
The Monster under the Bed Is Password Management – Is Your Business Vulnerable?

Published Friday 6 November 2015; updated April 22nd, 2021.
The Monster Under The Bed

I really wanted to write about file management systems, how to choose your cloud file system and how to do basic good file management.

However, that first means addressing the monster under the bed. The monster is a creation of our own minds, our fears and insecurities – and concern that we might not be quite as safe as we think we are.

I have bad news. It is extremely unlikely that you are as safe as you should be. The inner child should perhaps be allowed to sleep with its lights on and check the wardrobe.

As a result of our data- and digitally-driven lives, we leave footprints on the internet that can compromise online safety. Many people therefore approach cloud storage of data with trepidation. You shouldn’t – the worst security risks lie with you. The monster is password management.

The areas where we are vulnerable are portable computers, mobile phones, employee management, password management and the passwords themselves. Please be aware that I am not an internet security expert, just someone who has been progressively learning about security in business over time.

The most fearsome lesson I ever learned is how insecure a mobile computer is. An IT mate hacked my PC’s password protection in less than one minute a few years ago, giving him full access to all unencrypted files on that machine.

The most infamous hack was on Sony last year, where overall security was low and passwords were stored in files labelled ‘password’. The whole system was hacked (disgruntled employees may have been involved), then the passwords were accessed, exposing everything they had, including full files of unreleased movies and staff social security numbers.

In 2013, Target USA was hacked, netting 40 million credit card accounts including personal details. In the same year Adobe was hacked, netting somewhere between 38 and 150 million customer passwords. Staff passwords identified in this hack included password, Password, photoshop and 1234. A malware attack on many sites including Facebook, Twitter, Google and LinkedIn affected two million accounts.

Your biggest risks are unauthorised access to devices, stolen devices and poor password management, with passwords exposing us in the real world as well as on the internet, so these are priority one. The 20 most widely-used passwords in the world are 123456, password, 12345678, qwerty, abc123, 123456789, 111111, 1234567, iloveyou, adobe123, 123123, admin, 1234567890, letmein, photoshop, 1234, monkey, shadow, sunshine, 12345 – you get the idea. This list comes from SplashData, who analyse files containing millions of stolen passwords posted online.

If you utilise the same password over and over, one incident of theft from one of your providers or partners can compromise your whole digital life, so you should use unique passwords for every site, tool and app that you use.

All employees/contractors should have unique passwords for all systems, and password sharing should be explicitly banned or limited to the greatest extent possible. It is important to revoke access to all computer systems for former contractors/staff, which means retaining a register of their systems access.

I dislike systems that require changing passwords every three months or so. It is a significant hassle for staff who therefore undertake minimum compliance. Having strong password management is preferable.


A serious attempt to breach an account might consist of a sophisticated brute-force password attack. These use a real dictionary, thousands of common word and number combinations and substitutions such as 12345, password1 or passw0rd, password lists published on the web, and then combinations of terms. Brute-force attacks are limited by computing power: three words combined with numbers take a long time and/or a lot of computing power to search, which provides good protection.

For example, ThreeMoonFlowers34 combines words and numbers in a random way and uses capitalisation to make it harder to guess. More is better. It is, however, easy enough to remember to type in manually if you have to. $Fh7wo0*hy83Ghpp is also good, but try remembering it for more than a few seconds, or typing it across to another device.
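As an added illustration (not code from the post), the following Python checks a candidate against the SplashData top-20 list quoted above, including the capitalisation and number/substitution variants a dictionary attack would try, and estimates how long the two patterns the post recommends (three words plus digits, and a 16-character random string) would take to search in full. The 50,000-word dictionary size, the 94-character alphabet and the two guess rates are assumptions.

```python
import re

# Constructed sample: the SplashData top-20 list quoted in the post. A real
# deployment would load a much larger breached-password list instead.
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "abc123",
                    "123456789", "111111", "1234567", "iloveyou", "adobe123",
                    "123123", "admin", "1234567890", "letmein", "photoshop",
                    "1234", "monkey", "shadow", "sunshine", "12345"}

# Character substitutions a dictionary attack undoes (assumed, illustrative set).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})
TRAILING = re.compile(r"[\d!@#$%^&*]+$")   # e.g. the "1" in password1

def normalise(candidate: str) -> str:
    """Reduce a candidate to the base word a dictionary would try: lower-case,
    drop a trailing run of digits/symbols, then undo leet substitutions."""
    return TRAILING.sub("", candidate.lower()).translate(LEET)

def is_common(candidate: str) -> bool:
    """True if the candidate is a common password or a trivial variant of one
    (Password, password1, passw0rd, Adobe123!)."""
    lowered = candidate.lower()
    return (lowered in COMMON_PASSWORDS
            or re.sub(r"[!@#$%^&*]+$", "", lowered) in COMMON_PASSWORDS
            or normalise(candidate) in COMMON_PASSWORDS)

def guesses_words_plus_digits(words: int, digits: int, dictionary: int = 50_000) -> int:
    """Search space for a passphrase like ThreeMoonFlowers34: `words` dictionary
    words, each optionally capitalised, followed by `digits` digits (dictionary size assumed)."""
    return (2 * dictionary) ** words * 10 ** digits

def guesses_random(length: int, alphabet: int = 94) -> int:
    """Search space for a random string like $Fh7wo0*hy83Ghpp over printable ASCII."""
    return alphabet ** length

def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Years to try every guess at a given rate. Assumed rates: ~10/s for a
    rate-limited online login, 1e10/s for an offline attack on stolen hashes."""
    return space / guesses_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    for pw in ["Password", "passw0rd", "Adobe123!", "ThreeMoonFlowers34"]:
        print(f"{pw:20} common variant: {is_common(pw)}")
    for label, space in [("3 words + 2 digits", guesses_words_plus_digits(3, 2)),
                         ("16 random chars", guesses_random(16))]:
        print(f"{label:20} online: {years_to_exhaust(space, 10):.3g} y, offline: {years_to_exhaust(space, 1e10):.3g} y")
```

The offline figure is the one that matters once a provider's password database has been stolen, which is why the post's advice to never reuse a password carries more weight than the exact passphrase pattern.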

It is easy to accumulate more than 100 unique passwords, which become unwieldy to manage manually in any acceptably secure way, so I implemented a password manager. My password manager now stores all of my passwords with 256-bit encryption, with a unique and complex password for each site.

Passwords sync across my devices, and when I log onto a new site, tool or app it automatically sets the password up (mostly). As a result, my passwords are very much more secure, a breach at one site cannot be reused against another, and they are much more conveniently managed. It took about three hours to complete the transition.

Storing passwords in an email file or folder is risky as they are easily found. Emailing passwords is also not advisable and if you get an emailed password, you should change it immediately.

There are also some passwords you may never want to write down. If I had (I don’t) a few hundred stolen devices and manually typed a couple of hundred common passwords into each of them, I would have a pretty good chance of getting into one or two of the protected ones. However, only half of them would be password-protected in the first place.

To protect files on your computer and other devices there are several solutions, although protection of device-stored files is not always a trivial exercise. Use a password and have all devices (computers, laptops, tablets and phones) lock after a very short period of inactivity (five minutes maximum). While this won’t stop a password hack like the one I described above, it will protect your files from casual theft. This is a minimum step, and a shorter timeframe provides more protection.

Maintain effective physical security. This is a specific issue with computers, tablets and phones left in cars in the evening. Hide them from sight if you cannot take them into events, and keep your offices properly secure.

The final layer on a computer is encrypted, password-protected files. I am not a PC user, but BitLocker is installed on all Professional, Enterprise and Ultimate editions of Windows and will give you encrypted password security for your system or for particular drives and folders. Windows 8.1 encrypts system drives by default. Using FileVault on a Mac will encrypt the full contents of your disc. On a Mac you can also mount encrypted disc image folders.

If you are using a cloud supplier, choose one that offers encryption and the option of two-factor authentication as well. On mobile devices, switch password protection on and make sure the apps themselves are password protected. I will go into more detail on cloud storage another time.

For Mac, iPhone and iPad users, Find My iPhone/iPad/Mac provides remote wipe, ‘set as lost’ and location tracking for your devices. This is very easy to set up.

Choose how secure you want to be, but please don’t let fear of security stop you from using cloud solutions as your worst incidents of poor security are probably caused by you, and are often in the physical world.
