

4/9/2013
01:38 AM

Four Ways To Strengthen SMB Password Security

Ensuring that employees are abiding by good password policies is difficult, but there are simple ways to protect a business from workers who might choose 'password123'

Passwords are the weak link for companies of all sizes, but many small and midsize businesses (SMBs) rely on their workers to make the right choice in selecting strong passwords.

Unfortunately, when left to their own devices, most employees do not get it right: Either due to a lack of security education or a desire for efficiency, people make the wrong choices when it comes to passwords. While almost 90 percent of people think they select good passwords, 61 percent reuse their passwords across sites and more than half have five or fewer passwords, according to a September 2012 survey of consumers by CSID, an identity management and fraud-protection firm.

While establishing a password policy and educating workers are good first steps, they are not sufficient to convince users to select good passwords, says Joe Siegrist, CEO and co-founder of LastPass, an identity-management service provider.

"We think that policy is almost universally ignored, unless it is forced upon users," Siegrist says. "People hear a lot about the policy, but if they know it cannot be enforced, it might as well not exist for 95 percent of them."

SMBs frequently inherit their employees' choice of passwords, and while three-quarters of workers say they choose passwords with security in mind, they also make compromises so they can get into their accounts more quickly.

"A business is only as strong as its weakest link, or weakest password connected to that business, whether belonging to a customer, partner or employee," CSID stated in the report.

Here are four lessons for businesses that want to feel more secure in their employees' use of passwords.

1. Gain visibility
SMBs generally have no idea how strong the passwords their employees use on internal systems are, whether those passwords are reused on external services, or how many different passwords each worker has. The first step toward visibility is to adopt a central system for managing employees' credentials, whether a cloud-based password-management service or a full identity and access management (IAM) solution.

Without such a system, companies will be blind as to the degree of risk they have, LastPass's Siegrist says.

"The scary thing is that most people don't know any better, so if you don't have any tools or procedures in place, you just have no shot of getting to a safe place," he says.

[Ever watch an episode of 'Mad Men' and see everyone smoking? Some kid in 2045 will look at their parent and ask, did you really have to enter a password that many times? See Your Password Is The Crappiest Identity Your Kid Will Ever See.]

LastPass's service, for example, gives each employee's account a security score based on their currently stored passwords. While company administrators cannot access the passwords themselves, they can discover when a worker is not following policy.

2. Centralize password management
Even for companies that do not need a full IAM system, the centralized management of employees' passwords goes beyond just gaining insight into workers' password habits. Companies that have administrative control over their employees' accounts can add new workers and delete old ones who no longer work at the firm, heading off the risk from disgruntled employees.

"As companies grow, even to 50 or 100 users, tracking where they've added users have added accounts into different applications not only becomes a burdensome process, but can also become expensive," says Patrick Harding, chief technology officer of Ping Identity, a cloud identity provider.

Ping's product eliminates passwords for many cloud applications by using a single sign-on approach that replaces passwords with Security Assertion Markup Language (SAML) to securely access online accounts.

3. Pick a single entry point
In addition to centralizing the administration of identity storage, companies can benefit from reducing the number of times a user must enter a credential to a single login event. By limiting how often a user has to type a password, companies make their workers more efficient and give themselves a single channel to secure, Harding says.

"If you only have to authenticate once a day, make that authentication stronger than a password, even a strong password," he says.

Two-factor authentication set up for an e-mail account, for example, can double as the login credential for the single sign-on system.

4. Change employee behavior
Finally, companies should use any improvements in their management of passwords to educate employees about good password selection, LastPass's Siegrist says. When employees reuse a password, remind them of the company policy against reuse. If workers have not updated old passwords, remind them to do so, he says.

"You can set policies to perfectly customize how safe you want your employees to be, and know that they are doing it," Siegrist says.
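The visibility check from lesson 1 and the reuse and stale-password reminders from lesson 4, as an added example that is not LastPass's or Ping's code: it audits a constructed credential export in which the password manager exposes only an opaque per-password fingerprint (an assumption, so administrators never see the password itself), flags the same password reused across sites, secrets shared between employees, and passwords older than an assumed 180-day rotation policy, and derives a per-employee score from the findings.

```python
from collections import defaultdict
from datetime import date

# Constructed sample export: one row per stored credential. The fingerprint is
# assumed to be an opaque keyed hash exported by the manager, never the password.
INVENTORY = [
    # (employee, site, password_fingerprint, last_changed)
    ("alice", "crm.example", "f1a9", date(2012, 11, 2)),
    ("alice", "mail.example", "f1a9", date(2012, 11, 2)),    # reused across sites
    ("alice", "payroll.example", "7c3e", date(2013, 3, 15)),
    ("bob", "crm.example", "f1a9", date(2012, 6, 1)),        # same secret as alice, and stale
    ("bob", "mail.example", "b0b1", date(2011, 12, 20)),     # stale
    ("carol", "crm.example", "c4r0", date(2013, 2, 1)),
]

AUDIT_DATE = date(2013, 4, 9)   # constructed: the article's publication date
MAX_AGE_DAYS = 180              # assumed policy: rotate at least every 180 days


def audit(inventory, today=AUDIT_DATE, max_age_days=MAX_AGE_DAYS):
    """Return {employee: {"findings": [...], "score": int}} for a credential export."""
    by_emp = defaultdict(list)
    owners = defaultdict(set)            # fingerprint -> employees holding that secret
    for emp, site, fp, changed in inventory:
        by_emp[emp].append((site, fp, changed))
        owners[fp].add(emp)

    report = {}
    for emp, entries in by_emp.items():
        findings = []
        sites_by_fp = defaultdict(list)  # this employee's sites per fingerprint
        for site, fp, changed in entries:
            sites_by_fp[fp].append(site)
            age = (today - changed).days
            if age > max_age_days:
                findings.append(f"stale: {site} last changed {age} days ago")
            if len(owners[fp]) > 1:
                findings.append(f"shared: {site} password also held by another employee")
        for sites in sites_by_fp.values():
            if len(sites) > 1:
                findings.append("reused: " + ", ".join(sorted(sites)))
        # Score like a manager's dashboard: start at 100, lose 20 per finding, floor at 0.
        report[emp] = {"findings": findings, "score": max(0, 100 - 20 * len(findings))}
    return report


if __name__ == "__main__":
    for emp, result in sorted(audit(INVENTORY).items()):
        print(emp, result["score"], *result["findings"], sep="\n  ")
```

The report is what an administrator would act on: a reminder about the reuse finding, a rotation reminder for each stale entry, and a direct follow-up where a secret is shared between accounts.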

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...

Comments
MROBINSON000,
User Rank: Apprentice
4/12/2013 | 11:29:40 AM
re: Four Ways To Strengthen SMB Password Security
Robert, your article is very documented and offers a lot of informative and useful tips to strengthen password security. Indeed, passwords are the weak link for companies, so employees should be educated to select strong passwords. We recently published an article on this theme which I recommend reading further:
http://blog.securityinnovation...