The need for consistent password review and management is more important than ever.
Those of us of a certain age may remember a television game show called “Password.” The goal of the game was to guess the password using a one-word clue given by a contestant. A collection of passwords would then lead the contestant to guess the puzzle affiliated with the passwords to win the game.
In a way this game is still played today — although the clues are limitless, and the attempts are never-ending. The hacker’s goal is to infiltrate your network and discover what “puzzles” are available.
Let’s start at the beginning — when did the use of passwords begin? By many accounts, the use of a password began at the Massachusetts Institute of Technology with their internal Compatible Time-Sharing System (CTSS) project. Fernando Corbato, the person who shepherded the project in the early 1960s, needed a way to allow multiple users to save private files on multiple terminals. Thus, a password was created for each individual user to control access. Ironically, the first hacking of passwords may have also occurred on the CTSS project in 1962, when an authorized user located and printed out his co-workers’ passwords, which he then used to obtain more network computing time — time that was originally assigned to his co-workers.
Over the years, passwords weren’t just used on computer mainframes and networks. In the 1970s many telephone networks were hacked using social engineering and an unrelenting curiosity to determine how the network functioned and what data was stored. Many long distance calls were made at no cost to the hacker. Long distance calls used to be the primary revenue source for phone companies, so the loss was real. In fact, well-known hacker Kevin Mitnick literally wrote the book on how he hacked numerous networking and phone systems in the 1970s and ’80s. The methods Mitnick used then unfortunately still work today.
Today, the effective use of a proper password is even more important than in the 1960s, ’70s or ’80s. Data is the world’s greatest resource, and hackers will use any method necessary to gain access to it. The most common and effective route remains phishing campaigns. These are emails sent to your targeted employees that look extremely similar to everyday emails they already receive, yet they are embedded with attractive links to click or attachments to open. Performing either action may provide a direct path for the hacker into your network.
Another source of passwords is less obvious, and not even current. There are sources on the dark web that find and post thousands of your old passwords. The hackers then try those old passwords in other applications under your name. While using the same password across multiple applications, both work and private, is easy and convenient, it makes the hackers’ job easy and convenient as well.
So what is the big deal if you are hacked? You quickly change your password, ensure you didn’t lose any data and you are all set, right? Wrong. In fact, a violation of the Commonwealth of Massachusetts law may have occurred. As Michael Hammond, our company principal, previously stated at a Connecticut Automobile Retailers Association seminar, “Unencrypted personal information of Massachusetts’ residents (either customers or employees) leaving your network is a violation of Massachusetts law per 201 CMR 17.” Not only is publication of your data breach a public relations nightmare; you may now also have to answer criminal complaints. Other states have enacted similar laws, so please check your state and local statutes.
The best protection against these threats is a good offense and a plan. First, whenever possible utilize two-factor authentication (another layer of security, in which an additional login credential is required beyond the password). With more and more employees having the ability to work from home, this process provides another layer of protection for your network. Second, require unique passwords for each business application, and ensure the employees do not reuse the passwords from their home or social media accounts. Longer passwords are encouraged, but even better are passwords that are abbreviations of a full sentence. Third, provide phishing campaign training to your staff. Ensure they know what to look for and what to avoid. When in doubt, do not click on any links or attachments; ask your IT staff to review the email first. The threats to your business and network are constant, but training, preventative instruction and maintenance can go a long way toward reducing those threats.