Poor Password Hygiene

Joan works at a small, local manufacturing company; her company makes highly specialized chemical testing sensors used in various applications all over the world. Joan’s job is to process orders and make sure that the products are shipped out to the customers on time. She loves her job and would never do anything to jeopardize it.

Everyone who knows Joan knows she also loves cats! Recently, Joan joined an online forum for cat lovers. Just about every day, she is online posting videos, reviewing feline-related products, and bragging about her lovable fur babies. A couple of months after joining the forum, Joan is at her desk at work and receives a call from a frustrated customer who has not received their shipment. Joan knows this customer well and remembers processing the order. To be sure, she checks her internal systems and everything looks fine. Joan decides to check the shipping company’s site. Upon logging in, she realizes something is very wrong. Many of the shipping addresses for her customers have been changed to a single address in a third-world country. Joan immediately escalates to her manager, who calls in the IT team and support from their shipping vendor.

What Joan didn’t know was that the cat forum she joined had recently been compromised by hackers and all the user profile information was captured. Joan claims to have a terrible memory for things like passwords, so for convenience she sets all of her passwords to “CatLover123!”. The hackers took Joan’s account information from the forum, cross-referenced it against her LinkedIn profile, and found out where she worked and what her job was. They attempted to access the corporate systems but were unable to gain access because the IT department enforces multi-factor authentication (MFA). The shipping company portal is not compatible with the corporate MFA solution, so, knowing that Joan worked in shipping, the hackers were able to gain access to the shipping portal with her reused password and redirect all the current shipments.

How could this have been prevented? The answer is strong password management policies, training, and resources. The following standards provide a minimum baseline for what this should look like. Everyone should be aware of and trained on these standards and whenever possible they should be enforced programmatically. 

User Accounts:  

  1. Password Length: Minimum of twelve (12) characters  
  2. Password Reuse: Ten (10) (users cannot use any of the last ten (10) passwords they have used) and the new password must contain at least 4 new characters  
  3. Password Life:   
    1. Maximum: Ninety (90) days  
    2. Minimum: One (1) day  
  4. Password Complexity:   
    1. Passwords are not a derivative of the user ID  
    2. Passwords have at least one (1) lower alpha, one (1) upper alpha, one (1) number, and one (1) special character.  
    3. Passwords cannot contain two identical, consecutive characters  

Service Accounts:  

  1. Password Length: Minimum of twelve (12) characters  
  2. Password Reuse: Ten (10) (service accounts cannot use any of the last ten (10) passwords they have used) and the new password must contain at least 4 new characters  
  3. Password Life:   
    1. Maximum: Three hundred sixty-five (365) days  
    2. Minimum: One (1) day
  4. Password Complexity:  
    1. Passwords are not a derivative of the user ID  
    2. Passwords have at least one (1) lower alpha, one (1) upper alpha, one (1) number, and one (1) special character.  
    3. Passwords cannot contain two identical, consecutive characters  
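The two lists above share the same length, reuse and complexity rules and differ only in maximum password life (90 versus 365 days), which a rotation schedule rather than a change-time check enforces. The checker below is an added illustration of those shared rules, not code from the original article or from any CCI Systems tool; the user ID, the sample passwords, and the readings of "derivative of the user ID" and "new characters" are assumptions made for the example.

```python
import hashlib
import re
import string
from typing import List

MIN_LENGTH = 12      # rule 1: minimum of twelve characters
HISTORY_DEPTH = 10   # rule 2: none of the last ten passwords may be reused
MIN_NEW_CHARS = 4    # rule 2: at least four new characters per change
SPECIALS = set(string.punctuation)

def digest(password: str) -> str:
    """Fingerprint for the history list. Demo only: production history should use
    a slow, salted password hash (bcrypt/argon2), never bare SHA-256."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def complexity_violations(password: str, user_id: str) -> List[str]:
    """Return the complexity rules the candidate breaks (empty list = passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # "Not a derivative of the user ID": assumption here is that the ID (or its
    # reverse) appearing anywhere in the password, ignoring case, counts as derived.
    low, uid = password.lower(), user_id.lower()
    if uid and (uid in low or uid[::-1] in low):
        problems.append("derived from the user ID")
    classes = {"lower-case letter": str.islower, "upper-case letter": str.isupper,
               "digit": str.isdigit, "special character": SPECIALS.__contains__}
    for name, test in classes.items():
        if not any(test(c) for c in password):
            problems.append(f"no {name}")
    if re.search(r"(.)\1", password):  # the same character twice in a row
        problems.append("two identical consecutive characters")
    return problems

def new_character_count(candidate: str, previous: str) -> int:
    """Assumption: a 'new character' is a position where the candidate differs
    from the previous password (positions past the end of the old one count)."""
    return sum(1 for i, c in enumerate(candidate)
               if i >= len(previous) or previous[i] != c)

def check_password_change(candidate: str, user_id: str, previous: str,
                          history: List[str]) -> List[str]:
    """Full change-time rule set; `history` holds digests, newest last."""
    problems = complexity_violations(candidate, user_id)
    if digest(candidate) in history[-HISTORY_DEPTH:]:
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    if new_character_count(candidate, previous) < MIN_NEW_CHARS:
        problems.append(f"fewer than {MIN_NEW_CHARS} new characters")
    return problems
```

Note that Joan's "CatLover123!" satisfies every complexity rule here; what the story turns on is reuse across sites, which only the Password Protection rules below and a password manager address.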

Password Protection:  

  1. Do not use the same password for corporate accounts as for other non-corporate access (e.g., personal ISP account, online banking, benefits, etc.). Users must not use the same password for various corporate access needs and are required to have unique passwords for each account they access.   
  2. Do not share corporate passwords with anyone, including administrative assistants or secretaries. All passwords are to be treated as Restricted, Confidential corporate information.   
  3. Prohibited password practices:   
    1. Do not use default vendor passwords  
    2. Do not reveal a password over the phone to anyone for any reason   
    3. Do not reveal a password in an e-mail message   
    4. Do not reveal a password to a co-worker or supervisor   
    5. Do not talk about a password in front of others   
    6. Do not hint at the format of a password (e.g., "my family name")   
    7. Do not reveal a password on questionnaires or security forms   
    8. Do not share a password with family members   
    9. Do not write passwords down and store them anywhere in the user’s office  
    10. Do not store passwords in a file on any information asset without encryption  
    11. Do not use internet browsers to save passwords  
    12. Where technically feasible, browsers’ native password-saving functionality will be disabled 

Additionally, IT should look to implement a corporate password management tool that allows users and system administrators to store, manage, and even share passwords in a secure location. These systems give people like Joan a place to keep their various passwords so they do not reuse the same ones, and they help enforce password policies for sites that do not integrate with corporate authentication tools.

CCI Systems Blue Team experts can help your company implement the systemic changes to ensure strong password policies are in place, help manage the rollout and training of your staff, and guide you through the process of selecting and implementing a password management tool.