Stay Safe with Strong Passwords

Are you taking passwords seriously?

Nine out of ten office workers seem happy to give away their password in return for a cheap pen, according to a survey carried out at Waterloo Station last year. This should be enough to keep any boss awake at night. Why? Well, instead of clipboard-wielding surveyors, picture a disgruntled ex-employee or a competitor ringing up your staff and pretending to be from tech support and asking for their password. Then reflect on the fact that if a bad guy has a valid password, they can steal, change or delete the information it protects with little risk of detection.

Trust Your Staff?

Now try to get past the thought that nine out of ten office workers in London are morons and consider the dangers to your own business.

The basic problem is that nearly all businesses rely on passwords as the main way to check that users are who they say they are. But used carelessly, they are almost pointless.

The same survey found that the most common password was "password" (12%), the employee's own name (16%), their football team (11%) or their date of birth (8%). So even if they don't give away their password for a bag of crisps, you could guess nearly half of them in minutes.

The stupidity doesn't end there. One third of users write their passwords down. Sometimes on a post-it note attached to the screen. Two thirds use the same password for everything, including online banking, as well as company access. They only have to enter it into a bogus website to give the whole game away. Most of them (75%) know a colleague's password and two thirds are happy to give their own to a co-worker.

It's not just employees. It's the bosses too. My favourite story from the survey was of a company CEO who, at first, refused to disclose his password. The interviewer tried a different track: "how do you decide what password to use?" He replied that he tended to use his daughter's name. So the interviewer quickly asked "what's your daughter's name?" The answer: Tamsin. Bullseye. It's like shooting fish in a barrel.

Many companies spend a fortune on alarms, key cards and secure reception areas to stop people gaining physical access. Even getting cash out of a cash machine requires something you know (your pin number) and something you have (a card).

But businesses seem willing to trust their staff - and remember nine out of ten of them are morons - with the keys to the kingdom when it comes to passwords.

The Key to Better Passwords

•	Automate good behaviour. Use Windows Server to set up a strong password policy
•	Enforce the use of strong passwords
•	Educate users about passwords and social engineering
•	Update HR policies to make disclosing passwords a serious disciplinary offence, like giving away the key to the office
•	Consider using smart cards or fingerprint recognition
•	Make sure the rest of your security is tight. In particular, restrict users' access to files on a need-to-know basis
•	Take extra care with administrator level passwords
•	Change default passwords for things like backup clients, accounts programs, routers, wireless access points and so on