Weak staff passwords a threat to your business?

Many companies run systems that require the use of passwords by their staff or members - examples being offices running a computer network, websites that allow members to sign up for extras like Newsletters or online shopping, or Hosting companies with customers that need access to cPanel, mailboxes or FTP etc.

While the company involved may take the precaution of initially setting a strong password for each new user - many of these systems will then allow the user to change their password to something easier to remember - and this is where the danger lies...

Once a user resets their password for something simple, like their pet's name, or place of birth, their new password is now the weak link in your security chain.

Users that do not take the time to manage their own strong passwords are also highly likely to use the same password across multiple networks and websites - making it even more likely that their password will, sooner rather than later, be compromised. And once that happens, even the least talented hackers will have a field day with every system that user has access to - including your business.

So whether you run an office network with multiple users, a Hosting company with multiple clients or a website with multiple users, members or customers, you need to enforce a security policy of banning simple passwords from your system completely.

There are several ways to do this depending on the system you need to protect...

For a hosting company using cPanel you can implement a minimum password complexity from within cPanel's settings. This then prevents any of your hosted clients from changing their password unless the new password they choose meets your system's minimum requirements, and so makes it much less likely your system will get hacked due to a customer having set a weak password. (Once this is applied it protects all cPanel options including cPanel Login passwords, FTP Passwords and Mailbox Passwords)

For small to medium home/office networks using Windows PCs and Laptops etc., you can enforce not only a minimum password length, but also minimum password complexity. You can do this as follows:

  1. Open Local Security Policy by clicking the Start button, typing secpol.msc into the search box, and then clicking secpol. If you're prompted for an administrator password or confirmation, type the password or provide confirmation.
  2. In the left pane, double-click Account Policies, and then click Password Policy.
  3. Double-click the item in the Policy list that you want to change, change the setting, and then click OK.

For CMS websites such as Joomla there are several components and plugins available that will allow you to force password complexity across all users, both your editorial staff and your Newsletter subscribers or online store customers. One such plugin for Joomla is called "FPC" (Force Password Complexity) and will stop your users changing their passwords to anything below the minimum level you have set in the plugin settings.
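Whether the check lives in cPanel, in the Windows password policy above, or in a CMS plugin, the rule being enforced is the same: reject a new password that is too short, too simple, or derived from the account name. The following is an added, stand-alone example of such a check (not code from cPanel, Windows or the FPC plugin); the three-of-four character-class rule and the account-name rule follow the Windows "Password must meet complexity requirements" setting, the minimum length and the denylist of pet-name-style passwords are constructed for illustration.

```python
"""Password-policy check of the kind the settings above enforce.
Added example: the minimum length, the 3-of-4 class rule and the
account-name rule mirror the Windows complexity policy; the denylist
is a constructed sample, not a real wordlist."""

import string

# Constructed sample of trivially guessable choices (pet names, places).
DENYLIST = {"password", "fluffy", "london", "letmein", "123456"}


def complexity_classes(password: str) -> int:
    """Count how many of the four character classes the password uses."""
    classes = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return sum(classes)


def contains_account_name(password: str, username: str) -> bool:
    """True if any run of 3+ characters of the username appears in the
    password (case-insensitive), mirroring the Windows account-name rule."""
    p, u = password.lower(), username.lower()
    return any(u[i:i + 3] in p for i in range(len(u) - 2))


def check_password(password: str, username: str,
                   min_length: int = 8, min_classes: int = 3) -> list[str]:
    """Return a list of policy violations; an empty list means the
    password is acceptable under this policy."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if complexity_classes(password) < min_classes:
        problems.append(f"uses fewer than {min_classes} character classes")
    if username and contains_account_name(password, username):
        problems.append("contains part of the account name")
    if password.lower() in DENYLIST:
        problems.append("is on the common-password denylist")
    return problems


if __name__ == "__main__":
    for pw in ("fluffy", "Fluffy2024", "jsmith!99X", "Tr0ub4dor&3"):
        print(pw, "->", check_password(pw, "jsmith") or "OK")
```

A signup or password-change handler would call check_password before storing anything and show the returned list to the user as the reason the change was refused.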

Do you have a security policy for your company? Does it include minimum password length and complexity?

Remember, any chain is only as strong as its weakest link - and if your system allows users to set weak passwords, then it is only a matter of time before your system is compromised.

Any such system, if it is compromised, can cause hours, days or even weeks of work for the administrator/s in cleaning out the system to remove Trojans, Keyloggers, Viruses and Malware that may have been placed in the system by a hacker.

In the worst case scenarios for office networks it may even require formatting all machines in the office network and re-installation of the OS and all programs on every machine before the network is fit for use again.

Compromises on a Hosting company system can infect all hosted clients and then the only answer would be to delete all accounts and try and rebuild the system from backups (you do take backups right?).

For a website that allows people to sign up for Newsletters, Forums or Online Shopping, once compromised the only answer is to delete the site and, if you do not have un-compromised backups, to build it again from scratch.

All of the above are time-consuming and expensive - so if you don't already have a Security Policy that includes forcing a minimum password strength and complexity, now is the time to set it in motion.