Password Polices - You'd be better off trashing them!

MongoHQ is the latest company to suffer a security breach due to its own poor password practices.

Jason McCay, MongoHQ’s CEO, reported “On October 28, 2013, we detected unauthorized access to an internal support application using a password that was shared with a compromised personal account.” The consequences of the breach were huge, giving hackers access to customer account information, including databases, email address and bcrypt-hashed user credentials. Furthermore, it had the knock-on effect of causing some of MongoHQ's customers significant financial and repetitional damage.

Pointless Password Policies

This breach is another example of how passwords policies rolled out by organizations are not only ineffective, but ultimately pointless when there's no governance in place to measure compliance with the policies. Forcing minimum requirements for passwords does not work, primarily because the aims of the employee are often at odds with the aims of the business. Organizations want security, while employees strive after convenience. The prospect of remembering multiple complex passwords is a burden many employees don’t want or need. Even employees with the best of intentions often leave the company exposed by unknowingly using weak passwords that meet the minimum requirements of the password policy. Meeting the minimum requirements of password policies can often give a false sense of security that accounts are well protected, when in fact the passwords can be cracked in minutes. Meeting minimum requirements of password policies is no guarantee of strong passwords and with no mechanism to measure effectiveness of the policies, both businesses and employees alike can be blissfully unaware that they have security vulnerabilities.

Typical Password Policies

Passwords Policies rolled out by companies tend to put in place a minimum standard for passwords. Typically this requires passwords to be a minimum of 8 characters, and use a capital and number. It’s policies such as this though that have resulted in Password1 being one of the most popular passwords in existence, used by millions every day across the globe. Password 1 meets the minimum requirements for the MS Windows Login, which has become a de facto standard, even although it's totally inadequate in today's world. Businesses often unknowingly compound the problem by requiring passwords changes every few months. Forcing employees to change passwords frequently can actually reduce security, as employees start to use weaker passwords that are easier to remember, often simply incrementing a digit to existing passwords to fulfil the policy requirement. It's simply convenient for employees to create something that's easy to remember so they can get on with their job. The MongoHQ example is typical of what goes in on every organization, where employees seek out convenience while finding a way to meet the minimum requirements of any corporate password policy.

Buffer Hacked

The MongoHQ employee using the same password for a personal and business account not only caused a breach of MongoHQ, but had the knock-on effect of compromising one of MongoHQ's biggest customers - Buffer.

Buffer is a social media app that allows people to queue posts to their social media accounts. The MongoHQ breach gave hackers access to Buffer's database (managed by MongoHQ) and resulted in hackers spamming content to Buffer users’ social media accounts.

Even with a password policy in place, it was ultimately useless to MongoHQ without the company having a means to measure employee compliance. Employees using the same passwords for business accounts that they used for their own personal accounts is a typical weak practice, and was the same cause of the Dropbox breach in 2012.

How my1login can help

my1login is a cloud-based, business password manager that works in conjunction with existing business passwords enabling end users to only require one secure login for all business services.

my1login's password reports provide management with a mechanism to measure employee compliance with password policies. Management can see at a glance where there may be security vulnerabilities due to employees are using weak passwords or weak passwords practices such as using the same password across multiple accounts – the problem which led to MongoHQ and Dropbox being hacked.

Find out how my1login can protect your business.

Further Reading

• Techcrunch article on MongoHQ being hacked
• MongoHQ announcement on security breach
• Buffer Announcement on suffering security breach