WOOF! Newsletter

November 19, 2014

How to Manage Your Passwords (and Why You Need To)

When was the last time you changed your passwords at work? If you aren't sure when, you need to read this month's WOOF. Using multiple passwords, and changing them frequently, is one of the most important - and least used - IT security practices.

How many passwords do you have?

We see users at many client sites who only use one password for all their accounts. Most of the time, they don’t remember the last time they changed their password.

In terms of data security, this is one of the most dangerous practices in modern business.

Here’s one – just ONE – reason why.

Dropbox: Calm Down, We Weren't Hacked – PCMag.com

Hundreds of Dropbox users' passwords leaked online. Even if Dropbox itself wasn’t hacked, that only means "this time." Hacking attempts still continue. (We recommend Dropbox users switch to a more secure service, like our Private Cloud Fileshare).

There’s one thing we do agree with in the article: Dropbox security team member Anton Mityagin said:

"Attacks like these are one of the reasons why we strongly encourage users not to reuse passwords across services."

Don’t Use One Password for All Your Accounts

In the office, systems administrators are responsible for IT security. It’s their job to protect the data you use every day.

But you can make that job easier, and protect your own information at the same time, just by using a variety of different passwords on your accounts.

"But I only need one password, don’t I? I only have a couple places where I need to enter a password."

We hear this objection all the time. It’s not out of ignorance; it’s because of familiarity. Most places where you’d use a password will save that password for you, so you don’t have to keep entering it. This makes it easy for us to forget how many times a password actually shows up in our workday.

Here’s a list of common passwords in a work environment:
  • Logon/network password
  • CMS/Website password
  • Email password
  • Vendor website password
  • Phone/tablet password
  • Banking password for corporate accounts
  • File server password
  • Network administration password
  • Wi-Fi password
  • VPN/Remote Login password
  • Password used to access certain software apps (e.g. timesheet tracking)

Quite a few more than you'd expect, isn't it?

Now how bad would it be if you used the same password for all of these accounts?

Hacking from One Account to the Next

Imagine you’re a hacker hunting for data out on the Internet. Say you manage to acquire one user’s password through some nefarious scheme, and you break into that person’s work computer.

Plenty of data to copy. And that computer’s connected to the rest of the office. You, the hacker, try the same password on other things – the business email, for instance. Uh oh, the password works there too. Hmmm, what about the Wi-Fi?

This one hacker now has access to everything your company does. Now imagine thousands of these hackers, trying to steal passwords by the millions…

This is why services like Dropbox are attacked so often. Get a hold of someone’s password, and you likely have access to all of their accounts. All of their information.

Fortunately, the way to stop this is simple: Use separate passwords, and change them regularly.
  1. Use a separate password for each of: Banking, Email, Network Access, etc. You’re probably safe re-using a few passwords between all of these points. But you can’t skip the second half of this.
  2. Change passwords regularly. Every 4-6 months at least. And not just by changing a number at the end—change the entire password. Set an Outlook calendar reminder to do this!
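As an added example that is not part of the newsletter, here is a small Python policy check covering both steps above: it rejects a new password that merely bumps a trailing number, refuses one already in use on another account, and lists accounts past the rotation window. The vault, the 180-day window, the iteration count and the sample passwords are constructed for the demo.

```python
import hashlib
import hmac
import os
from datetime import date, timedelta

ROTATION_DAYS = 180   # assumed policy value: "every 4-6 months at least"
ITERATIONS = 100_000  # PBKDF2 rounds; constructed value for the demo

def hash_pw(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, so the vault never holds plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def store(password: str, changed: date) -> dict:
    """Create one vault record with a fresh random salt per account."""
    salt = os.urandom(16)
    return {"salt": salt, "digest": hash_pw(password, salt), "changed": changed}

def matches(password: str, record: dict) -> bool:
    """Constant-time comparison of a candidate against a stored record."""
    return hmac.compare_digest(hash_pw(password, record["salt"]), record["digest"])

def is_trivial_variant(old: str, new: str) -> bool:
    """'Summer2014' -> 'Summer2015!' is the 'change a number at the end' pattern."""
    core = lambda s: s.lower().rstrip("0123456789!@#$%.*")
    return core(old) != "" and core(old) == core(new)

def check_change(vault: dict, account: str, old: str, new: str) -> list:
    """Return the policy violations for replacing `old` with `new` on `account`."""
    problems = []
    if not matches(old, vault[account]):
        problems.append("current password incorrect")
    if new == old:
        problems.append("new password identical to old")
    elif is_trivial_variant(old, new):
        problems.append("new password is only a trivial variant of the old one")
    # Reuse check: hash the candidate with every other account's own salt.
    reused = [a for a, rec in vault.items() if a != account and matches(new, rec)]
    if reused:
        problems.append("already used on: " + ", ".join(sorted(reused)))
    return problems

def stale_accounts(vault: dict, today: date) -> list:
    """Accounts whose password is older than the rotation window."""
    limit = timedelta(days=ROTATION_DAYS)
    return sorted(a for a, rec in vault.items() if today - rec["changed"] > limit)

# Constructed sample vault for the demo (not real credentials).
VAULT = {
    "email":   store("Summer2014", date(2014, 3, 1)),
    "vpn":     store("Summer2014", date(2014, 3, 1)),   # same password reused
    "banking": store("bx7-Lamp-Quiet-42", date(2014, 10, 15)),
}
```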

How to Remember All Your Passwords

Unless you have a fantastic memory, using multiple passwords over & over means you’ll need to store them somewhere. Securely, too – you don’t want to store passwords in a place hackers can get at them.

Here are two solutions for storing passwords securely (called “password management apps”):
These password management apps encrypt your passwords within their own databases, locking them away so no one else can see them. Both of these are top-rated for privacy—and you can try them out for free.

Password Management = Critical for IT Security (And Something Everyone Can Do)

If you’re a systems administrator, schedule a mandatory password change for all employees twice a year. More often if desired.

If you’re not an admin, download one of the password management apps above and start storing passwords. It’s easy to change passwords when the time comes—almost every system out there guides you through the steps.

Get in the habit of changing passwords regularly, and you’ll never have to worry about "the next hacking."