Tip #9: Protect against personal passwords.
Data breaches are now seemingly part of everyday life. Hackers want personal data and passwords, both plaintext and encrypted, exposed — sometimes by first getting a hold of an employee’s password on their personal email or social media account.
From an internal security standpoint, you might ask, “My Company’s data hasn’t been breached. Why should I care?” There are two primary reasons:
- Password reuse
- Credential stuffing
Individual users commonly reuse passwords among different services. While your password data may not have been breached, a password one of your employees used for another resource may have.
Credential stuffing is the process of taking a user’s breached password and “stuffing” it into the login for many, perhaps hundreds, of sites — looking for sites where the same password was reused. If successful, the threat actor now has access to that user’s resources, perhaps their online banking portal or other critical and sensitive information. Those hundreds of sites could include your external login portals.
Additionally, modern hardware is capable of cracking encrypted weak passwords in very short order. The “protection” provided by encryption is no longer a reliable protection for passwords.
Steps you can take
What can companies do to protect themselves from these issues? There are three primary things that can be done:
- Use password managers: Password managers help employees generate strong, unique passwords for each and every resource an employee uses without the burden of having to remember a bunch of different passwords. This helps prevent credential stuffing when a password for a particular resource is breached; the breach of one now does not mean the breach of many.
- Setting “good” passwords: In the absence of a password manager to help randomize unique passwords, selecting properly constructed passwords is important. Do not use common constructs like years, seasons, months, sports teams and other easily guessable strings that would make it easier for a threat actor to guess or crack the password. Again, password managers help in this regard by generating unique randomized passwords that do not suffer from the issue of reuse.
- Training: Employees should be trained in the use of a password manager if one is provided by the company, and in the selection of good passwords regardless. Employees should be taught why password reuse and credential stuffing are problems and that these issues extend past their work life. All the same issues apply to them personally as well.