Welcome to Cash in the Cyber Sheets. I'm your host, James Bowers, and together we'll work with business leaders and industry experts to dive into the misunderstood business of cybersecurity and compliance to learn how to start making money from being secure and compliant. Welcome to Cash in the Cyber Sheets.
Hi everyone, welcome back to Cash in the Cyber Sheets. I'm your host, James Bowers, Chief Security and Compliance Architect here with Input Output, very happy to have you back with us today as we dive back into the Dirty 13, the top 13 issues we find when performing audits on CPA firms. And to be quite honest, it's really against any firm that we perform audits on.
These are very, very common issues. And today we're going to dive into the issues we find around password management, poor password management practices. So we'll dive into really what we're seeing in audits, which is happening over and over and over, and also go through a quick six steps that you can take to tighten up your passwords, make them stronger, and that are also just really good to define within any of the policies that you have.
So before we jump in, please click that subscribe, click that like, and let's help get some more people on the show. So with that said, let's jump into first the main issues that we're finding when we perform our audits. Now, honestly, we find it.
We see all kinds of different things in our audits. The most common that we see, though, around password or password management and maybe the biggest, I feel like that's anecdotal. I haven't actually measured it, but I feel like the biggest issue we find is password sharing.
And this is where people are, I really should say credential sharing, but this is about passwords. So we're talking about passwords. But this is really where people are utilizing the same accounts or they share the password so that other people can jump in.
And this creates a major issue because, one, it completely destroys any integrity that you have on the accounts. If something goes sideways, you can't pin that to anybody, that you don't have any repudiation capability. And it completely breaks down that non-repudiation to where you can say, this person signed in at this time and this is what they did.
If the passwords are being shared, well, that could have been somebody else that did it. So that's a major issue in and of itself. Completely destroys integrity, which can be a major compliance issue if you're ever really getting audited by like a government regulator or some such.
Another major issue with it is, I mean, I think the obvious here is you're sharing the passwords, multiple people have it. It's a bigger footprint for it to get compromised, a bigger footprint for more people to have it on a Post-it note, just makes the account considerably less secure. What it also does, and this is where we typically find an issue, is with these shared accounts, they're shared with a particular associate or a vendor or somebody, but that person no longer works for the organization.
We remembered to close out all the accounts for that terminated employee that they had, all of the relationships that they had, but these kind of shadow IT issues, these shared passwords, we completely forgot about those. I forgot that Susie had access to those passwords. And now we could potentially have a very serious, a very serious unauthorized access issue or, man, God forbid, this is an employee that isn't being terminated in the best way.
They're leaving. They're just a very hostile employee. I don't know why that was so hard to get out.
But if they're very hostile and they've got access still, it could cause a lot of havoc. So password sharing, don't do it. Give everybody their own account.
Enough said on that. The next one we find a lot is password reuse. And there's kind of two, I think two main categories here.
One, there's password reuse where you just keep reusing the same password every time it asks you to reset it. You just use the same one. Maybe you tweak it just a little bit.
You add a different number. This time it was password one, two, three. Next time it's password one, two, three, four.
Whatever. That's a pretty common password reuse issue. What's more common, however, is using the same password on multiple systems.
So it's time for me to change my password. I don't want to forget it. I'm going to do a nice complex password, but I'm going to change it across all of my accounts.
And now if somebody gets my password, they can easily get into other accounts. And this is typically where a lot of data breaches happen. Data breach will happen on company A, where they get access to all those passwords, figure them out.
And then with the users, they just start trying other institutions, other accounts. They know that you work at Contoso and they got access to passwords and they have your email. They're just going to try that password on Contoso's site.
And if you're using the same passwords, it's going to make it very easy to get in. So reusing passwords, again, major issue. And we normally find this when auditing, looking at the hash files of different systems and checking those passwords.
We see that a lot of times they're the same. So please use a unique password every time. It's hard to do if you're trying to remember them.
Definitely use something like a password management tool. The final one here is a weak structure. And this takes a whole myriad of different issues, but one of them definitely relates to kind of the password reuse.
We have the password we like, say "password", and we just add a single number or we just change that single number or symbol. And that makes them very, very easy to guess. Or we use something like an address or a birthday or a name or some structure thereof.
And that makes the passwords very easy to guess. With AI, what we're finding is that even longer passwords that used to take a long time to theoretically crack, what AI is doing is it's looking at all of the different possibilities and it's saying, you know what, I'm going to try maybe this particular naming convention. I'm going to try their date of birth, or I'm going to try some sort of structure that's probably more likely before I try any of the others with my brute force attempts.
And upwards of 80%, the AI is able to crack the passwords considerably faster than just a regular brute force attack, just because of this weak password structure. Now, I think with that said, I don't want to get into, at least not on this episode, a big discussion about complexity being really bad because it makes it more difficult to remember the passwords.
Yes, that's true. It's a seesaw, and I think what's best is going through the different steps to secure the password and then adding in that caveat of the password manager. So let's get into the six different ways that you can really make sure that your passwords are strong.
And these are things that really you should have identified in your password policy and your information security policies. So the first one here is length. I'm not going to make the joke of bigger is better, but with passwords, it is.
We want to have at a minimum eight characters, which really you should have at least 12 characters or more in your password. There's some systems that just for whatever reason still don't support it, but you want to have at least 12 characters. If you can, however, you want to support 64 characters or more.
And what that will let you do is actually create passphrases. It's much easier to remember a whole sentence than it is some random password. And it's actually much more difficult to crack, say a sentence that is 45 characters long than it is a complex password that's 10 characters long.
So make your passwords as long as possible and support them being super long. The next one is complexity. And this goes down to using uppercase, lowercase, numbers, special characters.
I would give a caution here that a lot of sites don't allow certain special characters. Those sites also don't always let you know that they're not allowed. It will accept the password.
We find this, interestingly enough, on a lot of banking websites. And then when you try to log in, it won't work because that character is not supported. There's also the concern here that the more complex that you make the password, the more difficult it is to remember.
And that will lead to people writing it down on a Post-it or relying on that weak password structure where they just change one number or change one symbol. What's better here is a longer password with a little bit of complexity. Maybe an uppercase letter, maybe a number or symbol here or there, but a longer password, just a few complex add-ons, as I say.
But if you make it this hodgepodge of random characters, people are never going to remember it. They're not going to be able to type it in. And it's going to lead to a lot of frustration and lead to less secure practices.
People are going to find ways around it, which is really why you need the password manager to get into it. The next one is prevent reuse on the accounts. Actually, a lot of systems now support this, where you just say you can't use your past five passwords or past ten passwords.
If you can, you also want to create it to where the users can only reset their password once a day. And what this does is it prevents users from just cycling through ten passwords real quick so that they can get back to their standard password or their very weak password. That seems like it wouldn't be an issue.
We actually find that quite a bit. The next one is password expiration and new NIST guidelines state that you shouldn't expire your passwords, that unless there's an indication of compromise, it actually makes them less secure. And this I would tend to agree with, especially now where we've got MFA requirements, other requirements, all the checks and balances, those are great.
But now if I'm having to go through all of those steps every time I have to change my password, it's going to be incredibly frustrating. It's going to prevent work from getting done. And you also have to consider that it's not just one account that that's the case for.
People have multiple accounts, multiple passwords. So if every week, every couple of days I'm having to reset my password and jump through all these hoops, it gets tiring very quickly. People will find a way around it.
With that said, if you have a long password, I shouldn't have said "with that said" yet, I haven't made the other point. If you have a very long password, I would typically slide to the side of don't expire the passwords unless there's some sort of indication of compromise. Also make sure you have MFA enabled, which incidentally is number six.
But if you've got a strong password structure in place, you don't necessarily need to expire them. Here comes the "with that said": with that said, a lot of insurance companies and vendors, suppliers, they still look for password expirations; they want to see that in policy, they want to see that in practice.
And this becomes a point of pick your pain. Do you want to have it on the side of your users being impacted and possible security issues, or do you want to have it on the side of having to struggle in arguments against insurance companies, vendors, and suppliers? That's an internal choice, just something to be aware of. The next one is locking down failed attempts.
Most systems do this by default now. You just want to make sure that after so many failed attempts, at least within a particular time frame, that it locks the account out. And finally, make sure that you have multi-factor authentication on each account.
If you can, avoid SMS, just because you can clone a phone; also avoid using email. If your email gets compromised, that kind of opens everything up. I would also say here with the MFA, if you're using a password manager, make sure you're not storing the backup codes or those accounts in the password manager.
That way, if, God forbid, this is horrible, but your password manager gets compromised, you'll still be able to keep people out of those accounts because they won't have the multi-factor. If everything's all there in one spot, all of your backup codes, that's full keys to the kingdom. So tying that all together, it can be very difficult to manage passwords effectively.
That's why I definitely recommend using a password management tool. We like Keeper Security because it is zero knowledge, meaning that if Keeper gets a data breach, they don't have access to our information. We hold all the encryption keys.
There's LastPass, there's Bitwarden, there's a lot of other password management tools. Find the one that fits your organization best. Find the one that you're able to use easily.
I think that's the biggest thing because if it's difficult to use, you're not going to use it. But that way, you can even use long, complex passwords and it doesn't matter because it's all stored in that password manager that can throw it right in for you. Also, as much as you can, use passphrases rather than passwords.
They're just long sentences. They're much easier to remember and much more secure. So I think that wraps up our discussion of poor password management.
Please take a look at the website. We should have links in the description here for a nice little tool that goes over those six steps and also some companion articles that really just dive a lot deeper into it. So thank you very much for listening to us today on Cash in the Cyber Sheets and until next time.
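As an added example, not part of the episode's transcript or of any product mentioned in it, here is a small account-policy model that enforces several of the six controls discussed above: a 12-character minimum with no low upper cap so long passphrases are accepted, light complexity, rejection of the "known word plus a number" structure, no reuse of the last ten passwords, at most one change per day, and lockout after repeated failed logins within a window. The parameter values, the `WEAK_BASES` word list and the `Account` class are assumptions chosen for illustration.

```python
import datetime as dt, hashlib, hmac, os

# Policy parameters are assumptions chosen for illustration, not values from the episode.
MIN_LEN, HISTORY, LOCK_AFTER = 12, 10, 5        # no upper cap: long passphrases are welcome
LOCK_WINDOW, MIN_CHANGE_GAP = dt.timedelta(minutes=15), dt.timedelta(days=1)
WEAK_BASES = {"password", "passw0rd", "welcome", "letmein"}  # constructed sample list

def strength_problems(pw):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(pw) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    classes = (any(c.islower() for c in pw) + any(c.isupper() for c in pw)
               + any(c.isdigit() for c in pw) + any(not c.isalnum() for c in pw))
    if classes < 2:
        problems.append("uses only one character class")
    if pw.lower().rstrip("0123456789!@#$%^&*") in WEAK_BASES:
        problems.append("common word with a number or symbol tacked on")
    return problems

def _hash(pw, salt):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

class Account:
    def __init__(self):
        self.salt = os.urandom(16)  # one salt per account so history entries stay comparable
        self.history, self.last_change, self.failures = [], None, []

    def change_password(self, new_pw, now):
        """Return the reason the change was refused, or None when it is accepted."""
        if self.last_change and now - self.last_change < MIN_CHANGE_GAP:
            return "password may only be changed once per day"
        if problems := strength_problems(new_pw):
            return "; ".join(problems)
        h = _hash(new_pw, self.salt)
        if any(hmac.compare_digest(h, old) for old in self.history):
            return f"matches one of the last {HISTORY} passwords"
        self.history = (self.history + [h])[-HISTORY:]
        self.last_change = now

    def login(self, pw, now):
        """Return 'ok', 'bad' or 'locked'; lock after LOCK_AFTER failures inside LOCK_WINDOW."""
        self.failures = [t for t in self.failures if now - t < LOCK_WINDOW]
        if len(self.failures) >= LOCK_AFTER:
            return "locked"
        if self.history and hmac.compare_digest(_hash(pw, self.salt), self.history[-1]):
            self.failures.clear()
            return "ok"
        self.failures.append(now)
        return "bad"
```

A real system would keep per-password salts and a slower hash than this demonstration uses; the structure of the checks is the point.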
Thanks for joining us today. Don't forget, click that subscribe button, leave us a review, and share it with your network. Remember, security and compliance aren't just about avoiding risk. They're about unlocking your business's full potential. So stay secure, stay compliant, and we'll catch you next week on Cash in the Cyber Sheets. Goodbye for now.