If it’s been a while since you’ve changed your passwords, especially on your social media accounts, don’t feel too bad. Security professionals aren’t following their own advice about password hygiene.
Thycotic, a provider of privileged account management, conducted a survey at RSA in February, and the results were a little surprising, when you consider the respondents. More than half said that it’s been more than a year since they’ve changed their social media passwords, while 20 percent said they’ve never changed the password for their accounts. Another 25 percent said they’ll change their passwords – only when the system requires them to do so.
Not only are security professionals lazy about changing their passwords, they are also lazy about how they come up with their passwords in the first place. It seems like common sense – and everything they preach to their fellow employees about good password practices – went right out the window, as Joseph Carson, chief security scientist at Thycotic, told me in an email comment:
We were surprised to learn that 30 percent of IT security professionals still use birthdays, addresses, pet names or children names for their work passwords, which are readily hackable. It’s hard to expect employees to follow their company’s security policies when some security practitioners don't set better examples.
The problem with poor password practices, Thycotic’s study pointed out, is that a single compromised social media account can lead a hacker to all sorts of valuable information about the user. There’s also the possibility of the hacker taking over your social media account and using it for social engineering purposes, turning your friends and contacts into victims.
My own thoughts on this survey mirrored a comment in Dark Reading, that security professionals aren’t practicing what they preach, but the article goes on to say there may be a reason for this:
Typically, security pros are aware of the potential dangers of single sign-on passwords and will have a separate password for each account they hold, both work-related and personal. . . . As a result, in some ways, it may not be so surprising that security professionals find it hard to maintain the same level of vigilance with their personal accounts as they perform with work-related accounts.
You know that if security professionals are struggling to keep up with passwords, so is everyone else in the company (who hasn’t complained about too many passwords, after all). So what are some possible solutions to this password mess? One is requiring the use of multi-authentication to access everything, at least wherever possible. Setting up password change reminders may help, too (I know I’m more likely to address passwords when I get a reminder about it). Blocking access of social media sites on company networks might not be popular, but it could add a level of security. Password vaults may help, too, but they have their own security problems that must be taken into consideration.
As a Forrester report found, 80 percent of all cyber security attacks involve a weak or stolen password. What are you doing to improve your password hygiene?
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba