Our clients routinely tell us, “Every account and system is protected by a strong password policy”, and that policy usually has the following elements:
- Between 8 and 128 characters long.
- Use at least three of the following four character types: (a) uppercase letters, (b) lowercase letters, (c) numbers, (d) special characters.
Is it secure enough?
A common train of thought is that passwords are encrypted, so complex ones should be hard to crack and are therefore reasonably secure. In practice, stored passwords are hashed rather than encrypted, and a password that satisfies a complexity rule is not necessarily hard to guess, nor does the rule stop people from sharing it, as a case we worked on shows.
We worked with a company that used SAP for procurement approvals, with a workflow requiring three staff members to approve any invoice above a certain amount. After a restructuring, one of the three approvers was let go and the department no longer had enough people to satisfy the three-person rule. Changing the SAP workflow would have meant hiring an external consultant, so instead the department created a dummy approver account and shared the third approver's password among themselves. This sidestepped the SAP access control, and with it the segregation of duties the three-person rule existed to enforce, leaving the company exposed.
Passwords serve two purposes: authentication (keeping out anyone who does not hold the secret) and accountability (tying every action to the user who performed it). If a password is compromised, so is the identity of the user behind it: any action taken with the shared or stolen password is recorded against that individual, whether or not they actually performed it.
Companies now generally enforce strong password policies in response to the rise in cyber attacks, but a complexity rule on its own often shifts the risk rather than mitigating it: users satisfy the rule with predictable patterns such as “Password01” or their date of birth, which pass the policy check while remaining trivial to guess. A recent Australian government security assessment found that “26% of its officials had weak, common passwords – with more than 5,000 of 234,000 including the word ‘password’”.