Using passwords to secure access to on-line systems is fundamentally flawed. An alternative will be a long time coming. In the meantime small business owners need an answer to the question “How do I reduce the threat from passwords to my business?”.
A series of high-profile cyber-attacks has resulted in a great deal of on-line discussion and hand-wringing about how ineffective passwords are at keeping us secure. The attacks have seen the theft of usernames and passwords from companies like eBay, Target and Adobe on a massive scale (over 200 million accounts affected at these three sites alone). If you have ever registered on the websites of these firms you are now at risk from the potential compromise of all your other on-line accounts. This is because, like most of the population, you probably use the same usernames and passwords at all the sites you visit.
Knock-on effects have also become more dramatic:
- The CEO of Target resigned over the issue
- Share prices of the companies involved have fallen
- Four US States are carrying out separate investigations into security at eBay
The fundamental problem is that maintaining secure password behaviour is not a task that humans are well suited to. A secure password is difficult to remember. It should be changed regularly. A different password should be used at every site you visit. That’s a job well suited to a computer but our brains don’t work that way. So we manage our passwords in a way that compromises the very security the password is supposed to bring – we make them simple, we write them down, we repeat the same password, we don’t change them.
The on-line community provides a great deal of advice on how to keep your passwords secure. Don’t get too excited, however, because there is no magic solution. My previous paragraph sums up the advice given in 90% of these articles.
There are also a growing number of articles bemoaning the risk from badly managed passwords and demanding a new solution. That’s true and we need to be working towards a change as fast as possible. There is, however, so much invested in the use of passwords that any changes will take a long time to implement.
In the meantime we have to find a better solution. This is particularly important for small businesses, which are increasingly seen as a lucrative target by hackers.
The short answer, in my opinion, is to deploy a password manager.
While there are a multitude of sites with reviews of password management products, they are mostly aimed at consumers. There are additional considerations when selecting a tool for business:
- Passwords for company accounts should not be stored in personal password managers
- The business needs to be able to grant and rescind access to passwords easily
- A list of all on-line accounts in use by the business needs to be maintained
- Different access rights need to be applied to different groups
- It should be possible to take a snapshot of the security of passwords across the organisation in order to identify and rectify weaknesses
- Login credentials should be able to be shared amongst appropriate groups of users
- Access to credentials needs to be available across desktop, laptop, tablet and mobile devices
- The product you choose has to be easy to use so that it doesn’t interfere with the daily flow of work
Ultimately, then, a properly implemented password manager will allow company passwords to be:
- difficult to remember without anyone needing to remember them
- different at every site and for every user account
- changed on a regular basis
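As an added illustration (not part of the original post), here is how the organisation-wide "snapshot" mentioned above can be taken against those three properties: a small audit over a vault export that flags reused, weak and stale credentials. The export layout, the sample entries and the length/age thresholds are assumptions; real password managers export in their own CSV or JSON schema.

```python
from collections import defaultdict
from datetime import date

MIN_LENGTH = 16      # assumed policy: machine-generated secrets should be long
MAX_AGE_DAYS = 180   # assumed policy: rotate at least twice a year

# Constructed sample export: one record per stored credential (not real accounts).
VAULT = [
    {"site": "bank.example", "user": "finance", "password": "Xq7!vL2#pR9$mT4w", "changed": "2024-05-01"},
    {"site": "crm.example",  "user": "sales",   "password": "Summer2023",       "changed": "2023-06-15"},
    {"site": "mail.example", "user": "sales",   "password": "Summer2023",       "changed": "2023-06-15"},
    {"site": "shop.example", "user": "ops",     "password": "Kd8&nB3@zW6^hY1q", "changed": "2024-03-10"},
]

def char_classes(pw):
    """Count how many of lower/upper/digit/symbol appear in the password."""
    return sum([any(c.islower() for c in pw), any(c.isupper() for c in pw),
                any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)])

def audit(vault, today):
    """Return findings keyed by problem type.
    reused: groups of (site, user) that share one password
    weak:   shorter than MIN_LENGTH or fewer than three character classes
    stale:  not changed within MAX_AGE_DAYS
    """
    findings = {"reused": [], "weak": [], "stale": []}
    by_password = defaultdict(list)
    for entry in vault:
        pw, ident = entry["password"], (entry["site"], entry["user"])
        by_password[pw].append(ident)
        if len(pw) < MIN_LENGTH or char_classes(pw) < 3:
            findings["weak"].append(ident)
        age_days = (today - date.fromisoformat(entry["changed"])).days
        if age_days > MAX_AGE_DAYS:
            findings["stale"].append(ident)
    # A password is only a reuse problem when more than one account holds it.
    findings["reused"] = [accts for accts in by_password.values() if len(accts) > 1]
    return findings

def sample_report():
    """Run the audit over the constructed vault as of an assumed snapshot date."""
    return audit(VAULT, date(2024, 6, 1))

if __name__ == "__main__":
    for kind, items in sample_report().items():
        print(f"{kind}: {items}")
```

In practice the vault export should be read from the manager's own export file and deleted afterwards, since the export itself contains every credential in clear text.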
Finally my prediction for the future:
- Companies providing an online presence will outsource the management of their customer accounts to accredited specialists that focus purely on keeping access secure
- The commercial imperative for firms to reassure their customers will lead to the adoption of standards and collaboration between companies that will further accelerate the adoption of more effective security practices
- In the meantime, other technologies, such as two-factor authentication, will become increasingly important for accessing sensitive accounts