Charles Copland, Quality Assurance Analyst | Safe Systems

Reduce, reuse, recycle.  This positive mantra has made recycling a common practice for individuals and businesses across the country. And while this practice helps reduce the amount of physical waste in landfills, when the concept bleeds into other areas of daily life, unfortunately it can have disastrous consequences.  Specifically, it’s time to stop reducing, reusing or recycling passwords.

Between work-related system credentials, social-media sites, personal email, and every other website that requires a login, estimates suggest the average person has 20-plus website or service accounts.  Remembering all the passwords that secure your daily activities can become a tall order, so people tend to gravitate to a limited set of passwords that are easy to remember.  It's all too simple to reenlist that familiar password when creating an account for the hottest new website.  But it's troubling when a financial institution employee is prompted to change their password and follows this same pattern.

As long as a password is complex and the system or website claims to be secure, what's the worry?  Even "brand name" websites can be surprisingly susceptible to data breaches.  These breaches expose user credentials, and the same credentials may be in use elsewhere, including at work.  This is not a hypothetical scare tactic but a reality of the digital age.

For examples, you need look back only to July, when social blogging platform Tumblr admitted to exposing millions of user passwords through a very basic security flaw.  In April, the popular deal-finding website LivingSocial was the victim of a security breach that led to the leakage of customer usernames and passwords.  A little more than a year ago, social media giant LinkedIn was embarrassed when a hacker posted millions of hashed LinkedIn user passwords to a public website; the hashes were unsalted SHA-1, and a large share of them were cracked within days.  The list of well-known companies that have been victims of data breaches goes on and on, from Evernote and Dropbox to Twitter, Sony, and PayPal.

Following each of these incidents, the website or service prompted users to change passwords immediately and often beefed up security controls.  Too late: the information was already exposed to the world.  The silver lining, if there is one, is that exposed credentials alone are not an imminent threat if they cannot be linked to other systems the user subscribes to.  Since humans tend to overshare online, though, some of that linkage can be gleaned from simple internet searches, and a robust social-media presence is an avenue for social engineering as well.  Luckily, this sort of targeted information gathering takes real effort, so attackers may not bother for most individuals.  A much larger concern is employees using a work email address as the username for personal accounts.  If the financial institution's name can be determined from the email domain, then parties with malicious intent have a much easier time identifying a target, and the username half of the work credential is already known to them.

People who don't use social media and have never used a work email address to sign up for anything probably think they're safe if their data is exposed through a third-party breach.  This isn't entirely true.  Long lists of passwords collected from data breaches are added to password dictionaries for use in dictionary attacks.  A dictionary attack uses software to successively attempt authentication (or, with a stolen hash database, to compute and compare hashes offline) using a predefined list of likely passwords, often with simple variations such as capitalization or appended digits.  These attacks are far less resource-intensive than brute-force attacks that try every possible character combination, and because the list is built from passwords people actually choose, they are far more likely to succeed within a given budget of attempts.
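The following is an added example, not code from the original article, that makes the preceding point concrete: a handful of plaintext passwords leaked from a third-party site are run through a small set of mangling rules and tested against an employer's credential store. The leaked list, the employee accounts and the mangling rules are all constructed for this illustration; the store uses unsalted SHA-1, the scheme found in the LinkedIn dump, so cracking is an offline hash comparison rather than a login attempt.

```python
import hashlib

# Constructed sample data (not real breach data): plaintext passwords as they
# might appear in a dump from a breached third-party site.
LEAKED_PASSWORDS = [
    "password", "letmein", "Summer2013", "qwerty", "monkey", "welcome",
]


def mangle(word):
    """Yield the word plus a few variations that cracking tools commonly try.

    Hypothetical rule set for this example: capitalization and short suffixes.
    """
    yield word
    yield word.capitalize()
    for suffix in ("1", "123", "!", "2013"):
        yield word + suffix
        yield word.capitalize() + suffix


def sha1_hex(password):
    """Unsalted SHA-1 hex digest, as used in the 2012 LinkedIn dump."""
    return hashlib.sha1(password.encode()).hexdigest()


# Constructed "work" credential store: username -> unsalted SHA-1 hash.
WORK_HASHES = {
    "jsmith": sha1_hex("Summer2013"),    # reused verbatim from the leaked site
    "agarcia": sha1_hex("Welcome1"),     # leaked word plus a common mangling
    "tchen": sha1_hex("k9#Vq!2mZp7"),    # unique, randomly generated password
}


def dictionary_attack(hashes, wordlist):
    """Test every mangled dictionary candidate against every stored hash.

    Returns (cracked, attempts): cracked maps username -> recovered password,
    attempts is the number of candidate hashes computed.
    """
    candidates = {}
    attempts = 0
    for word in wordlist:
        for cand in mangle(word):
            attempts += 1
            candidates[sha1_hex(cand)] = cand
    # Unsalted hashes let one candidate table be compared against all users.
    cracked = {user: candidates[h] for user, h in hashes.items() if h in candidates}
    return cracked, attempts


def brute_force_keyspace(length, alphabet_size):
    """Number of candidates an exhaustive search of fixed length must cover."""
    return alphabet_size ** length


if __name__ == "__main__":
    cracked, attempts = dictionary_attack(WORK_HASHES, LEAKED_PASSWORDS)
    print(f"dictionary attack: {attempts} attempts, cracked {cracked}")
    # An 8-character search over lowercase letters and digits, for comparison.
    print(f"brute force, 8 chars from 36 symbols: {brute_force_keyspace(8, 36)} candidates")
```

Only the account whose owner chose a password unrelated to any leaked word survives; the two reused passwords fall in a few dozen hash computations, against the trillions an exhaustive search would need. Salting the stored hashes would force the attacker to rebuild the candidate table per user, but would not rescue a password that is itself in the dictionary.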

Financial institution IT personnel are responsible for vetting third-party vendors, including the basic security of any customer information that may reside with a vendor.  It's impossible, however, to perform such due diligence for all of the websites or services that employees might use in their personal lives.  It is therefore vital that employees at a financial institution use different passwords in the workplace than they do for services and sites they use at home.  Here are three options to help mitigate this risk:

  1. Employee training: This most basic step is also the most important. Caution users against reusing username and password combinations between work and home.  Encouraging good password habits is invaluable to network security.  For users worried about forgetting passwords, consider providing access to, and training for, a secure password management solution.  A password manager should provide a secure repository for a user's passwords that is itself protected by a strong master password.  Another important safeguard is to prohibit users from using a work email address for any personal websites.  Not only does this help conceal exact user network credentials, it has the added benefit of keeping the email address off of spammers' lists.
  2. Enforce secure passwords: For any system under your control, make sure strong password requirements are in place.  Passwords should be no shorter than eight characters (the longer the better) and should require a mix of different character types.  Forcing strong, complex passwords at work can act as a natural deterrent against using those same passwords at home.  Enforce a policy requiring passwords to be changed at regular intervals whenever possible.  (One caveat: NIST SP 800-63B has since moved away from mandatory periodic changes and composition rules, which push users toward predictable patterns, in favor of longer minimums and screening every new password against lists of known-breached passwords.  Breach screening is the control that most directly addresses the reuse problem described above.)
  3. Embrace multi-factor authentication: Implementing multi-factor authentication for all work-related systems would largely neutralize the risk of password reuse, because a leaked password alone would no longer grant access.  Pairing something a user knows (password, PIN) with something they have (physical or "soft" token) or something they are (biometrics) makes the password just one variable in the access equation.  Unfortunately, only certain systems, applications and websites support multi-factor authentication, and this added layer of security often involves additional costs.  Systems that allow remote access to financial institution network resources should be considered first when investigating multi-factor authentication.
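As an added example for the "enforce secure passwords" item (not code from the original article), the check below applies the length and character-class rules above and adds breach screening: a candidate password is hashed and looked up in a corpus of passwords already seen in public dumps, so a complex-looking but leaked password is rejected. The breach corpus, the usernames and the threshold values are constructed for this illustration; the corpus is kept as SHA-1 digests so the screening code never needs the plaintext list on disk.

```python
import hashlib

# Constructed breach corpus for this example (not real breach data). In
# practice this would be a large list assembled from public dumps.
_LEAKED_PLAINTEXT = ["password", "Summer2013", "Welcome1", "qwerty123", "P@ssw0rd"]
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest() for p in _LEAKED_PLAINTEXT}

MIN_LENGTH = 8   # floor from the policy above; longer is better
MIN_CLASSES = 3  # of: lowercase, uppercase, digit, symbol (example threshold)


def count_classes(password):
    """Number of distinct character classes present in the password."""
    checks = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return sum(checks)


def check_password(candidate, username):
    """Return a list of policy violations; an empty list means accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if count_classes(candidate) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    if username and username.lower() in candidate.lower():
        problems.append("contains the username")
    # Breach screening: anything present in a public dump is treated as known
    # to attackers, no matter how complex it looks.
    if hashlib.sha1(candidate.encode()).hexdigest() in BREACHED_SHA1:
        problems.append("appears in a known breach corpus")
    return problems


if __name__ == "__main__":
    # Constructed candidates: two reused from the leaked list, one built from
    # the username, one long passphrase.
    samples = [
        ("jsmith", "Summer2013"),
        ("agarcia", "P@ssw0rd"),
        ("tchen", "Tchen2013!"),
        ("mlee", "correct horse Battery staple 9"),
    ]
    for user, pw in samples:
        result = check_password(pw, user)
        verdict = "accepted" if not result else "rejected: " + "; ".join(result)
        print(f"{user}: {verdict}")
```

Note that "Summer2013" and "P@ssw0rd" satisfy every composition rule and are rejected only by the breach check, which is why a complexity policy on its own does not stop the reuse problem this article describes.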
