We're pleased to present the first in a series of practical security posts for our policyholders. Despite an explosion of cybersecurity buzzwords ranging from anomaly detection to next generation anti-virus, our claims data and experience reveal that simple security measures are often the most effective. This week we turn our focus to password security.
Most computer systems rely on passwords, and all the cybersecurity
in the world won't help you if someone knows or guesses your password.
Advice for all businesses
As an employee or business owner, you likely use passwords for everything from
email to payroll to CRM systems. In many cases, a hacker can ruin your
business just by guessing your password to one of these systems and cutting
themselves a healthy check or mocking up a fraudulent invoice. Accordingly, it is imperative
that you protect the passwords that protect your business.
Fortunately, good password practices are pretty simple:
- Don't re-use passwords. Many people use the same password for dozens of
services, from their local newspaper subscription to their bank account.
Hackers know this, and actively go after easy targets,
just to get passwords they can use for higher-value targets.
Chances are good that some of your passwords are already floating around the
seedy parts of the internet; if in doubt, you can check your email against
a large collection of breached records through a service called
HaveIBeenPwned ("pwned" is hacker slang for
being successfully attacked).
- Use strong passwords. It is extremely easy for a hacker to write a program
that tries to guess your password 1,000 or even 1,000,000 times per second.
That means a hacker can easily try every word in the dictionary, every city, state,
person or team name, and every possible birthday or anniversary.
You may have been told to use a mix of capital and lower-case letters,
numbers and symbols. In practice, most people will change "o"s to "0"s or add a
"1" or an "!" to the end of their password. This will not save you; hackers
will guess that too. Instead, you should use a randomly generated password
or a passphrase, a string of random words like "correcthorsebatterystaple",
which would take a hacker roughly 1,000,000,000,000,000,000 tries to guess. Not to mention, passwords like this are a whole lot easier to remember!
Following these rules might sound like a pain, but it can be even easier than
remembering your current passwords, thanks to password managers.
Password managers are programs that keep track of your different accounts and
passwords for you, usually protected by a single, strong password, and only
accessible from your computer or your other devices.
There are several different kinds of password managers:
- Some web browsers, such as Chrome, Firefox and Safari, have built-in password
managers which you can sync between devices by signing into your Google, Firefox
or iCloud accounts, respectively
(although Firefox will not sync with Android phones).
- Microsoft Edge and some operating systems let you save passwords on your
computer, although they do not sync between devices.
- Online services like LastPass, 1Password, and Dashlane allow you to manage all your
passwords across devices with a single account, and often offer additional
features like encrypted note-taking.
Advice for businesses that manage user accounts (and passwords)
If your users create accounts with you, this opens you up to potentially
significant security issues and liability if you do not take precautions against
account hijacking.
There are a few principles you should adhere to in order to mitigate the risk of handling and storing passwords:
- Never store passwords. One of the bedrocks of modern cybersecurity is
password hashing, the use of clever algorithms which create "hashes" from
passwords that can be stored and used to verify a user's password, but can't
themselves be used to discern the password. A hash is sort of like a
fingerprint; if you store someone's fingerprint you can verify their identity
by asking for it again, but unless they can manufacture a fake thumb, someone
with a copy of their fingerprint can't impersonate them. Hashing passwords
means that, even if an attacker gets access to your database of usernames and
passwords, they can't just log in as those users.
Most modern web frameworks, such as Django or Ruby on Rails, will handle this for you,
but it is important to check that your framework supports hashing and that
you've enabled it (if applicable).
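To show what "hashing, not storing" looks like in practice, here is an added example (not Coalition's code and not lifted from any framework) using only Python's standard library. It assumes PBKDF2-HMAC-SHA256 with a high iteration count, which is the same scheme Django uses by default; scrypt or argon2 are equally good choices.

```python
import hashlib
import hmac
import os

# Assumed parameters for this example: a slow, salted key-derivation function.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str) -> str:
    """Derive a slow, salted hash and return a self-describing record to store in the database."""
    salt = os.urandom(SALT_BYTES)  # fresh random salt per user: equal passwords get different records
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=KEY_BYTES)
    return "$".join([ALGORITHM, str(ITERATIONS), salt.hex(), key.hex()])


def verify_password(password: str, record: str) -> bool:
    """Re-derive the key from the stored salt and iteration count and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, key_hex = record.split("$")
        rounds = int(iterations)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(key_hex)
    except ValueError:
        return False  # malformed record: never fall back to a plaintext comparison
    if algorithm != ALGORITHM:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds, dklen=len(expected))
    return hmac.compare_digest(actual, expected)  # constant-time, so timing leaks nothing about the hash


if __name__ == "__main__":
    stored = hash_password("correcthorsebatterystaple")  # this is what goes in the users table
    print(stored)
    print(verify_password("correcthorsebatterystaple", stored))  # True
    print(verify_password("Tr0ub4dor&3", stored))                # False
    # A stolen hash is not a password: presenting the record itself fails too.
    print(verify_password(stored, stored))                       # False
```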
- Require strong passwords. A weak password renders all other protections
useless. You should give your users the same advice we've given you when
choosing a password. Better yet, you should not allow them to set a weak
password. Don't require numbers or special characters; do check
their password against lists of common passwords or dictionary words and
make sure it's not a simple variant on one. There are several software
libraries which will check how strong a password is for you; at Coalition
we use Dropbox's zxcvbn.
Additionally, don't require users to change passwords periodically,
since this encourages weak passwords.
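The "simple variant" check is the part most home-grown validators miss. As an added example (not Coalition's code and not zxcvbn), the function below undoes the substitutions mentioned above ("o" to "0", a trailing "1" or "!") before comparing against a common-password list; the list and the 8-character minimum are constructed for the example, and a real deployment would load a full breached-password list.

```python
import re
from typing import Set, Tuple

# Constructed stand-in for a real common/breached password list (e.g. the HaveIBeenPwned list).
COMMON_PASSWORDS = {"password", "letmein", "qwerty", "welcome", "baseball", "iloveyou", "monkey"}

# Substitutions people make in the belief that they strengthen a password.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                          "@": "a", "$": "s", "!": "i"})

MIN_LENGTH = 8  # assumed policy minimum; no composition rules, as the text recommends


def candidates(password: str) -> Set[str]:
    """Return the base words an attacker would try first when given this password's shape."""
    lowered = password.lower()
    core = re.sub(r"[\d\W_]+$", "", lowered)          # drop trailing "1", "!", "2019!"
    core_no_prefix = re.sub(r"^[\d\W_]+", "", core)   # also drop a leading "!" or "1"
    return {lowered, core, core_no_prefix,
            core.translate(LEET_MAP), core_no_prefix.translate(LEET_MAP)}


def check_password(password: str) -> Tuple[bool, str]:
    """Accept or reject a password, with a reason the user can act on."""
    if len(password) < MIN_LENGTH:
        return False, "shorter than %d characters" % MIN_LENGTH
    hits = sorted(c for c in candidates(password) if c in COMMON_PASSWORDS)
    if hits:
        return False, "simple variant of the common password '%s'" % hits[0]
    return True, "ok"


if __name__ == "__main__":
    for pw in ["P@ssw0rd!", "Welcome1", "1loveyou", "correcthorsebatterystaple"]:
        print(pw, check_password(pw))
```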
- Limit log-in attempts. Even with strong password requirements, some
guessable passwords will probably fall through the cracks. You can make
guessing passwords much less successful by limiting log-in attempts.
There are two ways to do this: either limit the number of attempts that
can be made per minute/hour/day, or after some number of incorrect attempts,
lock the account and tell the user to contact support. The second method
offers more protection, but also means that a hacker or prankster can
lock anyone out of their account, so the first method is usually preferred.
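Both methods side by side, as an added example (not Coalition's code); the attempt limits and the injectable clock are constructed so the behaviour can be exercised without waiting for real time to pass.

```python
import collections
import time


class ThrottlingGuard:
    """Method 1: at most `max_attempts` failed log-ins per `window` seconds, per account."""

    def __init__(self, max_attempts=5, window=60.0, clock=time.monotonic):
        self.max_attempts, self.window, self.clock = max_attempts, window, clock
        self.failures = collections.defaultdict(collections.deque)

    def allowed(self, user):
        q, now = self.failures[user], self.clock()
        while q and now - q[0] > self.window:  # forget failures older than the window
            q.popleft()
        return len(q) < self.max_attempts

    def record_failure(self, user):
        self.failures[user].append(self.clock())

    def record_success(self, user):
        pass  # old failures simply age out; the account is never locked


class LockoutGuard:
    """Method 2: after `max_failures` consecutive failures the account is locked until support resets it."""

    def __init__(self, max_failures=5):
        self.max_failures = max_failures
        self.failures = collections.Counter()
        self.locked = set()

    def allowed(self, user):
        return user not in self.locked

    def record_failure(self, user):
        self.failures[user] += 1
        if self.failures[user] >= self.max_failures:
            self.locked.add(user)  # anyone who knows the username can trigger this

    def record_success(self, user):
        self.failures[user] = 0

    def unlock(self, user):  # what "contact support" ends up doing
        self.locked.discard(user)
        self.failures[user] = 0


def attempt(guard, user, password_ok):
    """One log-in attempt against a guard; returns what the user sees."""
    if not guard.allowed(user):
        return "denied"
    if password_ok:
        guard.record_success(user)
        return "ok"
    guard.record_failure(user)
    return "wrong password"
```

With the throttling guard the real owner gets back in once the window passes; with the lockout guard three wrong guesses by anyone keep the owner out until support unlocks the account.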
Taking these basic precautions, or requiring them of your users, takes little effort but provides enormous returns.
Finally, don't forget that Coalition policyholders can also make use of our Compromised Credentials app to receive alerts when an employee's data and/or password has been compromised in a third-party data breach. Just one more way that Coalition works with its clients to not only insure risk, but proactively mitigate it.