Poor password policies are killing companies: 10 ways to fix it

A recent survey shows that when it comes to password policies and revoking credentials, many companies are getting a failing grade – and some of the worst offenders out there are in the IT department.

Lieberman Software polled security pros attending the 2014 RSA Conference to learn a little more about credentials and passwords. The results? Pretty alarming.

According to the survey, 13% of the IT pros in attendance said they could still access a former employer’s systems using their old usernames and passwords. Of those who could:

  • 23% said they could access the systems of their previous two employers, and
  • 16% were able to log on to the systems of every company they had previously worked for.

Any user who can still reach a former employer’s systems poses a major risk. And because the respondents were IT professionals, many of those lingering accounts were privileged ones, which shows just how flawed privilege management can be in practice.

Why it matters

Insider threats are obviously a serious problem. And when employees leave a company, it’s not always on the best terms. That provides motive and opportunity to try to make off with sensitive data on the way out the door.

But this also points to a larger problem: weak password policies as a whole are a major threat to security.

According to a recent Trustwave report, poor passwords were the initial intrusion vector in 31% of the compromises the firm investigated last year. Weak or default passwords were especially problematic.

The problem extends beyond the password itself. Analysis of credentials exposed in a recent breach found that the username “admin” appeared 17,801 times, far more than any other username. A predictable account name does half of an attacker’s work: the only thing left to guess is the password.

Companies are also dropping the ball on rotating credentials. According to Lieberman Software, nearly a quarter of respondents said they change their passwords less often than the 90-day interval the survey treated as the recommended maximum.

Credential best practices

Companies need to take access and privileges more seriously. That much is obvious.

Here are things you can do to help keep your systems safe and properly verify users:

  1. Use multi-factor authentication. If users must present a second factor, such as a one-time code or a hardware token, in addition to their password, a stolen or guessed password alone is no longer enough to log in.
  2. Lower the lockout threshold. A reasonable rule is to lock an account after at most 10 consecutive incorrect guesses; a higher limit leaves you open to online brute-force attempts. Two caveats: lockout only slows an attacker guessing against your live login, not one cracking a stolen password hash offline, and an attacker can deliberately trip it to lock legitimate users out, so prefer a timed unlock over a permanent one.
  3. Revoke credentials immediately. IT should be told when users leave, as a matter of policy, so they can quickly and completely revoke every credential that user held, including any shared or service-account passwords the person knew – whether they are simply moving on to a new job or have been let go.
  4. Prohibit sharing. No two users should share an account name and password. Shared credentials make it impossible to tell who did what, cannot be revoked for one person without resetting them for everyone, and may also violate your provisioning policies.
  5. Keep away from the dictionary. Some users assume that an obscure or unusual word will deter guessing. An obscure word is harder to guess than a common one, but cracking programs can try combinations of words taken from the dictionary, and even from the Bible, against passwords up to 55 characters long, and they routinely undo tricks such as appending a year or swapping letters for digits. So your best bet is to …
  6. Include a variety of characters. Upper- and lower-case letters, numbers and symbols make a password harder to brute-force, and length matters at least as much: every extra character multiplies the search space.
  7. Force resets. If you rely on users to change their passwords on their own, you will be disappointed with the results. Schedule regular password resets that require users to choose a new password. One caveat: users who are forced to change often tend to make predictable edits (incrementing a trailing number, say), so a reset only helps if the new password is checked against the rules above.
  8. Monitor for unusual activity. Is someone logging on late at night? From unfamiliar locations? Are there repeated failed attempts against one account, or one source failing against many accounts? These can be signs that it is not the user but someone trying to guess, or use, a stolen password.
  9. Include outsiders. In-house staff probably aren’t the only ones who can reach your systems. Remember part-time workers, contractors and vendors who have been granted access, too. Their accounts should be subject to the same controls, and to the same revocation when the engagement ends.
  10. Don’t forget about IT. The users with the most access to sensitive information are often the ones in your own department. Make sure they are subject to the same rules and the same strict password policy, and that shared admin accounts, service accounts and default passwords on appliances are covered by it as well.
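The following password checker is an added example for items 5 and 6; it is not code from the article or from Lieberman Software. It mimics what a cracking rule set does before a dictionary lookup (strip leading and trailing digits and symbols, undo common letter-for-digit substitutions) and then asks whether what is left is made only of dictionary words, alongside the length and character-class checks. The word list, banned list, thresholds and sample passwords are small constructed stand-ins.

```python
"""Password-composition checks for items 5 and 6. Added example, not the
article's own code; the word list, banned list and thresholds are small
constructed stand-ins for the large lists a real deployment would use."""
import string

MIN_LENGTH = 12   # assumption
MIN_CLASSES = 3   # assumption: out of upper, lower, digit, symbol
MAX_WORD = 12     # longest dictionary entry the splitter will try

# Constructed stand-ins (a real check uses a cracking wordlist and a breached-password list).
DICTIONARY = {"correct", "horse", "battery", "staple", "password", "admin", "summer",
              "winter", "welcome", "dragon", "monkey", "secret", "company", "letmein"}
BANNED = {"password", "123456", "admin", "letmein", "welcome", "p@ssw0rd", "qwerty"}
# Substitutions that cracking rules undo before a dictionary lookup.
LEET = {"@": "a", "4": "a", "3": "e", "1": "i", "!": "i", "0": "o", "$": "s", "5": "s", "7": "t"}


def char_classes(pw):
    """Set of character classes present: upper, lower, digit, symbol."""
    classes = set()
    for c in pw:
        if c.isupper():
            classes.add("upper")
        elif c.islower():
            classes.add("lower")
        elif c.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def splits_into_words(s):
    """True if s can be split entirely into DICTIONARY words (prefix DP)."""
    ok = [True] + [False] * len(s)
    for i in range(1, len(s) + 1):
        for j in range(max(0, i - MAX_WORD), i):
            if ok[j] and s[j:i] in DICTIONARY:
                ok[i] = True
                break
    return ok[len(s)]


def is_dictionary_based(pw):
    """Mimic a cracker's rules: drop leading/trailing digits and symbols,
    undo leet substitutions, then see whether what is left is only words."""
    core = pw.lower().strip(string.digits + string.punctuation + " ")
    core = "".join(LEET.get(c, c) for c in core)
    chunks = "".join(c if c.isalpha() else " " for c in core).split()
    return bool(chunks) and all(splits_into_words(c) for c in chunks)


def check_password(pw):
    """Return the list of policy problems; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if pw.lower() in BANNED:
        problems.append("on the banned-password list")
    if len(char_classes(pw)) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    if is_dictionary_based(pw):
        problems.append("built only from dictionary words")
    return problems


if __name__ == "__main__":
    # Constructed sample candidates; "vK9#mQ2!xLp4Wz" is the only one that passes.
    for candidate in ["Summer2014!", "P@ssw0rd123!", "correcthorsebatterystaple",
                      "vK9#mQ2!xLp4Wz", "admin"]:
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```

The point of the normalisation step is that "P@ssw0rd123!" satisfies every character-class rule and still falls to the same dictionary entry as "password", which is what item 5 is warning about. The lists here are tiny; in production the lookup should run against a large cracking wordlist and a breached-password corpus, and the length rule should be treated as the one that matters most.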
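The login-event monitor below is an added example for items 2 and 8; it is not code from the article or from the vendors it cites. It applies a 10-failure lockout with a timed unlock, also counts distinct accounts per source so that a password-spraying run (one guess per account) does not slip under the per-account threshold, and flags successful logins outside business hours or from a country not seen before for that user. The event format, thresholds and sample events are constructed assumptions.

```python
"""Lockout enforcement (item 2) and unusual-activity flags (item 8) over a
stream of login events. Added example, not code from the article; the
event format, thresholds and sample data below are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

MAX_FAILURES = 10                         # lockout threshold suggested in item 2
FAILURE_WINDOW = timedelta(minutes=15)    # assumption: failures older than this are forgotten
LOCKOUT_DURATION = timedelta(minutes=30)  # assumption: timed unlock, so lockout is not a permanent DoS
SPRAY_USERS = 3                           # assumption: one source failing on this many accounts
BUSINESS_HOURS = range(7, 20)             # assumption: 07:00-19:59 UTC counts as normal


def _event(ts, user, result, src, country):
    return {"ts": ts, "user": user, "result": result, "src": src, "country": country}


# Constructed sample events in chronological order (not real log data).
SAMPLE_EVENTS = (
    [_event("2014-03-03T09:02:11", "alice", "success", "198.51.100.4", "US")]
    + [_event(f"2014-03-03T09:10:{5 * i:02d}", "admin", "failure", "203.0.113.7", "CN")
       for i in range(10)]
    + [_event("2014-03-03T09:11:00", "admin", "failure", "203.0.113.7", "CN"),
       _event("2014-03-03T09:12:00", "bob", "failure", "203.0.113.7", "CN"),
       _event("2014-03-03T09:12:30", "carol", "failure", "203.0.113.7", "CN"),
       _event("2014-03-04T02:30:00", "alice", "success", "192.0.2.9", "RU")]
)


class LoginMonitor:
    def __init__(self):
        self.failures = defaultdict(list)        # user -> timestamps of recent failures
        self.locked_until = {}                   # user -> when the lockout expires
        self.known_countries = defaultdict(set)  # user -> countries seen on successful logins
        self.spray_targets = defaultdict(set)    # src -> accounts it has failed against
        self.alerts = []                         # (timestamp, user, reason)

    def _alert(self, ts, user, reason):
        self.alerts.append((ts.isoformat(), user, reason))

    def process(self, ev):
        """Return "locked", "failure" or "success" for one event."""
        ts = datetime.fromisoformat(ev["ts"])
        user = ev["user"]

        # Item 2: a locked account rejects every attempt, right password or not.
        until = self.locked_until.get(user)
        if until is not None and ts < until:
            self._alert(ts, user, "attempt while locked out")
            return "locked"

        if ev["result"] == "failure":
            # Sliding window: drop stale failures, then count this one.
            recent = [t for t in self.failures[user] if ts - t <= FAILURE_WINDOW]
            recent.append(ts)
            self.failures[user] = recent
            # Per-account lockout misses password spraying (one guess per account
            # from one source), so also count distinct accounts per source.
            targets = self.spray_targets[ev["src"]]
            targets.add(user)
            if len(targets) == SPRAY_USERS:
                self._alert(ts, user, f"source {ev['src']} failed against {SPRAY_USERS} accounts")
            if len(recent) >= MAX_FAILURES:
                self.locked_until[user] = ts + LOCKOUT_DURATION
                self.failures[user] = []
                self._alert(ts, user, f"locked out after {MAX_FAILURES} failures")
                return "locked"
            return "failure"

        # Item 8: a successful login resets the counter, then gets the anomaly checks.
        self.failures[user] = []
        if ts.hour not in BUSINESS_HOURS:
            self._alert(ts, user, "successful login outside business hours")
        seen = self.known_countries[user]
        if seen and ev["country"] not in seen:
            self._alert(ts, user, f"successful login from new country {ev['country']}")
        seen.add(ev["country"])
        return "success"


def run_monitor(events):
    """Feed events through a fresh monitor; return (per-event results, alerts)."""
    mon = LoginMonitor()
    results = [mon.process(ev) for ev in events]
    return results, mon.alerts


if __name__ == "__main__":
    results, alerts = run_monitor(SAMPLE_EVENTS)
    for ev, res in zip(SAMPLE_EVENTS, results):
        print(f"{ev['ts']} {ev['user']:<6} {ev['result']:<8} -> {res}")
    for ts, user, reason in alerts:
        print(f"ALERT {ts} {user}: {reason}")
```

On the sample data the tenth failure against "admin" locks the account, the next attempt is refused without being evaluated, the same source's failures against "bob" and "carol" trip the spraying alert, and Alice's 02:30 login from a new country raises two flags. Remember that none of this helps against offline cracking of a stolen hash; lockout and monitoring protect the live login only.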

For help improving your company’s password policy, be sure to read our password policy template.