The password, a little chain of characters that everyone uses every day, is a very serious topic for cyber-security actors.
Good password governance in a company requires a clear policy, shared with every stakeholder and monitored through a regular, automated process. More and more of the services companies use are now available online, making these policies a pillar of digital governance.
Here are examples of common patterns among users and the associated risks:
- Using the same password for multiple personal and professional accounts:
Risk: If one of the services is compromised, the cyber-criminal can access all the other accounts, putting the whole company at risk.
- Using personal information in the password (birthday, kids' names, etc.):
Risk: Social engineering techniques can easily give the cyber-criminal access to your password.
- Using common words in the password:
Risk: Brute-force software can easily and automatically find the password using a preconfigured table or word list. (Example: the top 30 passwords used on LinkedIn, an excellent source for hackers.)
- Keeping a copy of the password on your computer or in your emails:
Risk: If the computer or the mailbox is compromised, so are all the other services.
- Keeping the password on a post-it note next to the computer:
Risk: Among intrusion methods, physical interception is possible: a hacker poses as a repairman looking for a fault next to the computer.
- Using a professional email address to set up personal accounts:
Risk: If you change companies, the email address is lost and access to the personal accounts becomes difficult.
- Saving all passwords in the web browser:
Risk: They are easily obtainable if the browsing session is left open.
Here are some good practices when it comes to password governance:
1/ The password used with your email address is unique and should not be used anywhere else. In reality, many users have the reflex, when signing up to an e-commerce site, to use the same email address and password, which should be avoided at all costs.
2/ Differentiate online services according to their criticality. The required password complexity is not the same for an email service and an online information aggregator.
These are some suggestions to better secure a password:
- The password must contain at least one lowercase letter.
- The password must contain at least one uppercase letter.
- The password must contain at least one digit.
- The password must contain at least one special character ($ !?%).
- The password must contain at least 3 characters in different styles (lowercase, uppercase, digit, special character).
- The password must be at least 8 characters long.
- The password must not contain the user name.
3/ Random password generator software can be used to create secure passwords.
4/ Services exist to store passwords in a safe, encrypted place, but again a unique password must be defined for that service.
5/ If you are a DSI or an SSI, get in touch with HR or the internal committee to regularly inform employees about managing their passwords. And don't hesitate to initiate or push measures in accordance with the company's policy. The fate of the company depends on it…
6/ Other measures: configure Google Alerts for your professional e-mail address, so that if it is compromised and posted online you will be notified.
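As an added example, not code from the original article, here is a small Python policy checker that implements the password rules listed under point 2/ (lowercase, uppercase, digit, special character, at least 3 character styles, at least 8 characters, no user name), together with a generator in the spirit of point 3/ built on the standard library's `secrets` module. The use of the full ASCII punctuation set as "special characters" is an assumption extending the article's `$ ! ? %` examples; the sample passwords and user names are constructed.

```python
import secrets
import string

# Policy thresholds taken from the article's rule list
MIN_LENGTH = 8
MIN_CLASSES = 3
# The article lists $ ! ? % as examples of special characters; using the full
# ASCII punctuation set here is an assumption of this example.
SPECIALS = set(string.punctuation)


def check_password(password: str, username: str = "") -> list[str]:
    """Return the list of policy rules the password violates (empty = compliant)."""
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(c in SPECIALS for c in password)

    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if not has_lower:
        violations.append("no lowercase letter")
    if not has_upper:
        violations.append("no uppercase letter")
    if not has_digit:
        violations.append("no digit")
    if not has_special:
        violations.append("no special character")
    # Count how many of the four character styles are present
    if sum((has_lower, has_upper, has_digit, has_special)) < MIN_CLASSES:
        violations.append(f"fewer than {MIN_CLASSES} character styles")
    # Case-insensitive check so "Alice2024!" is rejected for user "alice"
    if username and username.lower() in password.lower():
        violations.append("contains the user name")
    return violations


def generate_password(length: int = 16, username: str = "") -> str:
    """Generate a random password that satisfies check_password()."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    specials = "".join(sorted(SPECIALS))
    alphabet = string.ascii_letters + string.digits + specials
    rng = secrets.SystemRandom()
    while True:
        # Guarantee one character of each style, then fill the rest at random
        chars = [
            secrets.choice(string.ascii_lowercase),
            secrets.choice(string.ascii_uppercase),
            secrets.choice(string.digits),
            secrets.choice(specials),
        ]
        chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
        rng.shuffle(chars)  # so the guaranteed characters are not always first
        candidate = "".join(chars)
        # Retry on the rare chance the random string contains the user name
        if not check_password(candidate, username):
            return candidate


if __name__ == "__main__":
    # Constructed sample inputs (hypothetical users and passwords)
    for pw, user in [("password", "bob"), ("Alice2024!", "alice"), ("Tr0ub4d$r", "alice")]:
        print(f"{pw!r}: {check_password(pw, user) or 'OK'}")
    print("generated:", generate_password(16, "alice"))
```

The checker returns every violated rule rather than stopping at the first one, which is what a sign-up form or an audit script needs to give useful feedback. The generator draws from `secrets` rather than `random`, because the latter is not suitable for security purposes; it validates its own output against the same checker so the two can never drift apart.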
So, are you ready to clean up?