Company passwords bestpractice?

So, in light of the massive increase in ransomware (in Denmark it went from 0.5 to 3.5 percent of companies affected in a year), and being in a cutthroat competitive business where all the major players shuffle employees around between them, I've decided to increase our IT security.

I am curious though, what bestpractice is these days? Right now, EVERYONE has the same password, basically everywhere. I've changed it every time an employee has left us, but it's still silly beyond belief.

I've decided to give personalized passwords to everyone, but am curious as to whether it's standard practice to let it be the same for all the various platforms per user, or give them a different one for each?

I see advantages to both, especially since we are a small company (15 employees now, 3 when I started), but just wanted to get the opinion of you guys here.

The platforms are server access (3 have VPN access, the rest just have access to the server directory), the CRM system, e-mail with webmail, and of course the physical computer.

Anyways - any suggestions are most welcome!

A personal password for each user with a suitable, though preferably not onerous, password selection policy (always a tough balance), and regular forced password rotation (the schedule again is a balance thing). The same password across systems is not ideal, but it is likely to happen and difficult to enforce between disparate systems anyway. Single Sign-on is ideal to take that pain away, but I am not well versed in the solutions beyond them using digital authentication methods to validate a user, rather than just passing a password to an app or service.

Most importantly, two-factor authentication. There are lots of options these days, from physical keyfobs to mobile apps, just about all of which will integrate into a wide variety of systems, so it should be relatively painless to implement. It's a much, much better addition to your security regime than just implementing best practice password methodologies.

Passwords should be the "last line of defense". So before you start looking into 30-day/45-day/90-day policies, complexity, re-use and whatnot, you need to do an inventory of what you are trying to protect, what the potential risks are, how a loss of this resource will affect the business, and how feasible, costly (time, effort, money) and complex securing this asset is. I.e. what are the risks/threats, what can you live without, what will ruin your business, etc. Do you have a disaster recovery plan in place, with procedures printed out (assume your network is down), and with "mint condition" hardware that can be put to use if the day-to-day computer systems are down for critical users?

Ransomware will usually reach you through one of several avenues, for example:

  • Through email with attachment or link to attachment on another site
  • Through phone by tricking the user to visit an off-site link
  • Through "free USB keys" the user just found somewhere. For example, in a big company with lax security, someone dressed up as a big-name supplier, say Dell, carrying a bowl of weaponized USB keys can probably just place the bowl in the reception after sweet-talking the people working there, and people who walk past it on their way to work will most assuredly take a USB key with them and plug it into their computer when they get to their desk.
  • Through watering-hole attacks (if you work in a specialized industry, like aerospace, oil or gas, there will be "the go-to site" for your industry that you always visit (like how many in the game industry probably visit Gamasutra), where the web site is either hacked or hosts a weaponized ad waiting for the correct "target profile")
  • Through BYOD, such as mobile phones connected to the users' laptops for charging/file copying/media, either because of actual files or "BadUSB"-style attacks
  • General web surfing

What you want to do is minimize the threat/risk surface (think disabling add-ons or at least "site-limiting" them, other browser settings, ad blockers, faking browser user-agent strings, etc.).

If there is an internal network, do all the users need write access everywhere? Are the users local administrators on their computers? Are the applications they run “isolated”, do you run EMET on each computer? Is there an outbound “proxy/web filtering solution” for all network traffic? Is the company using a registered public IP-block under the company name?

When it comes to passwords, one thing that I've noticed is that if you force periodic password changes on users, for example 12 times a year, and you require one uppercase letter and numbers in your password policy, do not be surprised if next year's passwords are:
January2017, February2017, etc., or something similar.

But before you do anything: ensure you have an off-site RESTORE option. Notice I use RESTORE and not BACKUP. Everyone can take a backup, but backups are worth very little if you can't restore them in a timely manner with guaranteed integrity.
(If you're doing VMs, look into using Veeam, for example; they should support Hyper-V and have supported VMware for a long time. I think the basic version of their product is free*.)

Always work under the assumption that:

  • You will be attacked
  • The attack will be successful
  • You will have downtime

That means your objective will be:

  • Detecting when you are attacked
  • Preventing the attack from propagating, or stopping it
  • Getting back up - and secure

Depending on what business you are in, detection should be possible (basic organized crime, script kiddies) or will be very difficult/near impossible (state-sponsored, discounting GCHQ/NSA, who are tapping your network elsewhere already).

So: Very little there about passwords. Good luck :)

  • 2-factor authentication should be a “must have” when it comes to remote access.
  • If you let users who are out of the office connect through, for example, an open hotel Wi-Fi, consider having their computers always on VPN when off-site (I see you mention this)
  • Admin passwords should have a stricter security policy than normal user passwords, with auditing
  • Consider using password vaults and teach the users how to use them. The vault file itself shouldn't be stored on their computers but on an "ISOLATED" USB stick. That way they can remember fewer passwords and yet use more of them.
  • Account names shouldn't be obvious, "ADMIN-EXCHANGE" for example
  • Admin credentials shouldn't be cached "in memory"/in a process (pass-the-hash-style attacks)

I guess these days there are two approaches to password complexity:
A lot of suggestions are to make it a phrase (the famous XKCD BatteryHorseStaple thing...), whereas others want it to be 2££@$/&AHfsdFPI^/AOPJKDF^aSG;Y%I_ for example, and good luck typing that when all you see is *********.

Most people, when pressed, will probably use "Passw0rd" or "P455w0RD123" or similar variants, and they already match three password requirements: upper/lowercase + number.

  • Passwords that are used on public sites must all be different, or be in different categories with different password requirements depending on the risk connected to the site.

Seeing as you've only got 15 users, and depending on their computer skills, it is probably easier for you to handle their passwords than to allow them to set their own, unless you frequently email the users about "safe computer habits" so they slowly learn it themselves.

Have fun :)
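The post above makes two concrete points about password quality: forced monthly rotation with a "one uppercase plus a number" rule produces January2017/February2017, and users under pressure reach for Passw0rd-style substitutions that still pass the complexity rule. The following is an added example written for this thread (not code from any poster): a plain PowerShell pre-flight check that rejects exactly those patterns before a password is set. It is not a Windows password-filter DLL, and the blocked-word list, the Danish month spellings and the 12-character minimum are assumptions chosen for the example.

```powershell
# Added example: flag predictable passwords (Month+Year rotation, Passw0rd-style
# substitutions, year suffixes) before they are set. Illustrative only; the
# blocked words, month spellings and minimum length are assumptions.

function ConvertTo-PlainForm {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Text)
    # Undo common character substitutions so "P455w0RD" compares as "password"
    $map = @{ '0'='o'; '1'='i'; '3'='e'; '4'='a'; '5'='s'; '7'='t'; '@'='a'; '$'='s'; '!'='i' }
    $chars = foreach ($ch in $Text.ToLowerInvariant().ToCharArray()) {
        $key = [string]$ch
        if ($map.ContainsKey($key)) { $map[$key] } else { $key }
    }
    return (-join $chars)
}

function Test-WeakPassword {
    param(
        [Parameter(Mandatory)][string]$Password,
        # 'acme' stands in for your company name (assumption); add product names too
        [string[]]$BlockedWords = @('password', 'welcome', 'letmein', 'qwerty', 'acme'),
        [int]$MinimumLength = 12
    )
    $reasons = @()
    if ($Password.Length -lt $MinimumLength) {
        $reasons += "shorter than $MinimumLength characters"
    }

    # Strip a trailing run of digits/punctuation first, then normalise, so that
    # "January2017" -> "january" and "Passw0rd123!" -> "password"
    $core = ConvertTo-PlainForm -Text ($Password -replace '[\d\W_]+$', '')

    $months = @('january', 'february', 'march', 'april', 'may', 'june', 'july', 'august',
                'september', 'october', 'november', 'december',
                'januar', 'februar', 'marts', 'maj', 'juni', 'juli', 'oktober')  # Danish forms (assumption)
    if ($months -contains $core) {
        $reasons += 'month name plus a suffix (forced-rotation pattern)'
    }
    foreach ($word in $BlockedWords) {
        if ($core -like "*$word*") { $reasons += "contains blocked word '$word'" }
    }
    if ($Password -match '(19|20)\d{2}[\W_]*$') {
        $reasons += 'ends with a year'
    }

    [pscustomobject]@{
        Password = $Password
        Weak     = ($reasons.Count -gt 0)
        Reasons  = ($reasons -join '; ')
    }
}

# Constructed sample candidates: the first two are rejected, the last is accepted
'January2017', 'P455w0RD123', 'Wolf-Horse-Battery-9' |
    ForEach-Object { Test-WeakPassword -Password $_ } |
    Format-Table -AutoSize
```

The check runs on the candidate only, so it belongs wherever passwords are chosen or handed out (a help-desk script, an onboarding checklist), not on stored hashes. Note that the length rule alone would have let September2017 through; the month and year rules are what catch the rotation habit the post describes.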

That is excellent advice guys - I really appreciate this very much! Even though I did a master's in computer science (in 2½ years) 20 years ago, I have never worked in the field, and it never encompassed much security. I'm still the most knowledgeable guy about it, but that isn't saying much, other than that I can tell when to call in others ;-)

Anyways - thanks - lots of great things to think over here and work to implement!

You actually want users to have the same password for the different systems. Single Sign On (SSO) ups the likelihood that users will use more robust passwords since there’s only one to remember and reduces the likelihood that they’ll just write it on post it notes or whatnot. Users also don’t have to know what’s on what system, they just access it with their password and move on. Access control separated from authentication. As has been mentioned above, two factor authentication is a huge step up in security. I strongly recommend it if it’s a possibility for you.

I recommend against out passwords. Require users to set their own. You do not ever want to be in the position of knowing anyone else’s password. Which leads to the next point, don’t have a file anywhere with the passwords in it. Ever. Instead make sure there’s a robust password reset mechanism.

What are “out passwords?”

Probably related to him setting the passwords for the users and giving them out.

That's what I'm doing currently - why is that a bad thing? In case someone is sick, for instance, I always check their email to look for business / cancelled meetings and so on, so I kind of have to know the passwords.

Knowing their passwords adds another potential point of access for attackers and is generally a bad security practice. If you’re on Exchange you can set up delegate access which will allow you to check their mail and calendars.
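What the delegate-access suggestion above looks like in practice, as an added example for this thread (not code from any poster): the manager gets access to a colleague's mailbox or calendar under the manager's own credentials, so nobody needs the colleague's password and every action is logged against the person who actually performed it. The cmdlets are standard on-premises Exchange ones run from the Exchange Management Shell; the mailbox and delegate addresses are placeholders (assumption).

```powershell
# Added example: delegate access instead of password sharing.
# Addresses are placeholders; run from the Exchange Management Shell.

$mailbox  = 'alice@example.com'
$delegate = 'manager@example.com'

# Full read/write access to the whole mailbox. No Send-As, and no auto-mapping
# into the delegate's Outlook profile, so access is deliberate rather than ambient.
Add-MailboxPermission -Identity $mailbox -User $delegate `
    -AccessRights FullAccess -InheritanceType All -AutoMapping $false

# If only the calendar is needed (cancelled meetings), grant folder-level rights
# instead. The folder name follows the mailbox language, e.g. "Kalender" for Danish.
Add-MailboxFolderPermission -Identity "${mailbox}:\Calendar" -User $delegate -AccessRights Reviewer

# Turn on mailbox audit logging so delegate actions are recorded under the
# delegate's own identity, then review what delegates have done.
Set-Mailbox -Identity $mailbox -AuditEnabled $true
Search-MailboxAuditLog -Identity $mailbox -LogonTypes Delegate -ShowDetails |
    Select-Object LastAccessed, LogonUserDisplayName, Operation, FolderPathName

# Periodic check: who currently holds explicit rights on this mailbox?
Get-MailboxPermission -Identity $mailbox |
    Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\*' } |
    Select-Object User, AccessRights, Deny
```

Grant the narrowest right that does the job (Reviewer on the calendar rather than FullAccess on the mailbox) and remove it when the cover period ends with Remove-MailboxPermission / Remove-MailboxFolderPermission. The audit log is what separates "the manager read the inbox on Tuesday" from "someone with the password read the inbox", which is the scenario raised later in this thread.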

I’m not a security guy, but just speaking as an end user: this is not a tough issue for employees to deal with. My laptop is always on a VPN, and when I log in online I get an automated phone call asking for a PIN. It’s a little slow to get going, but not to the point that I hate life.

Oops. yeah. “giving out.”

one edit too far. ;)

That’s what proxy access is for. Neither you nor anyone else should ever log in using another user’s credentials.

Consider this contrived scenario. One of your users is doing something very bad. The police get involved and subpoena the email records. The user in question says, "I'm not the only one with access to that account. It wasn't me." That'll be a bundle of fun for you and everyone else.

“best” and “practice” are separate words. Anyone who says otherwise is CLEARLY WRONG. >:[

Haha sorry - second language, and the fact that Danish allows you to string together pretty much all words sometimes leads me down that particular trap ;-)

Anyways - I appreciate all the excellent advice here. Some of it is not practical for us...yet, but may become so over time, so it's excellent to understand these things.

Oh. I didn’t realize it was a Danish thing. That just seemed like one of those obnoxious words some overly cheerful corporate trainer would come up with and then shove down everyone’s throats at a company somewhere. UGH. :P