If you polled the general population, you would probably find that most people believe their passwords get stolen by a virus or malware running on their machine. They will want to switch to a Mac or Chromebook because those are considered ‘safer’ with regard to viruses. These days, however, you are far more likely to have your login credentials stolen from a breached online database or through a phishing attack. Although we have control over how we detect and respond to phishing attempts, we have very little control over whether a service we use (Facebook, for instance) stores passwords in plaintext or leaves a database of user accounts exposed on the public internet. Therefore, it is imperative that we implement password policies and dual factor authentication (also known as two-factor or multi-factor authentication, 2FA/MFA) across our organization wherever possible.
Your password policy should require all employees to use strong passwords (at least 12 characters, mixing numbers, special characters, capital and lower-case letters) that are unique to each login. For example, your Microsoft work password should be unique and not the same as your Salesforce password. The reason is that if your login credentials ever leak onto the web, the damage is limited to one account rather than dozens; attackers routinely take a leaked username and password and try them against every other service (credential stuffing). New passwords should also be checked against lists of passwords known to have appeared in breaches, since those are the first guesses an attacker makes. Because organizations cannot guarantee that a user's work password has not also been used for personal accounts (Facebook, Pinterest, Chase, etc.), a password expiration policy is advised: it at least lowers the chance that a work password is the same as a personal one, even though reuse is already against company policy. Be aware of the trade-off: NIST SP 800-63B recommends against forced periodic rotation on its own, because users respond with predictable variants (Summer2023! becomes Fall2023!), so if you keep expiration, pair it with breached-password screening, and always require an immediate change whenever a compromise is suspected.
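The two checks described above, the complexity rules and a breached-password lookup, as an added example in Python (not code from the original post). The breach lookup uses the k-anonymity scheme of the public Pwned Passwords range API: only the first five hex characters of the password's SHA-1 leave the machine, and the returned list of suffixes is compared locally. The range response embedded here is constructed so the example runs offline; the suffix for "password" is the real SHA-1 suffix, but the counts are made up. The `live_fetch_range` function is the only part that touches the network and is not exercised by default.

```python
import hashlib
import re
from typing import Callable, Dict, List

# Policy thresholds from the post: 12+ characters, with lower, upper, digit and special.
MIN_LENGTH = 12


def policy_failures(password: str) -> List[str]:
    """Return every policy rule the password violates (an empty list means it passes)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        failures.append("no lower-case letter")
    if not re.search(r"[A-Z]", password):
        failures.append("no capital letter")
    if not re.search(r"[0-9]", password):
        failures.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        failures.append("no special character")
    return failures


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """k-anonymity lookup: send only the 5-char SHA-1 prefix, match the suffix locally.

    The range endpoint returns lines of the form 'SUFFIX:COUNT'. Returns 0 if the
    password's suffix is not in the range, otherwise the number of breach sightings.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.strip() == suffix:
            return int(count.strip() or 0)
    return 0


# Constructed stand-in for the HTTPS response to /range/5BAA6 (the prefix of SHA-1("password")).
# The middle suffix is the genuine remainder of that hash; the other lines and all counts are invented.
_FAKE_RANGE_RESPONSES: Dict[str, str] = {
    "5BAA6": "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
             "1E2AAA439972480CEC7F16C795BBB429372:1\r\n",
}


def fake_fetch_range(prefix: str) -> str:
    """Offline fetcher used by the example; unknown prefixes return an empty range."""
    return _FAKE_RANGE_RESPONSES.get(prefix, "")


def live_fetch_range(prefix: str) -> str:
    """Real lookup against the Pwned Passwords range API (network required, not run by default)."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "password-policy-check"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def evaluate(password: str, fetch_range: Callable[[str], str] = fake_fetch_range) -> dict:
    """Combine both checks; reject if either list is non-empty / count is non-zero."""
    return {
        "policy_failures": policy_failures(password),
        "breach_count": breach_count(password, fetch_range),
    }


if __name__ == "__main__":
    for pw in ["password", "Winter2024!", "applebottlerockettruck5%", "Correct-Horse-Battery-9"]:
        print(f"{pw!r}: {evaluate(pw)}")
```

Swap `fake_fetch_range` for `live_fetch_range` to query the real service; because only a five-character prefix is sent, the password itself is never disclosed to the lookup service.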
The password policy should specify that passwords can never be shared with anyone, or written down anywhere other than in a designated password manager such as LastPass or 1Password. The master password that unlocks the password manager should be very long and complex (at least 20 characters, mixing capital and lower-case letters, digits and special characters), must not be reused anywhere else, should itself be protected with dual factor authentication, and should be changed once a year.
A password strategy that has gained popularity in recent years is the pass-phrase, for example applebottlerockettruck5%. A pass-phrase like this is easy to remember (if you are not using a password manager, which you should be!), very long, and expensive to brute-force. Security researchers still debate whether a pass-phrase is more secure than a random password: the strength of a pass-phrase comes from how many words it contains and how large the list they are drawn from is, not from its character count, because an attacker who knows the scheme guesses whole words rather than individual letters. Even so, a long password is generally more secure than a shorter one, and a pass-phrase that a person will actually remember beats a ‘complex’ password written on a sticky note.
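To make the pass-phrase versus random-password debate concrete, here is an added Python example (not from the original post) that generates pass-phrases with a cryptographically secure RNG and computes the entropy of each scheme. The 16-word list embedded below is constructed for the demonstration and is far too small for real use; the 7776-word size used in the comparison is the standard Diceware list size. The symbol set and the guess rate passed to `years_to_exhaust` are assumptions for illustration.

```python
import math
import secrets
import string

# Constructed mini word list for the demo only; a real Diceware list has 7776 words.
WORDS = ["apple", "bottle", "rocket", "truck", "garden", "silver", "window", "cactus",
         "marble", "pillow", "falcon", "velvet", "copper", "lantern", "meadow", "thunder"]
SYMBOLS = "!@#$%^&*"  # assumed symbol set for the trailing character


def entropy_bits(choices_per_position: int, positions: int) -> float:
    """Entropy of a secret built from `positions` independent, uniform choices."""
    return positions * math.log2(choices_per_position)


def generate_passphrase(words=WORDS, count: int = 4, suffix: bool = True) -> str:
    """Pick `count` words uniformly with secrets (never random.choice), in the post's style."""
    phrase = "".join(secrets.choice(words) for _ in range(count))
    if suffix:  # applebottlerockettruck5% style: one digit and one symbol appended
        phrase += secrets.choice(string.digits) + secrets.choice(SYMBOLS)
    return phrase


def passphrase_entropy(list_size: int, count: int, suffix: bool = True) -> float:
    """Entropy against an attacker who knows the list, the word count and the suffix scheme."""
    bits = entropy_bits(list_size, count)
    if suffix:
        bits += entropy_bits(10, 1) + entropy_bits(len(SYMBOLS), 1)
    return bits


def random_password_entropy(length: int, alphabet_size: int = 94) -> float:
    """Entropy of a uniformly random password over the 94 printable ASCII characters."""
    return entropy_bits(alphabet_size, length)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every possibility at a given (assumed) guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    print("sample pass-phrase:", generate_passphrase())
    rate = 1e10  # assumed: offline guesses per second against a fast hash
    for label, bits in [
        ("4 Diceware words + digit + symbol", passphrase_entropy(7776, 4)),
        ("10 random printable characters", random_password_entropy(10)),
        ("12 random printable characters", random_password_entropy(12)),
    ]:
        print(f"{label}: {bits:.1f} bits, {years_to_exhaust(bits, rate):.1f} years at 1e10 guesses/s")
```

Run against a 7776-word list, the post's own style of pass-phrase (four words plus a digit and a symbol) comes out at about 58 bits, slightly below a random 10-character password (about 65.5 bits) despite being more than twice as long. That is exactly the debate the paragraph refers to: length only helps when the attacker has to guess character by character, so add words (each one is worth about 12.9 bits from a 7776-word list) rather than relying on character count.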
Dual Factor Authentication
Dual factor authentication verifies that the person logging in to an application is actually the person who owns the account, by requiring something the user has in addition to the password they know. Most people have had to enter a code received by text message or email when logging in. However, that may no longer be good enough, and here is why.
Jack Dorsey Twitter Hack
Jack Dorsey, then CEO of Twitter, was famously hacked in 2019, not because his password leaked but because his phone number was moved to a SIM card in the attacker's phone (a ‘SIM swap’). This can happen either through an insider at AT&T, Verizon or T-Mobile who intentionally reassigns your number to someone else, or through an attacker who convinces the carrier's support agent over the phone that they are you. Once the attacker controls your phone number, they receive every text message sent to it, including dual factor authentication codes and any password-reset codes or links delivered by SMS. With those codes, they can do whatever they want with your account.
For this reason, it is strongly advised that authenticator apps such as Google Authenticator, Microsoft Authenticator or Authy be used instead of text messages. These apps generate time-based one-time codes (TOTP) from a secret that is shared with the service once, at enrollment, and afterwards stored only on the phone; the codes are computed locally and never sent over the mobile network, so even an attacker who swaps your SIM cannot obtain them without your actual phone. The flip side is that if you lose the phone holding the authenticator app, you will most likely be locked out of your accounts. We therefore recommend either enrolling a backup phone with the same secret (scan the same QR code during setup, and preferably keep that phone disconnected from the internet), or printing the backup codes the service issues at enrollment and storing them in a fireproof safe. One caveat: an authenticator code can still be phished if an attacker tricks you into typing it into a fake site and relays it to the real one within the code's validity window, so for the most sensitive accounts consider a hardware security key (FIDO2/WebAuthn), which is bound to the genuine site and cannot be relayed.
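To show why a SIM swap does not help against an authenticator app, here is an added Python example (not code from the original post or from any of the apps named) implementing the RFC 4226 HOTP and RFC 6238 TOTP algorithms those apps use, with the server-side verification window, the base32 decoding of the seed delivered in the enrollment QR code, and single-use backup codes stored only as hashes. The 20-byte ASCII secret `12345678901234567890` is the RFC test key; the `otpauth://` URI layout follows the widely used Google Authenticator key-URI format; the account and issuer names are placeholders.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the clock divided into 30-second steps.

    Both phone and server compute this from the shared seed; nothing is transmitted,
    which is why intercepting SMS (e.g. by SIM swap) yields nothing.
    """
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, code: str, at_time: int, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Server-side check tolerating +/- `window` steps of clock drift, constant-time compare."""
    counter = at_time // step
    for delta in range(-window, window + 1):
        if counter + delta < 0:
            continue
        if hmac.compare_digest(hotp(secret, counter + delta, digits), code):
            return True
    return False


def secret_from_base32(encoded: str) -> bytes:
    """The seed in the QR code is base32; apps often show it lower-case, spaced and unpadded."""
    cleaned = encoded.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def new_enrollment(account: str, issuer: str):
    """Generate a fresh 160-bit seed and the otpauth:// URI an authenticator app scans.

    Enrolling a backup phone simply means scanning this same URI on a second device.
    """
    seed = secrets.token_bytes(20)
    b32 = base64.b32encode(seed).decode().rstrip("=")
    uri = (f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}"
           f"&algorithm=SHA1&digits=6&period=30")
    return seed, uri


def generate_backup_codes(count: int = 8):
    """Recovery codes: show the plaintext to the user once; persist only the hashes and
    delete each hash after a single successful use."""
    plain = [secrets.token_hex(5) for _ in range(count)]
    stored = {hashlib.sha256(c.encode()).hexdigest() for c in plain}
    return plain, stored


if __name__ == "__main__":
    seed, uri = new_enrollment("alice@example.com", "ExampleCorp")  # placeholder names
    print("enrollment URI:", uri)
    now = int(time.time())
    code = totp(seed, now)
    print("current code:", code, "accepted:", verify_totp(seed, code, now))
    print("backup codes:", generate_backup_codes()[0])
```

Because the server and the phone each derive the code from the seed and the clock, the only ways to obtain a valid code are to hold the enrolled device, to steal the seed from it or from the server, or to phish the code from the user while it is still valid. That last case is the reason for the caveat above about hardware security keys.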
Unicom strongly recommends that organizations require dual factor authentication (using an authenticator app) in every application the business uses. That way, even if an employee's password leaks, an attacker cannot access the account without the employee's physical phone. This is the last line of defense in cybersecurity, and a very effective one when used properly.
Would you like assistance with your organization’s cybersecurity policies? Please reach out, we would love to help.