Twenty percent of employees said they'd be willing to sell corporate login credentials to outsiders. Employees are sloppy when it comes to handling passwords, cheerfully sharing them with co-workers, using a single password across multiple applications, and even claiming to be willing to sell them to an outsider. That's according to a new report by identity management and access firm SailPoint, which warns that it isn't just cybercriminals and hackers from outside an organisation's perimeter whose actions could result in massive data leaks, but that insiders could cause harm as well, whether intentionally or not. Even if employees aren't sharing information outside of the company, they're still potentially putting data at risk, as almost one in three are willing to share passwords with their co-workers. Those willing to share their passwords might be giving away more than they realise, as two thirds of respondents revealed that they use the same password for multiple applications, making unauthorised access much easier.
Whether you're writing corporate policies for business workers or university policies for faculty and staff, crafting an effective IT policy can be a daunting and expensive task. You could spend hours writing a policies and procedures manual yourself, but consider how much your time is worth. According to job site Glassdoor, the average salary of an IT Director in the U.S. is over $140,000 (depending on geographic location, company, education, etc.). If it takes you one work day to write an IT policy, that single policy costs you $536 ($67 x 8 hours). Don't have time to write a business or university policy?
Password Guidance: Simplifying Your Approach contains advice for system owners responsible for determining password policy. It is not intended to protect high-value individuals using public services. It advocates a dramatic simplification of the current approach at the system level, rather than asking users to recall unnecessarily complicated passwords.
Microsoft has released the public preview of a new Azure Active Directory tool that will help admins kill off bad passwords in the enterprise. The tool, called Azure AD Password Protection, offers a new way of protecting Azure AD and Windows Server Active Directory accounts from users with bad password habits. The tool contains a list of 500 of the most commonly used passwords and helps block a million more that contain character-based variations on these bad passwords. That means that since 'password' is already blocked, users won't be able to set their password to 'P@ssword' or 'P@$$w0rd'.
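The variation matching described above works by normalising a candidate password before comparing it against a banned list, so that substituting '@' for 'a' or '0' for 'o' does not evade the check. The following is an added illustration written for this page, not Microsoft's code and not the matching rules Azure AD Password Protection actually uses; the short banned list and the substitution map are constructed assumptions, and a real deployment would use a far larger list.

```python
"""Banned-password check with substitution normalisation (added example).

Assumptions (not from the article): the banned words, the substitution map
and the normalisation order below are constructed for illustration only.
"""
import re

# Constructed sample banned list; a real list has hundreds of entries.
BANNED_BASE_WORDS = {"password", "letmein", "welcome", "qwerty"}

# Common character-for-letter substitutions that add no real strength.
# Keys and values are single characters, as str.maketrans requires.
LEET_MAP = str.maketrans({
    "@": "a", "4": "a",
    "$": "s", "5": "s",
    "0": "o",
    "1": "i", "!": "i",
    "3": "e",
    "7": "t",
    "|": "l",
})


def normalize(candidate: str) -> str:
    """Lower-case, drop trailing digits/punctuation, then undo substitutions.

    Trailing characters are stripped *before* translation so that a year or
    counter suffix ("Summer2018", "Welcome1!") is removed rather than turned
    into letters that would distort the base word.
    """
    lowered = candidate.lower()
    stripped = re.sub(r"[^a-z]+$", "", lowered)
    return stripped.translate(LEET_MAP)


def matched_banned_word(candidate: str, banned=BANNED_BASE_WORDS):
    """Return the banned base word found inside the normalised candidate,
    longest match first, or None if the candidate is clean."""
    norm = normalize(candidate)
    for word in sorted(banned, key=len, reverse=True):
        if word in norm:
            return word
    return None


def contains_banned_word(candidate: str, banned=BANNED_BASE_WORDS) -> bool:
    return matched_banned_word(candidate, banned) is not None


def evaluate(candidate: str):
    """Return (accepted, reason) the way a password-change hook would."""
    hit = matched_banned_word(candidate)
    if hit is not None:
        return False, f"rejected: variation of banned word '{hit}'"
    return True, "accepted"


if __name__ == "__main__":
    # Constructed candidates; the first three are the article's examples.
    for pw in ["password", "P@ssword", "P@$$w0rd", "Summer2018",
               "Qwerty123!", "correct horse battery staple"]:
        print(f"{pw!r:36} -> {evaluate(pw)[1]}")
```

Note that this is deliberately a substring check: 'MyPassword2018' is rejected because its normalised form still contains the banned word, which is the same reasoning the article gives for 'P@$$w0rd'.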
If you're drowning in website logins and constantly using Forgot My Password prompts to get into random accounts, a "Log In With Google" or "Log In With Facebook" button can look a lot like a lifeline. The services provide a quick way to continue whatever you're doing without having to set up a whole account and choose a new password to guard it. But while these "single sign-on" tools are convenient, and do offer some security benefits, they're not the panacea you might think. The SSO schemes offered by big tech companies have some obvious advantages. For example, they're developed and maintained by companies with the resources to bake in strong security features.