Why Strong Passwords Aren’t Enough

We recently heard an anecdote from a security executive that illustrates the need for much stronger password policies at municipalities. We altered the details to protect our source. 

“An organization in South Carolina has 1,000 employees. During a security audit, 117 employees were found to be using the password ‘Gamecocks2019.’ Immediately, the security executive implemented a stronger password policy that caused employees to reset their passwords and eliminated the chance of such a common password from being used in the future.”

What’s interesting is that each employee selected a password individually, thinking it was unique. None of the 117 people knew about anyone else’s “unique” password.

Many employees know not to use “password” anymore, but other problems persist. Sports teams, TV shows, celebrities, pet names and children’s names don’t make strong passwords, since they are too common.

Here are three tips for a better password policy — from good to better to best.

Good: Password Strength
Enforcing strong passwords prevents employees from choosing common or easily guessed words and phrases. Strong passwords may be:
  • Passphrases: A passphrase is a long phrase that is easy for you to remember — such as “Theredh0rseis2fast!” — but hard for hackers to guess. The longer a password, the more difficult it becomes to crack. You would still need to mix in a few numbers and symbols for good measure.
  • Complex passwords: While not as memorable as a passphrase, a complex password made up of a string of letters, numbers and symbols is also harder to guess.
Strong passwords are a good tactic, but hackers can still crack them with enough effort.
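The anecdote above (117 people independently choosing “Gamecocks2019”) shows why a policy needs more than length and character-class rules: the common base word has to be caught however it is decorated with years, symbols or letter substitutions. The following is an added example, written for this page and not code from the article or from VC3, of a password check that normalizes a candidate back to its likely base word and compares it against a denylist, plus an audit helper that groups recovered passwords by base word. The denylist, the 12-character minimum and the sample audit records are all constructed for illustration.

```python
from __future__ import annotations

import re
from collections import Counter

# Constructed denylist of "base words" that turn up constantly in breached
# password sets: local teams, seasons, generic words. A real deployment would
# load a far larger list, such as a breached-password corpus.
COMMON_BASE_WORDS = {
    "password", "gamecocks", "tigers", "clemson", "welcome", "letmein",
    "summer", "winter", "football", "baseball", "qwerty", "admin",
}

MIN_LENGTH = 12  # assumed policy minimum; not a figure from the article

# Common letter-for-symbol substitutions users make to "strengthen" a word.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password: str) -> str:
    """Reduce a password to the base word the user most likely started from:
    lowercase it, drop leading/trailing digits and symbols (appended years,
    exclamation marks), and undo common substitutions such as 0->o and @->a."""
    base = password.lower()
    base = re.sub(r"^[^a-z]+|[^a-z]+$", "", base)
    return base.translate(LEET_MAP)


def check_password(password: str) -> tuple[bool, str]:
    """Return (accepted, reason). Rejects short passwords and any password
    built on a denylisted base word, however it is decorated."""
    if len(password) < MIN_LENGTH:
        return False, "too short"
    base = normalize(password)
    if base in COMMON_BASE_WORDS:
        return False, f"common base word '{base}'"
    for word in COMMON_BASE_WORDS:
        # Longer words are safe to match as substrings; short ones would
        # produce too many false positives.
        if len(word) >= 6 and word in base:
            return False, f"contains common word '{word}'"
    return True, "ok"


def shared_base_words(records, threshold: int = 2) -> dict[str, int]:
    """Given (username, password) pairs recovered during an audit, count how
    many accounts share the same base word. Passwords that differ only by a
    year, a symbol or a substitution are grouped together."""
    counts = Counter(normalize(pw) for _, pw in records)
    return {base: n for base, n in counts.items() if n >= threshold}


# Constructed sample audit records, not real accounts.
SAMPLE_AUDIT = [
    ("alice", "Gamecocks2019"),
    ("bob", "gamecocks2018!"),
    ("carol", "G4mecocks!"),
    ("dave", "Theredh0rseis2fast!"),
    ("erin", "P@ssw0rd2019!"),
]

if __name__ == "__main__":
    for user, pw in SAMPLE_AUDIT:
        print(user, check_password(pw))
    # Three of the five sample accounts collapse onto the same base word.
    print(shared_base_words(SAMPLE_AUDIT))
```

Run against the sample records, the check rejects every “Gamecocks” variant and “P@ssw0rd2019!” while accepting the article's passphrase, and the audit reports the three accounts sharing the “gamecocks” base. The normalization step is what makes the difference: a plain string comparison would treat “Gamecocks2019”, “gamecocks2018!” and “G4mecocks!” as three unrelated passwords.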

Better: Password Managers
Password managers are services that generate strong passwords, remember all your passwords and encrypt them. Once implemented, the managers tend to work smoothly in the background and make your life easier.

Some benefits include
  • Automated generation of strong passwords: A password manager can automatically generate strong complex passwords for you and encrypt them.
  • Shoring up employee password weaknesses: With a password manager, employees cannot use weak passwords or reuse the same password across multiple accounts.
  • Easier password policy adoption: With password managers, implementing a password policy becomes easier for employees, resulting in a policy that’s actually used and enforced.
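To make the “automated generation” benefit concrete, here is an added example (not code from the article, VC3 or any particular password manager product) of how a manager generates passwords: it draws from the operating system's cryptographic random source via Python's secrets module, guarantees one character of each class, and assigns every account its own password so reuse cannot happen. The alphabet, the 20-character default length and the account names are assumptions chosen for the example.

```python
import math
import secrets
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{}:,.?"   # assumed symbol set
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS


def generate_password(length: int = 20) -> str:
    """Generate a random password with the OS CSPRNG (the secrets module,
    never random.choice). One character from each class is guaranteed so the
    result also satisfies complexity rules that demand them."""
    if length < 8:
        raise ValueError("length must be at least 8")
    chars = [secrets.choice(LOWER), secrets.choice(UPPER),
             secrets.choice(DIGITS), secrets.choice(SYMBOLS)]
    chars += [secrets.choice(ALPHABET) for _ in range(length - 4)]
    # Shuffle with the CSPRNG so the guaranteed characters land anywhere.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def has_all_classes(password: str) -> bool:
    """True if the password contains a lowercase, uppercase, digit and symbol."""
    return (any(c in LOWER for c in password)
            and any(c in UPPER for c in password)
            and any(c in DIGITS for c in password)
            and any(c in SYMBOLS for c in password))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Upper bound on the strength of a random password of this length, in
    bits (log2 of the number of possible strings). A human-chosen word plus a
    year has nothing like this much entropy, whatever its length."""
    return length * math.log2(alphabet_size)


def build_vault(accounts) -> dict:
    """Assign every account its own generated password. The manager, not the
    user, remembers them, so the same password is never reused across sites."""
    vault = {}
    used = set()
    for account in accounts:
        pw = generate_password()
        while pw in used:          # astronomically unlikely, but cheap to guard
            pw = generate_password()
        used.add(pw)
        vault[account] = pw
    return vault


def has_reuse(vault: dict) -> bool:
    """Audit check: does any password appear under more than one account?"""
    return len(set(vault.values())) < len(vault)


if __name__ == "__main__":
    # Constructed account list for demonstration.
    vault = build_vault(["email", "payroll", "gis-portal"])
    for account, pw in vault.items():
        print(f"{account}: {pw}")
    print("reuse detected:", has_reuse(vault))
    print(f"~{entropy_bits(20):.0f} bits for a 20-character password")
```

With an 84-character alphabet, a 20-character generated password carries roughly 128 bits, which is the kind of strength no memorable phrase reaches; the trade-off the article describes is that the manager, not the employee, has to remember it.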

Best: Two-Factor Authentication
Despite what you may hear about its inconvenience, two-factor authentication, also known as “2FA,” dramatically increases your login security.
  • Ease of use: 2FA works by sending you a code through text messaging, or through an easy-to-install app (such as Duo Mobile or Microsoft Authenticator) that shows a new randomly generated code every 30 seconds or sends a “push notification” where you just press OK to confirm your login.
  • Large reduction in the chance of getting hacked: In 2018, a Verizon Data Breach Investigations Report noted that 81% of company data breaches occur because of poor passwords. With 2FA, you add an extra step that makes it much, much more difficult for a hacker to succeed. While 2FA isn’t hacker-proof, it places an additional barrier — physical access to your smartphone — in front of the hacker to overcome.
  • No IT investments or infrastructure needed: 2FA is cheap. It’s often baked into existing applications and the implementation generally involves receiving a text or installing a free app on a smartphone.
We encourage you to explore these options and implement the strongest password policies possible. Weak passwords put your city or town at risk.

Joe Howland is the chief information security officer at VC3, the Municipal Association’s technology partner.