Bad Password Practices
Many businesses implement terrible password practices, either by deliberately accepting greater risk for the sake of convenience, or because those in charge of setting security policies are not properly trained or have neglected to do their job. Here are some common poor practices:
- All or most users have simple, formulaic passwords. For example, Abel, Baker, and Charlie all log in to the business network and their mailbox with passwords like Abel123, Baker123, and Charlie123—including the boss and HR manager, who have access to the company payroll system. With such a setup, the restrictive permissions configured on sensitive data are pointless, because anyone can log in with a manager's account and get to the data. But, the company enjoys never having to bother with users forgetting passwords, and users like being able to get into each other's files when they need to. This philosophy often extends to the phone system, where everyone's voicemail passcode is something like 1111 or 1234.
- Inadequately protecting passwords. This is manifested in many forms, the most glaring of which is the password written on a sticky note and attached to the side of a user's screen. When challenged on this, the user will often say, "Well, I don't need to hide this account from anyone here", especially since it's a business resource and everyone else in the office has access through their own account anyway. But, there are several problems with this. A user leaves the company, and his account is terminated, but he still knows another user's password and can get in, thanks to seeing that user's sticky note every day. So he copies your company's entire client list and takes it to your rival. Or, a deliveryman who happens to be an aspiring David Lightman sees the password, then goes home and logs in to your system (and not just to change his grades).
- Sharing passwords. Even if users all have unique and private passwords, we still often see this: A user wants to share resources on the network (such as his Exchange calendar, or data on a file server) with someone else, so he just gives his password to the other user. This seems innocent enough, but it gives rise to several problems. First, it creates a dangerous culture where users undervalue the importance of clearing access with appropriate authorities in your company, increasing the risk that a user will give a password to the wrong person. Or, even if the person is authorized to see the data he's intended to see, sharing passwords instead of having your IT department enable the access can lead to inappropriate access. For example, your accounts payable manager shares his e-mail password with your HR manager so she can copy a bunch of contacts from his mailbox, without considering that the HR manager can use that now to get into the company's bank account. When password sharing is not strictly forbidden, your company management will have no control over who has access to what.
As you can see, without diligent implementation of good policies and practices, a business may have passwords on all its accounts but may as well have none. Businesses like these sometimes wonder why peculiar things happen that indicate former employees still have access to their network, but it should be obvious why. Turning this around takes work in three areas:
- Education/awareness. If the above describes your company, change the culture. Train each user to treat the secrecy of every password he or she uses for any office resource as his or her individual responsibility: a password is never to be written or displayed where others can see it, and never shared with other users, regardless of trust. Be frank; tell them your approach to account security has been inadequate, and you're now fixing it.
- Administrative enforcement. This is a broad topic beyond the scope of this article. But, a few words. Make sure your users sign an Acceptable Use Policy, which establishes formal discipline for users who fail to secure their network resources, or who share a password in violation of your policy. You can find one here that's suitable for most businesses to use without modification.
- Technical assistance. If your IT system manager is not fully on board with your implementation of better account security, then the confidentiality and integrity of your data will remain at risk. Consider the following:
  - Password Management. Have your IT system manager assist with resetting passwords, and enabling enforcement of complexity and/or expiration of passwords.
  - Permissions. Make sure your IT system manager understands exactly who should have access to what, and that he implements proper permission settings from top to bottom to prevent anyone from accessing anything they are not explicitly authorized to see.
  - File Sharing. Have your IT system manager devise solutions for data sharing that will obviate the need for your users to share passwords. For example, your IT system manager should set up a system where users can request to enable access to a particular file folder, and the IT department can promptly validate the request through proper authority, then configure the permissions. Or, decide whether to allow users to invite others to view files without the IT department's involvement (which may be already enabled if you use file storage systems like Google Drive or Microsoft OneDrive for Business). If you choose to allow it, only enable it for users you trust to make the correct judgment in relation to sharing sensitive files, and who have the technical capability not to accidentally expose files to unintended parties when trying to share them. If you choose not to allow this for any users, ensure your IT department knows how to disable that function. Only with diligence and persistence can you maintain control over the permissions assigned to files stored in your company file storage system. Of course, in any case, if a user has access to a given file, that user can always copy and post it to another file sharing site. Managing this also involves a combination of administrative and technical controls, which are beyond the scope of this article.
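The formulaic passwords described in the first bad practice (Abel123, Baker123, voicemail passcodes of 1111 or 1234) are exactly what the complexity enforcement under "Password Management" should refuse. The following is an added example, not code from the original article: a small policy checker that rejects passwords built from the username, trivial repeated or sequential runs, denylisted common passwords, and passwords that miss a minimum length or character mix. The minimum lengths, the denylist and the sample accounts are constructed assumptions, not anyone's real policy or data.

```python
"""Password policy checker (added example, not from the original article).

It rejects the patterns the article warns about: formulaic passwords built
from the username (Abel123), trivial voicemail passcodes (1111, 1234) and
passwords that fail basic length/complexity rules. Policy values and the
sample accounts are constructed assumptions, not anyone's real data."""
import string

MIN_PASSWORD_LENGTH = 12   # assumed policy value
MIN_PIN_LENGTH = 6         # assumed policy value for voicemail passcodes

# Constructed stand-in for a breached/common-password denylist.
COMMON_PASSWORDS = {"password", "password1", "welcome1", "letmein", "qwerty123"}


def is_repeated(s: str) -> bool:
    """1111 or aaaa: one character repeated for the whole string."""
    return len(s) > 1 and len(set(s)) == 1


def is_sequential(s: str) -> bool:
    """1234, 4321 or abcd: every step is +1, or every step is -1, in code points."""
    if len(s) < 3:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps == {1} or steps == {-1}


def has_trivial_run(s: str, n: int = 4) -> bool:
    """True if any n-character window of s is repeated or sequential."""
    windows = (s[i:i + n] for i in range(len(s) - n + 1))
    return any(is_repeated(w) or is_sequential(w) for w in windows)


def derived_from_username(username: str, password: str) -> bool:
    """Abel123 for user Abel: the username appears inside the password
    (case-insensitive). Usernames under 3 characters are skipped to limit
    false positives."""
    u = username.lower()
    return len(u) >= 3 and u in password.lower()


def character_classes(password: str) -> int:
    """Count how many of lower/upper/digit/punctuation the password uses."""
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])


def check_password(username: str, password: str) -> list:
    """Return the policy violations for one account; an empty list means OK."""
    reasons = []
    if len(password) < MIN_PASSWORD_LENGTH:
        reasons.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if character_classes(password) < 3:
        reasons.append("fewer than 3 character classes")
    if derived_from_username(username, password):
        reasons.append("contains the username")
    if is_repeated(password) or is_sequential(password) or has_trivial_run(password):
        reasons.append("repeated or sequential characters")
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("on the common-password denylist")
    return reasons


def check_pin(pin: str) -> list:
    """Same idea for numeric voicemail passcodes."""
    reasons = []
    if not pin.isdigit():
        reasons.append("not all digits")
    if len(pin) < MIN_PIN_LENGTH:
        reasons.append(f"shorter than {MIN_PIN_LENGTH} digits")
    if is_repeated(pin) or is_sequential(pin) or has_trivial_run(pin):
        reasons.append("repeated or sequential digits")
    return reasons


def audit(accounts: dict) -> dict:
    """accounts maps username -> password; returns only the failing accounts."""
    failing = {}
    for user, pw in accounts.items():
        reasons = check_password(user, pw)
        if reasons:
            failing[user] = reasons
    return failing


# Constructed sample data mirroring the article's Abel/Baker/Charlie example.
SAMPLE_ACCOUNTS = {
    "Abel": "Abel123",
    "Baker": "Baker123",
    "Charlie": "Charlie123",
    "Dana": "Tr0ub4dor&3-Plum",
}

if __name__ == "__main__":
    for user, reasons in audit(SAMPLE_ACCOUNTS).items():
        print(f"{user}: {', '.join(reasons)}")
    for pin in ("1111", "1234", "739201"):
        print(f"PIN {pin}: {check_pin(pin) or 'ok'}")
```

In practice the username check belongs in whatever validates a new password at reset time (most directory services offer a hook or built-in rule for this), and the audit over existing accounts is only possible where a plaintext password is momentarily available, such as during a forced reset; the point of the example is the rule set, not where the passwords come from.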
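The "Permissions" item asks the IT system manager to ensure nobody can reach data they are not explicitly authorized to see. The way to know that is true, rather than assume it, is an access review: expand each folder's ACL to the users who actually get in and compare that with the list management approved. The following is an added example, not the article's or any product's code; the group memberships, ACL entries and authorization lists are constructed stand-ins for what you would export from your directory and file server, and the catch-all principal names are assumed for illustration.

```python
"""Access review for shared folders (added example, not from the original
article). It expands each folder's ACL to the users who actually get in and
compares that against the access management has explicitly authorized, so
"top to bottom" permission settings can be verified rather than assumed.
All group, ACL and authorization data below are constructed stand-ins for
what you would export from your directory and file server."""

# Directory group memberships (constructed).
GROUPS = {
    "Everyone": {"abel", "baker", "charlie", "dana", "erin"},
    "Authenticated Users": {"abel", "baker", "charlie", "dana", "erin"},
    "Finance": {"dana"},
    "HR": {"erin"},
    "Managers": {"charlie", "dana", "erin"},
}

# Principals present in each folder's ACL today (constructed).
ACLS = {
    r"\\fs01\Payroll": ["HR", "Finance", "Authenticated Users"],
    r"\\fs01\ClientList": ["Managers", "abel", "baker"],
    r"\\fs01\Public": ["Everyone"],
}

# Users management has explicitly authorized for each folder (constructed).
AUTHORIZED = {
    r"\\fs01\Payroll": {"erin", "dana"},
    r"\\fs01\ClientList": {"abel", "baker", "charlie"},
    r"\\fs01\Public": {"abel", "baker", "charlie", "dana", "erin"},
}

# Catch-all principals that usually signal an over-broad grant (assumed names).
BROAD_PRINCIPALS = {"Everyone", "Authenticated Users", "Domain Users"}


def expand(principal: str) -> set:
    """Resolve a group name to its member users; a plain user resolves to itself."""
    return set(GROUPS.get(principal, {principal}))


def effective_users(acl: list) -> set:
    """Union of every user reachable through the ACL's principals."""
    users = set()
    for principal in acl:
        users |= expand(principal)
    return users


def review(folder: str) -> dict:
    """Compare effective access with authorized access for one folder."""
    granted = effective_users(ACLS[folder])
    authorized = AUTHORIZED[folder]
    broad = [p for p in ACLS[folder]
             if p in BROAD_PRINCIPALS and expand(p) - authorized]
    return {
        "unexpected": sorted(granted - authorized),   # granted but not authorized
        "missing": sorted(authorized - granted),      # authorized but not granted
        "broad_grants": sorted(broad),                # catch-all entries that over-grant
    }


def review_all() -> dict:
    """Return only the folders that have at least one finding."""
    results = {}
    for folder in ACLS:
        findings = review(folder)
        if any(findings.values()):
            results[folder] = findings
    return results


if __name__ == "__main__":
    for folder, findings in review_all().items():
        print(folder)
        for kind, items in findings.items():
            if items:
                print(f"  {kind}: {', '.join(items)}")
```

On the constructed data, the payroll folder is reachable by every authenticated user through a catch-all entry even though only two people are authorized, and the client list is open to the whole Managers group although only three named users were approved; those are the findings a real review should surface, with the authorization list maintained by management rather than by whoever happens to administer the server.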