SMB employees typically use the same password for personal and work accounts and across all of their devices. It is no surprise that passwords are the bane of IT departments. People treat passwords like business cards rather than like the keys to the kingdom. Hackers love weak passwords because they guarantee that whoever holds the password can walk straight into your IT infrastructure and, in some cases, do whatever they want to do.

The app environment has not made password management any easier. According to App Annie, the average person uses 30 apps a month on their smartphone; at least 9 of them daily. SMBs have adopted "bring your own device" (BYOD) policies, so in many cases these are smartphones or other mobile devices used to access company data. And they all need passwords. The challenge is trusting your employees to use strong passwords to protect the devices, apps, and programs they’re using.

Why Passwords are Important

The reason IT departments downplay passwords and password policies is that they are a lot of work. Users often do not realize that in the hacker’s world, passwords are valuable currency. When a hacker discovers a password, they gain access to all kinds of sensitive company information, including:

  • Client or customer files and all the data they contain;
  • Employee records, files, and associated data;
  • Financial records and information;
  • Corporate planning, projections, and communications;
  • And (in some cases) network and IT infrastructure.

Despite the importance of passwords, many SMBs still struggle to develop and maintain a reliable password policy. Fortunately, times change. This August, the National Institute of Standards and Technology (NIST) released new password recommendations (Special Publication 800-63B). They are recommendations; however, history shows that NIST recommendations often become the basis of standards.

In these recommendations, NIST has stepped back from its past advice that businesses require frequent password changes and that passwords be complex jumbles of uppercase and lowercase letters, numbers, and symbols. According to NIST, these requirements make it hard for employees to remember their passwords. Frustrated users write down their passwords 49 percent of the time. They store them in digital documents 24 percent of the time, and most people change only a single digit when they are required to enter a new password. This increases the risk from weak passwords.

Most Americans keep track of their online passwords by memorizing them or writing them down.

New Password Requirements Don’t Mean Less Security

Although NIST recommends less stringent rules for creating passwords, the organization also recommends that businesses build authentication processes that screen new passwords against lists of commonly used passwords and that store user passwords more securely by masking (hashing) them.

It seems simple, but these changes amount to a large reduction in user frustration, which means increased security. For example, users are so frustrated that 90 percent of them create passwords that are crackable within 6 hours, and 65 percent use the same password for personal and business access. A handful of the most common passwords account for nearly 17 percent of all passwords, according to Keeper Security, a password management vendor. They include:

  • 123456
  • 123456789
  • qwerty
  • 1234567890
  • 1234567
  • password
  • 111111
  • google

The recommended changes to password requirements are designed to make it easier for users to create long passwords that are hard to discover.

New Password Best Practices

So, if the old password requirements are obsolete, what are the new best practices? These updated password requirements favor the user and shift the burden of protection onto the organization. They include:

Create longer, simpler passwords

Users should create passwords of at least 8 characters, but the requirement to use uppercase, lowercase, numbers, and symbols is removed. Instead, passwords should be all lowercase: random words that are easy for the user to remember but hard for anyone else to guess.

A better strategy for users is to create a passphrase by picturing a scene and then randomly choosing four memorable words from that scene. Users could also use a password generator and then build a mental image to help them remember the words.

Randomness is key

One of the most common mistakes users make when creating passwords is using familiar words, repetitive letters or numbers, or sequential characters. People also use their own name, the name of the application, company, or department they work with, or the names of their family members. These are often easy to guess. Instead, the key to simplifying passwords is using ordinary English words that are easy to remember.

It is also no longer recommended that users substitute numbers for letters in ordinary words. Again, this makes passwords hard to remember and increases the likelihood that they will be written down or stored somewhere accessible.
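The screening and storage practices described above (a minimum of 8 characters with no composition rules, a common-password blocklist, rejection of repeated or sequential characters and of names the user is associated with, and hashed storage) can be put together in a small policy check. The Python below is an added example, not code from the original post or from NIST; the blocklist is constructed from the eight passwords listed earlier, the context words are assumed inputs, and PBKDF2 stands in for whatever password hash your platform uses.

```python
import hashlib
import hmac
import os
import re

# Constructed sample blocklist (the eight entries quoted above). A real
# deployment would load a large breached-password list instead.
COMMON_PASSWORDS = {"123456", "123456789", "qwerty", "1234567890",
                    "1234567", "password", "111111", "google"}

def has_sequential_run(s, length=4):
    """True if s contains `length` consecutive ascending or descending chars."""
    for i in range(len(s) - length + 1):
        window = s[i:i + length]
        diffs = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False

def check_password(candidate, context_words=(), blocklist=COMMON_PASSWORDS):
    """Return the reasons a password should be rejected (empty list = accept).
    Deliberately no uppercase/digit/symbol rule; context_words = user name etc."""
    reasons = []
    pw = candidate.strip()
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    if pw.lower() in blocklist:
        reasons.append("appears on the common-password blocklist")
    if re.search(r"(.)\1{3,}", pw):          # same char 4+ times in a row
        reasons.append("contains a run of repeated characters")
    if has_sequential_run(pw):
        reasons.append("contains a sequential run such as 1234 or abcd")
    for word in context_words:
        if word and word.lower() in pw.lower():
            reasons.append(f"contains the context word '{word}'")
    return reasons

def hash_for_storage(password, iterations=600_000):
    """Salted PBKDF2-HMAC-SHA256 record; the plain password is never stored."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password, record):
    """Recompute the hash from the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)
```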

Still no shared passwords

In a study done by LastPass, 73 percent of respondents said sharing passwords was risky, yet 61 percent were still willing to share work passwords. It may be as simple as the wi-fi password, or the password to a shared application, but this behavior puts SMBs at risk. Each user should have their own password, and in instances where it’s necessary to share a password, it needs to be reset once the task is complete.

Users should still have more than one password

Using the same password for every application, program, device, and network a user must access is still a bad idea. Unique passwords are still necessary to create a layer of protection in case one password is discovered. If it is the only password in use, whoever has it can access everything. Users will still have to use multiple passwords, but if that’s a problem, a password manager is one of the best tools you can deploy for password security.

Password policies are required and must be enforced

One reason passwords put SMBs at risk is the lack of a password policy. According to a report by Keeper Security and the Ponemon Institute, 59 percent of SMBs have no visibility into their employees’ password practices and hygiene. Even among companies that do have a password policy, 65 percent do not enforce it.

SMBs must create and enforce password policies. Cyberattacks are on the rise, and once a criminal discovers a single password, your organization is at risk. Without the proper controls in place, there is no way to determine whether your IT infrastructure is secure.

If you do not have a security program, or you are not sure whether your current security policy is effective, contact Advanced Network Solutions. Our team of IT professionals can assess your current capabilities and help ensure you are protected from any risk that may arise.