Password policies can be frustrating for you and your employees, and many companies do a poor job explaining why they should be in place. Here’s how they help your business stay safe from security threats.
The One Key to Rule Them All
Sometimes people need to provide a spare house key to someone so that person can access their home. Maybe they have a pet sitter or a house cleaner who visits, or the neighbors have a spare in case of an emergency. Maybe they’ve provided one to trusted family members or friends, or even lent a key to someone for one-time use but forgot to get it back.
Imagine this describes you. Now imagine that key had your address printed on it, and also allowed access to your credit cards, file cabinets, and personal safe. How many copies of that key would you hand out before you started to think it might be time to change the locks?
Most likely, your answer to this is either one or two. Unfortunately, your employees aren’t this careful. In fact, many of them have handed out master keys like this to dozens of companies.
Don’t Make a Master Key to Your Life
According to a study by security firm McAfee, the average consumer has 23 online accounts. One-third of consumers use three or fewer total passwords for all of them. In some cases, users have only a single password that unlocks dozens of online accounts.
Imagine that an employee’s daycare provider, pizza delivery, or dog walker’s website gets hacked, and their login credentials on that site are (1) their email address and (2) the same password they use on every other site. The hacker will now be able to log in to their accounts at dozens of major websites with the exact same username and password.
For instance, if the employee uses Amazon, Dropbox, and Gmail, the hacker now has access to all of those accounts. That means the hacker can enjoy a shopping spree with their credit cards, view their personal files and read all of their email correspondence. This is all because one local small business had poor password security.
It’s not just personal data that can get stolen, however. With minimal work, the hacker also has your employee’s work login and password. That’s because it’s easy to guess most companies’ computer logins by simply looking at the way their employees’ email addresses are formatted. If your employee is recycling a password from an online account that gets hacked, then the hacker has all they need to gain access to everything on your network that this employee can access (unless you’re using multi-factor authentication).
This is why it’s so important for employees to use unique passwords for each of their work-related accounts, even though it can be more cumbersome and frustrating than having only a couple of passwords.
Change Your Passwords Regularly
You also want to make sure your users change their passwords periodically. Here’s why.
This is a (long) list of major organizations that have either (1) been hacked, (2) lost computers with password lists, or (3) accidentally published passwords online. This list represents more than 10 billion user accounts – more accounts than the number of people on Earth. Some companies even managed to lose millions of passwords multiple times, including Facebook, JP Morgan Chase, Citigroup, AOL and Yahoo.
If your employees had an account on these sites, the odds are good that their login information is floating around on the Dark Web for purchase. If you require a password change every 90 or 180 days, however, only a handful of hacks (the most recent ones) are likely to have exposed passwords that are still in use on your network.
Forcing password changes also makes it far less likely that your users will have a recycled password for their work login. Their first work login might be recycled, but once they’ve been forced to change their password a few times, they will be out of passwords to recycle. They will be forced to come up with a unique password, which will improve your company’s security posture dramatically.
Do you want to learn more about how WingSwept can help protect your business network from security threats such as recycled employee passwords? Give us a call at 919-460-7011 or email us at Team_WingSwept@WingSwept.com and ask about our Managed IT Services offering.