Four Ways to Know Your Business' Passwords are Safe
Passwords are your business’s first line of defense (and sometimes only line of defense) against a data breach. With only a single stream of characters protecting your company’s sensitive data—or the sensitive data of your clients if you work for an IT provider—from the nefarious forces that want to exploit the data for their own purposes, keeping your passwords safe at all times should be an extreme priority. But for many businesses, it isn’t. Or, and I see this more frequently, businesses think their passwords are safe, but they really aren’t.
To help you determine if the passwords that protect your business’s data, systems, and applications are secure, consider the following four checkpoints. If all four are true, then you’re on the road to password security. If one or more aren’t true, or you’re not sure, your data or your customers’ data could be at risk, and now is the time to reconsider your password security practices and look into implementing a more robust password management system.
1. Are former employees out there with your passwords?
Not every businessperson thinks about this question, but often when they do, it becomes obvious. Whenever someone leaves your employ, they take with them all the passwords they knew to access your shared systems and applications, social media accounts, network devices, and so on. Perhaps you trust your former employees not to use their knowledge for personal gain. Perhaps you don’t. Either way, those former employees are not under your control anymore, and once they let slip one of your passwords, it can be very hard to put that genie back in the bottle. Every time an employee leaves your company, you need a quick way to see what passwords he or she had access to and if those passwords were revoked, as well as a system for detecting when a former employee tries to gain access after he or she has left.
2. Is your password management system built for that purpose?
I’ve seen many different cobbled-together solutions that pass for password management systems in the companies I work with: spreadsheets, Word documents, smartphone apps built for single users. The unifying factor is that none of these so-called “systems” were built with the password security requirements of a business in mind. That is, they don’t account for multiple users with multiple authority levels. They also don’t automate many of the password management best practices required for maximum password safety. And, as you’ve probably learned from your years in business, any system that requires manual human interaction introduces the potential for human error.
3. Can team members access only the passwords they need to access?
There is no reason for a junior technician to have administrative access to your most valuable customer’s systems. I am a big promoter of role-based access to passwords. I believe your team members should only have access to the passwords they need to do their job. This prevents them from either deliberately or inadvertently making destructive changes without permission from those in authority. Without a system that provides role-based access to passwords, however, it’s hard to prevent lower-level employees from seeing passwords they don’t need to see.
4. Do you have a way to audit your password management system?
When I talk about auditing your password management system, I mean having a way to monitor whether or not everything is working the way it should. That means your password security policies are being followed, all passwords meet your complexity and compliance requirements, and, perhaps most importantly, that the passwords stored in your system match those that are actually being used. After all, the most secure password management system is useless if it’s not storing the correct passwords. You should not have to wait to discover a password safety problem until someone manually checks for one, either. Your password management system should have a way to alert you automatically when something isn’t right.
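The three checks that can be automated above (checkpoint 1, credentials a departed employee knew that were never rotated; checkpoint 3, retrievals outside a user's role; checkpoint 4, policy compliance with findings raised automatically) as an added example that is not from the original post or any password manager product. The inventory fields (roles, last_rotated, accessed_by), the complexity rule and the sample users and entries are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Credential:
    name: str
    secret: str
    roles: frozenset        # roles permitted to view this entry (role-based access)
    last_rotated: date
    accessed_by: frozenset  # every user who has ever retrieved it, from the access log

@dataclass
class User:
    name: str
    role: str
    left_on: Optional[date] = None  # set when the employee is offboarded

def stale_after_departure(creds, users):
    """Checkpoint 1: entries a departed user retrieved that were not rotated after they left."""
    departed = {u.name: u.left_on for u in users if u.left_on}
    return sorted(c.name for c in creds
                  if any(n in c.accessed_by and c.last_rotated <= left for n, left in departed.items()))

def role_violations(creds, users):
    """Checkpoint 3: retrievals by users whose role does not grant that entry."""
    role_of = {u.name: u.role for u in users}
    return sorted((c.name, n) for c in creds for n in c.accessed_by if role_of.get(n) not in c.roles)

def meets_policy(secret, min_len=14):
    """Checkpoint 4: assumed complexity policy, minimum length plus three of four character classes."""
    classes = (any(ch.islower() for ch in secret), any(ch.isupper() for ch in secret),
               any(ch.isdigit() for ch in secret), any(not ch.isalnum() for ch in secret))
    return len(secret) >= min_len and sum(classes) >= 3

def audit(creds, users, today, max_age_days=90):
    """Run every check unattended and return findings to alert on, rather than wait for a manual review."""
    findings = [f"rotate after departure: {n}" for n in stale_after_departure(creds, users)]
    findings += [f"out-of-role access: {u} viewed {n}" for n, u in role_violations(creds, users)]
    findings += [f"weak secret: {c.name}" for c in creds if not meets_policy(c.secret)]
    findings += [f"not rotated in {max_age_days} days: {c.name}" for c in creds
                 if today - c.last_rotated > timedelta(days=max_age_days)]
    return findings

# Constructed sample inventory standing in for a password manager export (not real data).
USERS = [User("alice", "admin"), User("bob", "junior-tech"), User("carol", "admin", date(2024, 3, 1))]
CREDS = [Credential("customer-firewall-admin", "Tr0ub4dor&3-Long!", frozenset({"admin"}), date(2024, 1, 15), frozenset({"alice", "carol"})),
         Credential("shared-social-media", "password1", frozenset({"admin", "marketing"}), date(2024, 4, 2), frozenset({"alice", "bob", "carol"})),
         Credential("helpdesk-portal", "Xk9#pLm2!vQ7wRt", frozenset({"junior-tech", "admin"}), date(2024, 5, 1), frozenset({"bob"}))]
FINDINGS = audit(CREDS, USERS, date(2024, 6, 1))  # what an automated alert would carry
```

Wiring `audit` to a scheduler and a notification channel is what turns the manual check the post warns against into the automatic alert it recommends.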