which company accounts? Who really needs them?

• How strong (complex) do our passwords need to be? How do we measure that strength?

• What is the best/safest password structure? How can that also be user friendly?

• How often do passwords need to be updated? How can we enforce that company wide?

• How can understanding cybercrime help to promote our Secure Password Culture?

Who has passwords to which company accounts? Who really needs them?

Many of our suggestions will be easier to implement in small and medium sized businesses, but the same principles apply to team of 3 or 100 members. Much of your important company data will be stored in accounts that offer shared access, to multiple users, but over a period of time the password policy may have lost some coverage, and that now needs addressing. Individual accounts within a business are not the same as personal accounts that employees use for all of their personal data and cyber activity. We are not discussing the incorrect usage of personal accounts for company data today, but needless to say many GDPR breaches are related to this bad habit. Our focus is on that secure password culture for all business account passwords whether they are shared or individual. Your first real step in the right direction will annoy a number of people but it is necessary to progress with your password initiative. From your position of company admin, you must compile an exact list of who has access to passwords for all the different business accounts, why they have them and if they really need them. You will be surprised just how many extra people have the “keys to your business”. Once you have this knowledge up to date you can start to construct and implement your password improvement plan.

How strong (complex) do our passwords need to be? How do we measure that strength?

We cannot offer concrete rules about how to construct the perfect password, but we can consider some great tips on best practices for your business security. On the point of strength of password, obviously a combination of 20 digits that includes all possible permutations of capital and lowercase letters, numbers and symbols would be fantastic, but at the same time almost impossible for a user to remember, thus forcing them to write it down and the whole original purpose is then lost. You can ask a number of trustworthy websites online just how solid your password is, other sites can help you create a formula for safe passwords. It cannot be an exact science as cybercrime is also evolving but it is wise to check your passwords. Here are a couple of examples to help you think about your own Secure Password Culture (I put these in online to check): princess and football were in the to 20 of 2018’s most used “rubbish” passwords in the UK and both would take 0.4 seconds to crack , whereas qwerty and 123123 are slightly less rubbish at 1.1 seconds. At the other extreme when you start to combine elements your security vastly improves: 1966@Bobby@Moore is at 586 Trillion years to crack or even My#Toast#Marmalade55 is sitting at 1 Trillion years, both very solid and not too complicated for the end user. At the end of the day, the system and design of the password structure is your choice, let’s talk about how to achieve the required levels of security.

What is the best/safest password structure? How can that also be user friendly?

Again there are many practical suggestions available around choice of password structure and rather than suggest the “best” option it is good to consider the most practical for your team. The worst option is clear, everyone does their own thing, using single passwords across multiple accounts, mixing business and personal and never updating passwords over time. That is easy to achieve, and is the standard password model for millions of small businesses across the globe. Not for you and your business though.

There are systems that choose 2 or 3 completely random words, easy to remember but in no way related to you personally. Not your kids’, pets’ or towns’ names. No numbers related to your personal information; date of birth, wedding dates or special years. Those 2 or 3 random words are then connected by random symbols or numbers. Sounds complicated? Not really, for example: grave, pancake, indigo then becomes Indigo#Pancake#Grave7724 (don’t use any of these as this is public) you have taken 3 random words and created a 24 digit unbreakable password, which you could easily remember after 5 or 6 uses. Another popular method is the simple phrase password: Open Custard Creams (the action of splitting a biscuit that is very popular in the UK) if you add in numbers and capitals to the phrase you will also have a very safe, original password: 9opeNcustarDcreamS, again, a very safe password. You might choose to discuss you company password policy with your key team leaders, and then share the good news with the entire team. Many clients have chosen our centralised password management software, in our monthly support packages.

How often do passwords need to be updated? How can we enforce that company wide?

Most online application management systems, and in-house systems at admin level now offer and even suggest password policies. These include some points that we have just mentioned such as password length and configuration, password strength monitoring and even stolen password alert systems. They can also enforce device lock-down after 3, 4 or 5 wrong password attempts, securing the device or the account being logged into. One important feature that is now available involves two related aspects of password management.

Firstly you can avoid constant automatic logins, where day after day your users login to their desktop or laptop and are automatically logged in to everything via their web browser. Yes this is handy for the user, but it becomes a cyber security risk very quickly. Most admin panels will now allow you to set a time limit in which the user will be forced to login with their password. Again as an MSSP many clients call the helpdesk and say: ” I just don’t understand, I never have to login to Outlook, and today it is asking me for my password!” That is a fine example of security awareness and the benefits of Secure Password Culture, each team member will have to move with the company policy.

