
Just because your organisation doesn’t have millions of users doesn’t mean you can afford to be lax about email security.

Every company email account holds information that is potentially useful to an outsider, and recent stories such as the AOL and Yahoo! email password breaches, and the vulnerability found in some versions of SSL, highlight the need for organisations of every size, from SMEs up to major corporations, to take their own email password policies seriously and implement strong, secure password procedures for users.

Secure passwords

Randomly generated passwords, made up of an unpredictable mix of letters, numbers and symbols, are considered the most secure, because an attacker can do no better than try every combination. They are also the hardest to remember, so many employees choose something simpler for convenience. A recently published list of the most common passwords found online showed the most popular was ‘123456’, closely followed by ‘password’, highlighting how people are much more likely to choose something memorable over something secure.

Sometimes, in an attempt to create a memorable but secure password, users combine a personal piece of information (say their partner’s middle name) with an important date. The problem with this approach is that someone targeting your organisation (a competitor, for example) can recover such a password with only a small amount of online research.

How many employees have Facebook profiles? How many of them list their relationship status, who their partner is, and key dates? Armed with nothing more than the target’s business email address and public Facebook profile, a hacker can work out their likely password with an unnerving degree of success.

Generic hackers, looking to target any email address, use clever social tools to achieve the same thing. Ever seen a website promising to reveal your ‘Game of Thrones name’, or similar? Some of these are set up deliberately to harvest personal details and feed them into a password-guessing attack: a list of likely candidates is built from the victim’s own details and tried one after another until one works. This is often loosely called a brute-force attack, although a true brute-force attack tries every possible combination rather than only the likely ones.

Finding a password approach which includes enough random elements not to be easily guessed, yet is still memorable to the user, is tricky. My favourite solution to the conundrum is to take a favourite phrase, lyric or movie quote, use the initial letter of each word, and append a date.

So, if your favourite film is Dirty Dancing, take the first letter of each word of ‘Nobody puts baby in the corner’ along with the film’s release year, to give you: npbitc1987. This particular example is probably a little short to be truly secure, and its shape (a run of lowercase letters followed by a four-digit year) is exactly the kind of pattern password-cracking wordlists and rules anticipate, so mixing in capitals or punctuation and using a longer phrase makes it considerably stronger; however it illustrates the point.

Changing passwords

No matter how good the strategy for creating strong, secure passwords is, the longer a password is used, the more opportunities others have to work it out or obtain it, and the less secure it becomes.

Regular password changes are an essential part of email security, as long as users update their passwords in a way that keeps security at the forefront. A common user trick is to set an email password ending in a number, and then increase that number by 1 every time it needs updating. So ‘password1’ becomes ‘password2’, then ‘password3’, or, using our more secure selection method, ‘Help Me Obi-Wan Kenobi’ becomes ‘HMOWK1977’, then ‘HMOWK1978’. An attacker who has obtained the old password will try exactly these variations first, so the change buys almost nothing.

To stop users falling into the trap of incremental numbers, the IT department needs to institute a password-checking policy which rejects new passwords that are too similar to the previous one, and encourages users to keep using the same technique for creating passwords but with a different source each time (e.g. a quote from Dr No becomes a quote from Goldfinger).
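As an added example (not code from the original article), the following Python puts the two ideas above into working form: the initial-letters-plus-year recipe from the Dirty Dancing and Star Wars examples, and a password-change check that rejects the incremented-number trick by comparing the candidate against the password it replaces, and rejects exact reuse of older passwords kept as salted hashes. The policy values (a 12-character minimum, an edit distance of 2, the PBKDF2 round count) are assumptions for illustration. One practical constraint it reflects: only the current password is available in clear at change time, because the user types it to authorise the change; older passwords exist only as hashes, so they can be checked for exact reuse but not for similarity. The initialism helper keeps each word’s first letter as typed, so the Dirty Dancing quote comes out as Npbitc1987 rather than the all-lowercase form in the text.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import re

# Policy parameters: assumed values for illustration, not taken from the article.
MIN_LENGTH = 12
MAX_EDIT_DISTANCE = 2     # reject candidates within this many edits of the current password
PBKDF2_ROUNDS = 100_000


def initialism(phrase: str, year: int) -> str:
    """The article's recipe: first letter of each word, then a year.

    Hyphenated words count as two, so 'Help Me Obi-Wan Kenobi' + 1977 -> 'HMOWK1977'.
    Letter case is kept as typed.
    """
    letters = "".join(word[0] for word in re.findall(r"[A-Za-z]+", phrase))
    return f"{letters}{year}"


def stem(password: str) -> str:
    """Lower-case and drop a trailing run of digits: 'HMOWK1978' -> 'hmowk', 'password2' -> 'password'."""
    return re.sub(r"\d+$", "", password.lower())


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum insertions, deletions and substitutions to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute (free if equal)
        prev = cur
    return prev[-1]


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256, the form in which past passwords are kept in the history table."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def check_new_password(candidate: str, current: str, history: list[tuple[bytes, bytes]]) -> list[str]:
    """Return the reasons for rejecting a candidate; an empty list means it is accepted.

    `current` is the password being replaced, available in clear because the user
    has just typed it; `history` holds (salt, digest) pairs of earlier passwords.
    """
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    # The increment trick: identical once trailing digits are removed.
    if stem(candidate) == stem(current):
        reasons.append("same as the current password apart from trailing digits")
    # Any other near-miss (one character changed, a symbol appended, ...).
    elif edit_distance(candidate.lower(), current.lower()) <= MAX_EDIT_DISTANCE:
        reasons.append("within a few edits of the current password")
    # Exact reuse of an older password: re-hash with the stored salt and compare.
    for salt, digest in history:
        if hmac.compare_digest(hash_password(candidate, salt)[1], digest):
            reasons.append("reused a previous password")
            break
    return reasons


if __name__ == "__main__":
    # Constructed sample: the user currently has HMOWK1977 and it is also in the history table.
    old = [hash_password("HMOWK1977")]
    for candidate in ("HMOWK1978", "NMBIeytd1964"):
        print(candidate, "->", check_new_password(candidate, "HMOWK1977", old) or "accepted")
```

The stem comparison catches the specific trick the article describes (HMOWK1977 to HMOWK1978, password1 to password2), and the edit-distance check catches the looser variations users reach for once that one is blocked, such as tacking a symbol onto the end. Exact reuse is checked by re-hashing the candidate with each stored salt, which is why the history must keep the salt alongside the digest.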

Asking users to change passwords too often leads to resentment, and pushes them towards the trap of number increments. Restrict routine password changes to every few months, and otherwise change them when a potential security threat is recognised (for example an employee leaving under a cloud, or a password suspected of having been exposed).

Conclusion

Maintaining password security is essential for all organisations, to prevent both deliberate sabotage and opportunistic hacker attacks. No company is too small to worry about its email security.

Left to their own devices, most email users will select passwords that are easy to remember but less secure. For this reason IT departments need to educate users in techniques for creating strong passwords which are still memorable, and back that up with checks at password-change time.

Picture credit: Moyan Brenn