This article is posted with permission from VC3's blog and shares non-technical, municipal-relevant insights about critical technology issues, focusing on how technology reduces costs, helps better serve citizens, and lessens cybersecurity risks. VC3 is solely responsible for the article’s content.
We recently heard an anecdote from a security executive that illustrates the need for much stronger password policies at cities. (We altered the details of the anecdote to protect our source. However, the gist of the anecdote will make his point clear.)
An organization in Georgia has 1,000 employees. During a security audit, 117 employees were found to be using the password “Bulldogs2019.” Immediately, the security executive implemented a stronger password policy that caused employees to reset their passwords and eliminated the chance of such a common password from being used in the future.
What’s interesting is that each employee selected their password individually, thinking it was unique! None of the 117 people knew about anyone else’s “unique” password.
In the past, we've often blogged about bad passwords (like "123456"). Encouragingly, city employees have realized that using such bad passwords is, yes, a bad idea. However, a false sense of security can creep in and make them think any other password is okay. That’s when people think of “unique” passwords like favorite sports teams, TV shows, celebrities, pet names, and children’s names.
But think about it. If you’re using words that are popular or common, then others will use them too. And hackers know this. In other words, we think we're using unique passwords—but they really aren't unique.
How do you stop this problem from occurring? Read on for three ways that you can enforce a better password policy—from good to better to best.
Good: Strong Passwords
Enforcing the use of strong passwords avoids the issue of employees choosing common or easily hackable words and phrases. Strong passwords may be:
- Passphrases: A passphrase is a long phrase easy for you to remember (such as “Theredh0rseis2fast!”) but hard for hackers to guess. The longer a password, the more difficult it becomes to hack. You would still need to mix in a few numbers and symbols for good measure.
- Complex Passwords: While not as memorable as a passphrase, a complex password involving a string of letters, numbers, and symbols can also still work as a less hackable password. However, you may more easily forget such a password or write it down on a piece of paper (which someone can find if they pass by your desk).
Strong passwords are a good tactic, but hackers can still crack them with enough effort.
Better: Password Manager
If you haven’t heard about password managers, they are services that automatically generate strong passwords, remember all your passwords, and encrypt them. In other words, a password manager helps you implement specific password best practices without you having to think about it. Your IT staff or vendor can help you implement a password manager across your organization. Once implemented, they tend to work smoothly in the background and make your life easier.
Some benefits include:
- Automated generation of strong passwords: A password manager can automatically generate strong complex passwords for you and encrypt them.
- Shoring up employee password weaknesses: With a password manager, employees cannot enact poor password best practices such as writing them on a piece of paper, using weak passwords (like “Bulldogs2019”), or reusing the same password across many different websites and applications.
- Ease and efficiency: Employees benefit from the ease of a password manager, which allows them to add, change, and delete passwords across all the websites and applications they use. Plus, employees can log in quickly and feel relief from not having to remember passwords anymore.
- Increased security: By making passwords less hackable, you increase your cybersecurity and lessen the risk of cyberattacks.
Best: Two-Factor Authentication (2FA)
Last year, we wrote a post titled “
Two-Factor Authentication: The Benefits Vastly Outweigh Any Inconvenience.” In it, we made the case for implementing 2FA at your city and mentioned, despite what you may hear about its inconvenience, that it is quick to log into and you don’t need to log in multiple times each day. Benefits include:
- Large reduction in the chance of getting hacked: In 2018, a Verizon Data Breach Investigations Report noted that 81 percent of company data breaches occur because of poor passwords. With 2FA, you add an extra step that makes it much, much more difficult for a hacker to succeed. While 2FA isn’t hacker-proof, it places an additional barrier—physical access to your smartphone—in front of the hacker to overcome.
- Ease of use: 2FA works when you get a code through text messaging or an easy-to-install app (such as Duo Mobile or Microsoft Authenticator) that gives you a randomly generated code every 30 seconds or a “push notification” where you just press OK to confirm your login.
- No IT investments or infrastructure needed: 2FA is cheap. It’s often baked into existing applications and the implementation generally involves receiving a text or installing a free app on a smartphone, which hardly takes any time at all.
Many strategies exist to avoid the issue of employees selecting, even unknowingly, weak passwords that can compromise your security. While no perfect option exists, we encourage you to explore the options discussed above and implement the strongest password policies possible. Doing nothing, though, puts your city at great risk.