Over the years, we have implemented a number of additional security measures, and this continues to evolve. In many cases these measures are mildly inconvenient, and it is tempting to assume they are unnecessary or even slightly paranoid. We would like to take a little time to discuss that. We do not believe these measures amount to donning the tinfoil hat, given the overwhelming number of security breaches attributed to poor password security.
Historically, IT people would install infrastructure with default passwords, with the intention of changing them after the fact. Given our company history, and the fact that we started in the Internet banking space, we take a certain amount of pride that this has never been our way. This left us ahead of a lot of our competition, but the world has moved on and there is a danger that we get a little complacent.
For example, we frequently point out to customers that have used BlackBerry that we can log on to their Exchange Server as an admin and read all of their mail, simply by logging on to OWA (Outlook Web App) as a BES (BlackBerry Enterprise Server) admin with the default password.
Consider an example of a horrible 'default password' practice that some companies use: applying the same password to all their server installs, across all of their customers. This means that all of their clients, their IT team, and anyone else who has ever worked closely with or for them has a logon to all of their customers' networks. Add a remote access viewer such as TeamViewer into that mix and it gets very scary.
We recommend to everyone that they use Multi-Factor Authentication (MFA), and that they never re-use passwords across different websites, at home or at work. Passwords are a pain for users, so one of the best investments in company and personal security is a password manager such as 1Password or LastPass, which takes the pain out of having a unique password for everything.