Password Security: Reality or Joke?

Cyber security is a top concern in the IT industry today. In this series, we will look at various threats to cyber security – and what steps businesses can take to meet those threats head on. Here, we focus in on password security.

I love wandering in corporate cubicle-land. Rows and rows of desks, all empty of inhabitants, lie before me. The lights are dim, and the only sound is the muted hum of air from the ventilation ducts. I check out sticky-notes on computers, open drawers, and lift up keyboards to my heart’s content. Why? Because I’m a penetration tester or “ethical hacker” … I test companies’ security by trying to break into their systems. It’s surprisingly easy most of the time. After I get in the front door (described here), all I need to do is take advantage of password security lapses and I’m in.

Considering how many times I find passwords clearly printed on sticky-notes and placed conveniently near computers, I completely understand why nearly 51% of those surveyed in a recent study commissioned by Sungard Availability Services* noted that employees sharing passwords is a direct threat to their company’s security policy. The question is, why do people share their passwords? And what can we do about it to strengthen password security?

First, why do people share their passwords? Frequently, it is because someone needs a resource they don’t have permission to access. For instance, there might be an application that a manager uses for her job. She has an assistant who does not have access to that application. But one day, she asks the assistant to perform a task in the application. And, because it’s easier than going to IT and asking for the necessary permissions, she hands her password to the assistant on a sticky-note. The assistant uses the password to get into the application and perform the task.

Here’s the kicker: chances are, the assistant will keep that password – with the manager’s full knowledge and acquiescence. After all, why go to IT now? The assistant can get in, the tasks can get done, and everybody is happy.

I’m happy, too, because I will quickly find that sticky-note and then I have access to that application as well. (By the way, “hiding” sticky-notes under a keyboard or in a drawer or under the desk is a complete waste of time. Do you think I – and any real hacker – don’t know where to look?)

Now you can understand that protesting, “I would only share my password with a person I trust completely!” is irrelevant. Trustworthiness is not the issue. Password sharing is a security risk because the password gets written down, and what is written down can be seen by the wrong pair of eyes.

So what do we do about password sharing? Here are four tips that can really help frustrate penetration testers like me … and the malicious hackers we represent.

1. Set expectations from the top. Get upper management involved. People aren’t going to stop sharing passwords because a nameless person in IT bleats “Hey, don’t do that!” They’re going to stop sharing passwords when the CEO, CIO, CISO and the rest of the top guns say, “You will NOT share passwords – and if you do, you’re going to get more than a slap on the wrist.” Make it clear that there are no exceptions to this password security policy.
2. Make permissions a priority. For all you folk in IT, you want to streamline – and broadcast – the process for getting people access to the applications they need. If you make it a priority to process permission requests, people are more likely to go about things the right way, rather than jotting their passwords down and sharing them.
3. Move to single sign-on. Why have separate passwords for different applications at all? When companies make the move to single sign-on, where a single password provides access to multiple systems and applications, people tend to be less likely to share their password because it would give the other person an “in” to systems they don’t want them to access – such as email or personnel files.
4. Educate employees on the risks. Telling people “don’t” without telling them “because” is a waste of breath. Take the time to explain how password sharing places the company at risk: those scrawled-on sticky-notes are the keys to the kingdom for corporate hackers.

Password security is all about modifying employee behavior. The four tips above will help your employees make the shift to stronger password security. And as an added incentive, consider this: perhaps I’ll stop by some evening when you’re all away to see how you’re doing.

*The survey, commissioned by Sungard Availability Services, was conducted by SurveyMonkey Audience. The survey reached 276 IT professionals and was completed in December 2014.

Other Posts in This Series:

1. How Employees Accidentally Compromise Their Company’s Cyber Security
2. The #1 Cyber Security Threat To Information Systems Today
3. The #1 Information Security Policy That IT Managers Would Change