The other key question there is what about actually changing or updating passwords. Let’s be quite transparent about this point. If your password has been hacked, shared, lost, gifted, call it what you want. The new shared owner of your password now has the keys to your digital home! What would you do in real terms if your house keys were blatantly stolen: A. Do nothing and believe that you are safe. B. Wait and see if anything bad happens to your home or C. Change all your locks at home to protect your family, and maybe even increase your home security. If you answered A or B this link will take you back to the start of the article! Now, answer C is the only safe option. So if your are aware of a password breach, or even feel a doubt about the safety of a certain business password, the very first action is to change that password, immediately.

Other than serious password breach situations, companies are starting to request password changes every few months, for the simple reason that company passwords might well have been stolen without you knowing. If they are up for auction on the Dark Web they will not be used immediately. They may sit out there for weeks until the right cyber criminal wants data from your business. So if you have a quarterly password update policy your add an extra layer of security to your front line. There is an exception to that practice, because if “Brian in accounts” is going to change from Brian1 to Brian2 and then go all out to BRIANTHREE, then all that we have discussed previously has already been ignored and password updates will be a waste of time.

How can understanding cybercrime help to promote our Secure Password Culture?

We have now discussed 4 sets of key questions around SPC, and that secure culture is something that needs the right processes to permeate every corner of your business. It is also good to understand just a little about how password hackers think or operate, and maybe understand why the measures that we have mentioned are so effective. Here are just 3 common methods to ponder over:

• Guessing: It was always fun to try and solve a numerical bike chain or your mates 4 digit locker number back at school. You would spend a good time spinning the numbers to see if you could crack the code. Modern criminals have software the crunches millions of numbers and possibilities in seconds. The easier or lazier your password is, the faster your identity will be stolen or your business will be in breach of GDPR.
• Phishing: Ah, those dodgy emails that everyone is warned about. Not only emails, websites that ask for your password to open a certain account or download a free gift voucher, there are millions of phishing schemes onlines, with the unique goal of knowing your passwords. Be careful. You must have a look at this video to really understand how easy we can make it for them: How Private is your Personal Information? 
• Shoulder Surfing: There are just a few of us at the office, so I decided to investigate this further. Whenever you tap your password in to your phone or device in any public space, someone could easily be watching or even filming your screen. Before you know it you have gifted your private password to a stranger. In larger corporate offices, you never know who is looking over your shoulder or what their intentions are, so please take this aspect seriously. Don’t forget your debit card PIN number is a password, if you share it, you are open to suffer the consequences.

We have mentioned this before in previous Cybersecurity 101 Blogs, but is is so important that we have this in mind. Cybercriminals do not care who you are, what you do or what your business is. Their major business is getting hold of your  personal and business data. Your business data also includes every digital detail that your company holds about all of your prospects, clients, suppliers and even employees. What would happen to your business if, through fault of one weak, old, shared and now breached password, all of that data became public?

What are the concluding Do’s and Don’ts that you have been able to identify, shall we choose 5 and 5 to get started:

DO:

1. Take Password Security Seriously – create different passwords for different accounts
2. Keep personal and business passwords completely separate
3. Be aware of any forms of phishing or shoulder surfing, protect your passwords 
4. Follow the company password policy: Length and strength criteria and periodical changes of passwords
5. Act today: Change those weak or publicly shared passwords and let security give you peace of mind

DON’T:

1. Be Password Lazy – Easy passwords, written on post-its, gifts for hackers
2. Store all of your passwords on one “secret” document on your PC or Mobile phone
3. Tell websites or applications to “always remember your password”
4. Give up your passwords to anyone, even your manager has no need to ask for your password
5. Share passwords via text message or email or online for any reason

Please do have a look at our website yourcloudworks.com drop us a phone call if you would like to discuss cybersecurity or Business IT Security and Support. I you have found this article beneficial, please feel free to share with a friend, or your team members. Don’t miss out on your FREE Dark Web Business Identity Scan here below.

Now you can request you FREE Dark Web Business Identity Scan. This scan will help you to answer some of the Cybersecurity questions raised in this article. Find out if your company has already suffered data breaches, and your credentials are available on the Dark Web.