Our comic book favorites have long shown us how often alter egos come in handy. Let’s face it: Clark Kent wouldn’t have made it very far with Lois Lane without Superman. Password security is pretty much the same: In order to defend their passwords and accounts as well as the company network, your users need to protect their identities from being compromised by digital villains.
With the spike in major hacks in recent years, you’d think that everyone would be on board with improving their password security practices. Unfortunately that’s not the case. According to a recent survey, 90 percent of employee passwords are hackable within six hours and, on top of that, 65 percent of people use the same password everywhere they go. That last stat is particularly scary. You think you just shared your Netflix password with your roommate, but really you also shared your password for the multiple other accounts that have the same password. Oops.
Employees and companies have a lot to lose if passwords get cracked and identities are compromised. Entrepreneur reports that it can cost $200,000 for a small business to deal with a breach—even as much as $170 million for a business reeling from a large breach. Users could easily become victims of identity theft, or the business could find that sensitive company data—anything from intellectual property that would make competitors salivate to private customer information—has been stolen or dumped online, resulting in serious reputational damage or even a costly lawsuit.
How can businesses bolster their password security practices and prevent an unwanted breach? Here are a few key ways that you can help your users safeguard their accounts and keep your systems safe.
1. Enforce strong, unique passwords
Left to their own devices, users would use the simplest passwords possible. The worst and most common password for several years running is 12345. Superheroes know the networks we rely on just aren’t trustworthy enough for us to get away with using weak passwords. If they use a single password for all their accounts, then a hacker could steal the keys to the kingdom—and all of your company data—by cracking user passwords on any of the sites they use.
It’s critical to change passwords on a regular basis as well. According to TeleSign, 47 percent of people use passwords that are at least five years old, and 21 percent use passwords that are at least 10 years old. A whopping 54 percent of users use just five or fewer passwords throughout their lifetime online. This lax approach to password security puts them and their employers at risk. Even if your users unwittingly fell prey to a hack that took place years ago, like the 2012 LinkedIn hack, it could come back to haunt your company if they’ve continued to use the same passwords. Make sure they keep rotating them.
2. Enable two-factor authentication
Sometimes two identities work better than one. Clark Kent, in his unassuming role as reporter for The Daily Planet, can keep his ear to the ground about threats to Metropolis while on the beat. Then, when the time comes, Superman can rocket into the air and save the city with another amazing act of heroism. You can give your users the power of a dual identity with two-factor authentication (2FA).
Whereas single-factor authentication requires just a username and password, 2FA requires that a user provide two out of three possible authentication factors—usually defined as something you know (a password or PIN), something you have (an access card or RSA token, for example), and something you are (a fingerprint or voice print)—before gaining access to a site or network resource. While 2FA adds a layer of complexity and, with it, a hassle factor, it’s becoming more common on business networks as well as in consumer technology. Even the White House wants you to turn it on.
3. Support password managers
Users have a legitimate gripe about how clunky and unmanageable passwords are as a network security measure. Even some tech security pros, like FIDO, would love to do away with passwords altogether. At the moment, though, they’re the method most businesses are working with. If you’re asking your users to come up with unique, complex passwords for each of the sites they use, it’s a good idea to give them a system to manage all those different passwords more easily. A password manager can store all the passwords your users need, requiring just one master password to unlock the others and then autofill them into the correct fields when needed. Icing on the cake: A password manager often includes a secure password-generator feature, which makes it easier for your users to create strong passwords. By removing the biggest headaches involved with network security, you’ll help your users play their role in guarding your systems against a potential attack.
4. Keep your users accountable
Password security doesn’t work on the honor system. To fully protect your environment, you’re going to have to enforce each of the measures outlined above and stay vigilant as new threats emerge. As with many IT challenges, this is best accomplished with a mix of technology and policy. Via network management tools, for example, you can force users to use only secure, complex passwords. You can also prevent them from re-using passwords they’ve had in the past. With a well-designed and communicated information security policy and security awareness training sessions, you can ask users to help defend the network and teach them to be part of the solution.
By implementing smart password security measures, you can help your users protect their identities from being compromised and the havoc that could ensue. Just like a superhero shines best when his true identity is secret, your colleagues will be able to leap tall buildings in a single bound, achieving great successes for the company—thanks to the peace of mind that password protection offers.