Most people do not put much thought into the security of their passwords. They are usually more concerned with being able to remember a password than with how secure it is. Yet many know the risks of weak passwords and the consequences when the passwords to various accounts are exposed. The Verizon 2017 Data Breach Report reveals that 81% of breaches are caused by weak or reused passwords. An equally important but often overlooked part of password security is a well-thought-out plan for recovering passwords when the account owners are unavailable.
Are Yours Up to Par?
Have your employees received security awareness training on password security? A study by the University of Phoenix revealed that only 42% of Americans use different passwords across various applications, and only 35% regularly update their passwords. Given these findings, employees need to learn and follow a set of guidelines for creating strong passwords and keeping them secure.
Many employees are using weak passwords, and some do not know how to form a secure one. TechGuard offers a wide selection of security awareness training topics, including Password Security.
Company Passwords After the 9/11 Attack
Howard Lutnick, Chief Executive of Cantor Fitzgerald, understands just how important a plan to protect passwords is. On September 11, 2001, he lost 658 of the company's 960 employees; no one who was in the office that day made it out. After such a horrific tragedy, he faced a very difficult decision: whether to close the company or try to keep it open.
Staying in business meant working out how to access numerous accounts and applications, and he had a severe password dilemma. Although company policy required employees to share their work passwords with four colleagues, the firm was unprepared for an attack of this nature. The attacks on the Twin Towers had also knocked out one of the company's main backup servers.
How the Passwords Were Found
He started by using a brute force attack to recover the passwords. A brute force attack is a method of gaining access to a site, server, or anything else that is password protected by trying username and password combinations one after another until one works. He was concerned that this method alone might take longer than he could afford. When appropriate, cybersecurity companies like TechGuard use various methods, including brute force attacks, during a penetration test. These methods expose a company's weaknesses; Techguardians then assign a risk rating to each weakness and recommend the best course of action for remediation.
Pressed for time, Howard called on Microsoft to dispatch more than 30 security experts. They knew that to complete the complex task they would need to take advantage of two facts: many people use the same password across various accounts, and many build passwords from personal information. So they contacted the spouses, loved ones and colleagues of the lost employees and gathered detailed personal information about the owners of the missing passwords, working from a compiled list of questions about wedding anniversaries, colleges attended, pets' names, kids' birth dates, and more. Within two days, the firm was open again because they were able to recover the weak passwords.
In addition, the thought of lost passwords reminds me of situations throughout my career with previous employers. For example, people unexpectedly fell ill, quit jobs without notice, or even passed away, and those left behind were challenged to figure out how to access various accounts to tend to various tasks and operations. On my last days, I was asked to write down all my passwords on a piece of paper and leave it on my desk so that business could carry on. These instructions show poor planning and do not account for emergencies or unexpected leaves of absence.
What kind of password plan does your business have in place for emergency situations? Have you managed application permissions according to roles in your company? Consider researching password manager applications to determine whether one fits your needs. Overall, employees should be required to use complex, secure passwords, and employers should have role-based application permissions in place and a plan for storing and recovering passwords. These are some of the best practices for password security. For more information on password security, read our other blog about passwords.
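One way to build the "tell four colleagues" policy above into a recovery plan without any one colleague holding the whole password is a threshold secret-sharing scheme. The example below is added here and is not Cantor Fitzgerald's policy or TechGuard's code: it uses Shamir's scheme (not mentioned on the page) to split a password into four shares of which any three recover it, while any two reveal nothing. It assumes Python 3.8 or later; the password and share counts are constructed sample values.

```python
import secrets

# Mersenne prime 2**521 - 1, so a secret of up to 64 bytes fits in one field element.
PRIME = 2**521 - 1
MAX_SECRET_BYTES = 64


def _eval_poly(coeffs, x):
    """Evaluate the polynomial at x (Horner's rule); coeffs[0] is the secret."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: bytes, k: int, n: int):
    """Split secret into n (x, y) shares; any k of them reconstruct it."""
    if not 1 < k <= n < PRIME:
        raise ValueError("need 1 < k <= n")
    if len(secret) > MAX_SECRET_BYTES:
        raise ValueError("secret longer than %d bytes" % MAX_SECRET_BYTES)
    # A leading 0x01 byte preserves the length and any leading zero bytes.
    s = int.from_bytes(b"\x01" + secret, "big")
    # k-1 random coefficients: fewer than k shares say nothing about s.
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange-interpolate the polynomial at x = 0 to get the secret back.
    With fewer than the threshold of shares the result is just garbage."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    raw = total.to_bytes((total.bit_length() + 7) // 8, "big")
    return raw[1:]  # drop the 0x01 length marker


if __name__ == "__main__":
    # Constructed example: a 3-of-4 escrow of one account's recovery password.
    pw = b"correct horse battery staple"
    shares = split_secret(pw, k=3, n=4)
    for x, y in shares:
        print("share %d for colleague %d: %x" % (x, x, y))
    print("recovered from shares 1, 2 and 4:",
          recover_secret([shares[0], shares[1], shares[3]]))
```

Each colleague keeps only one share (ideally in a password manager or sealed envelope), and the password itself is never written down; losing one share, or even two, does not block recovery.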
Written by Michelle Stamps
Michelle has over 10 years of experience in marketing and business development across various industries, including government and non-profit. Her background in writing, facilitating presentations and event planning lets her use her creative skill set, and her relationship-building skills strengthen her ability to understand the role of the human element in cybersecurity and to support positive behavior change. Whether she is out in the community, blogging or developing the next social post for TechGuard, she believes in telling the company's story and uses relatable, real-life examples to connect with our clients. If you know Michelle outside of work, you would know that she loves sunny days and tropical places.