Passwords—a gaping security hole you can easily plug
By JOE HOWLAND
VC-3 Chief Information Security Officer
Before you start reading this post, take our short password self-assessment:
- Do you have your password written down somewhere to help you remember it?
- Do you use a simple, easy-to-remember password (such as your kid’s name, your pet’s name, or your birthdate)?
- Do you use the same password for many websites and applications you access?
- Do you share your password with co-workers just to make things easier?
- At work, do you save your passwords on your web browser so that you can log in without typing your password?
If you said “yes” to any of these questions then you’ve got a security risk on your hands.
Why? First, simple passwords are easier to crack. Nowadays, even inexperienced hackers have access to automated password cracking software, which can easily crack short, common, and simply constructed passwords.
Second, writing down or sharing passwords with co-workers may give others unauthorized access to data and applications. What if a disgruntled employee sees your password on your desk? What if someone you think is a trusted employee uses the password you share with them to gain access to unauthorized information?
Finally, even saving passwords in your web browser (as you might do at home) is not wise when working for a municipality. All it takes for sensitive information to be exposed is an unauthorized person sitting at your computer or a hacker gaining access to your device.
So, what do you and your employees need to do? Implementing the following best practices will help plug these security gaps.
Do not write passwords down and leave them visible.
This is an easy security tip, but you need to make sure employees follow it. One tool that can help eliminate this problem is a password manager, which enforces the use of complex passwords, stores them securely, and automatically enters them when you log into applications. A reputable password manager can help employees avoid the temptation of writing down their passwords on sticky notes.
Use a password on all devices.
Many employees use passwords on their desktop computers, but it’s easy to forget to set up a password on laptops, tablets, and smartphones. It is perhaps even easier to steal information from mobile devices. A thief or disgruntled employee can steal a smartphone in seconds and quickly gain unauthorized access to municipal email and applications. Protect all devices with passwords.
Do not use simple or obvious passwords.
Instead, use strong passwords such as long passphrases (like “The brown fox is 2fast!”) or complex passwords consisting of a mix of letters, numbers, and special characters. Strong passwords go a long way toward preventing hackers from getting into city applications.
Do not save passwords to websites and applications.
You may do this so that you can easily stay logged into your favorite websites and applications. However, if someone gets access to your device, then they can gain access to unauthorized information without even needing to crack a password. While web browsers have gotten better with password security, some exploits have targeted these cached passwords within the browsers.
As stated above, we recommend using a password manager that stores and encrypts passwords much more securely than a web browser. Also, enforce a policy at your municipality that employees cannot save passwords on even their most frequently used applications.
Change passwords regularly.
Yes, this annoys employees, but it helps with security. The longer a password is in use, the more likely it is that hackers will be able to crack it. The more often you change passwords, the more difficult you make a hacker’s job. Many cyber criminals focus on user credentials as the key to their cyberattacks. Once inside your systems, they can then attack you in more ways.
This is why phishing attacks are so common—and successful. They work. People are gullible and often hand over usernames and passwords without realizing it—for example, by getting fooled by a fake login site. It doesn’t matter how complex a password you’ve created if you end up handing it over to a criminal. By changing passwords regularly, you increase the chance that a stolen password’s value has a limited lifespan.
Do not use the same password for all systems you access.
We know—another annoyance! But think about it. Let’s say an employee uses the same password for five different software applications that give access to confidential information at your municipality. If a hacker or disgruntled employee gets one password, then they have access to all five applications. Mitigate the chance of a data breach by requiring different passwords for each application.
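The "strong password" rule above (a long passphrase such as “The brown fox is 2fast!” or a shorter mix of character classes) and the "no reuse across systems" rule can both be enforced by a small policy check. The following is an added illustration, not code from the post or from VC-3; the common-word list and the stored-password records are constructed sample data, and a real deployment would check against a breached-password list.

```python
from __future__ import annotations
import hashlib
import hmac
import os
import re
import string

# Constructed sample of "simple" passwords the post warns about (pet names, common words).
COMMON_WORDS = {"password", "welcome", "letmein", "fluffy", "123456"}
# Rejects birthdate-style fragments such as 1982, 2024, 03/14/90.
DATE_RE = re.compile(r"(19|20)\d{2}|\d{2}[/-]\d{2}[/-]\d{2,4}")

def is_strong(password: str) -> tuple[bool, str]:
    """Accept a long multi-word passphrase OR a 12+ character password mixing classes."""
    if password.lower() in COMMON_WORDS:
        return False, "common word"
    if DATE_RE.search(password):
        return False, "contains a date-like pattern"
    # Passphrase route: at least four words and 16 characters.
    if len(password) >= 16 and len(password.split()) >= 4:
        return True, "passphrase"
    # Complex route: 12+ characters drawn from at least three character classes.
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if len(password) >= 12 and sum(classes) >= 3:
        return True, "complex"
    return False, "too short or too few character classes"

def fingerprint(password: str, salt: bytes) -> str:
    # Slow salted hash so the reuse check never stores or compares plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()

def store(password: str) -> tuple[bytes, str]:
    """Record a password for one system as (salt, fingerprint)."""
    salt = os.urandom(16)
    return salt, fingerprint(password, salt)

def reused_elsewhere(password: str, history: dict[str, tuple[bytes, str]]) -> list[str]:
    """Return the systems whose stored fingerprint matches this candidate password."""
    return [
        name for name, (salt, fp) in history.items()
        if hmac.compare_digest(fingerprint(password, salt), fp)
    ]
```

Running `is_strong` on the post's own example passphrase accepts it, while a date-bearing password such as Summer2024! is rejected even before the reuse check finds it on two systems.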
Use multi-factor authentication whenever possible.
Many applications now offer the option of setting up multi-factor authentication (MFA), the process of adding another layer of protection to your security in addition to a username and password. For example, MFA may require you to first enter your username and password as normal. Then, you will get a code to your phone and input that code into a field that appears after you log in. In other words, you’ve added another “factor” of authentication that makes it more difficult for hackers. Even if a hacker gets your username and password, they must still have your phone in order to break into your application.
Cybersecurity continues to evolve. In the future, passwords may go away and be replaced by different forms of authentication. Certain password-less methods that center on something you own (such as a smartphone) or something you are (such as a fingerprint or retinal scan) have been around for a long time.
In the meantime, by following the best practices outlined above, you will make your municipality’s cybersecurity much stronger.