The Business Woes of Password Management
By Brent Fairbanks
If you are using computers, you are dealing with passwords. We all have too many passwords to remember, and nobody is exactly sure who is responsible for the thing we all love to hate.
Passwords are new technology, right?
Passwords enable us to restrict access to only those who are permitted, and restricting access is nothing new. It has been used for thousands of years; Roman sentries, for example, required someone to have special knowledge to pass. One thing that we do know is that the minute we attempt to restrict access, it invites abuse by both those with access and those without.
Why do we still use passwords?
You would think that with all of today’s computing power we would be able to come up with a better method of restricting access than passwords. The problem is not one of technology but one of legality. The courts can legally issue an order that requires a person to produce anything physical to unlock what is protected. However, the courts cannot issue an order that requires a person to produce knowledge to unlock what is protected. That means they can force you to produce a fingerprint, iris scan or other “physical” means of unlocking. If you know something, it is not legal to force that out of you. Hence the ubiquitous password, or knowledge-based lock, is not likely to change anytime soon.
Passwords don't have problems, do they?
If we only had two or three passwords to remember, it would be much easier for people to manage. This brings us to one of the first problems in password usage: the re-use of the same password. We are all guilty of this habit. Eventually, one of the places where we used our “special secret and reused” password WILL get hacked. When it does, your information is published for the world to see, and the clever hacker then tries your credentials on every other password-protected system they can find. If you are re-using your passwords or never changing them, your chance of compromise goes way up.
Another problem is the “documenting” of your password. Does anyone remember the movie “Ferris Bueller’s Day Off”? Ferris knew where the school employees wrote the computer passwords down. Ever walked into an office and seen a computer monitor covered in sticky notes listing every password the user needed? With today’s technology, one could walk into an office, snap a picture of the monitor, and review all of that private information later.
What can be done about the problem?
The latest attempt at preventing unauthorized access is to require Multi-Factor Authentication (MFA). With this method, we require the person to know something, like a password, and to have something, like a cellphone (or email account) that a verification code can be sent to, in order to confirm their login attempt. With Multi-Factor Authentication, even someone who knows the username and password still cannot get access without the second factor.
The cautious employee
In an abundance of caution, key people in the business put passwords on files and devices (postage machine, copier, alarm code). This is done to make sure that nobody can accidentally look at, or worse, make changes to key files or use devices. So, what’s the problem with this? The person who holds the password becomes unreasonable in their management of this information; they come to believe that only they are a trustworthy keeper of the password.
Having only one person who can get to company assets places the business at great risk when that person becomes unavailable for whatever reason. If you establish a policy for how this information is documented, provide a tool to record it, and then enforce a culture of “this is how we do it”, this problem can be eliminated.
What does a business owner need to do?
This is going to require an absolute commitment from the top: you, the owner, director, CEO, or whatever your official title is, because problems like this are not solved from the bottom up. You are going to have to start viewing this situation as an opportunity to get control of a problem your business has been facing for too long.
The government now requires a more responsible attitude toward passwords. Beginning in 2017, any tax preparation software that is blessed by the IRS requires complex passwords that are rotated every 90 days. QuickBooks is following suit. Just imagine dealing with this many password changes, and that’s if you only have one company file. If you are running multiple entities with their own data files, each individual file must now follow the password rule.
What about accounting firms with tens or hundreds of clients’ QuickBooks files that need to be kept up to date? Without password management, how are you ever going to deal with this ever-expanding problem? The same way you are right now, with sticky notes all around the office? A spreadsheet called “passwords”?
If not our password management product, find a product that you like that enables you to share information securely with your support provider and other key employees, keeps an audit trail of which user has seen which information, keeps a log of who has seen or done what (should there be employee turnover in your business), and has a password generator. THEN change any default passwords for hardware and software, NEVER use the same password twice, remove any visible physical evidence of passwords, and use the built-in password generator to improve the quality of your passwords. For password security, length of the password is more important than complexity.
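To make the last point concrete, here is an added example (not the author’s product or any code from the original article) that generates passwords from a cryptographically secure source and compares the entropy of a short password drawn from the full keyboard symbol set with that of a longer password drawn only from lowercase letters. The character sets and the lengths 8 and 16 are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Character sets a typical password generator can draw from (assumed for this example).
CHARSETS = {
    "digits": string.digits,                                             # 10 symbols
    "lower": string.ascii_lowercase,                                     # 26 symbols
    "lower+upper": string.ascii_letters,                                 # 52 symbols
    "full": string.ascii_letters + string.digits + string.punctuation,   # 94 symbols
}


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a uniformly random password of `length` characters
    drawn from an alphabet of `alphabet_size` symbols: length * log2(alphabet_size).
    Each extra character multiplies the guess space; each extra symbol only adds to the base."""
    if length <= 0 or alphabet_size <= 1:
        return 0.0
    return length * math.log2(alphabet_size)


def generate_password(length: int, alphabet: str = CHARSETS["full"]) -> str:
    """Draw each character with the `secrets` module (CSPRNG), never `random.choice`,
    so the generated password actually has the entropy computed above."""
    if length < 1:
        raise ValueError("length must be at least 1")
    if len(set(alphabet)) < 2:
        raise ValueError("alphabet must contain at least two distinct symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare_length_vs_complexity(short_len: int = 8, long_len: int = 16) -> dict:
    """Entropy of a short password over the full 94-symbol set versus a longer
    lowercase-only password. Returns both values and which one is stronger."""
    short_complex = entropy_bits(short_len, len(CHARSETS["full"]))
    long_simple = entropy_bits(long_len, len(CHARSETS["lower"]))
    return {
        "short_complex_bits": round(short_complex, 1),
        "long_simple_bits": round(long_simple, 1),
        "longer_is_stronger": long_simple > short_complex,
    }


if __name__ == "__main__":
    print(compare_length_vs_complexity())
    print(generate_password(16, CHARSETS["lower"]))
```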
Ensure your business is following what is considered “mandatory” by the government today. Get your business password management started today.