Saturday, July 26, 2025

“DIY” measures to strengthen security for IT departments with no budget or manpower (password management)

Table of contents

  • 1. Ranking of dangerous passwords
  • 2. Characteristics of risky passwords
  • 3. How can we encourage users to set and use secure passwords?
  • 4. Password Management Supported by LANSCOPE

Passwords are the first line of defense to protect a company’s information assets. However, many employees still use passwords that are easily guessed. This increases the likelihood that confidential company information and customer data will be at risk. In particular, with the spread of remote work, employees have more opportunities to access systems and services used for work from home or public networks, and more opportunities to carry company terminals, so password strength is more important than ever.

In this blog, we will provide practical tips to reduce the burden of daily work and improve security under the theme of “DIY = do it yourself without relying on tools or outsourcing.” This time, we will focus on the most basic yet important “password management.”

1. Ranking of dangerous passwords

What were the most commonly used passwords in Japanese companies in 2024?
The rankings can be seen in the “Top 200 Most Common Passwords” published by the Lithuanian security company Nord Security.

Rank   Password
 1     123456789
 2     password
 3     12345678
 4     1qaz2wsx
 5     asdfghjk
 6     asdf12345
 7     aa123456
 8     asdf1234
 9     123456
10     1234567890

As the ranking above shows, many companies still use simple, easily guessed passwords such as “123456789” and “password.” This can be read as the flip side of the fact that many companies still leave password management entirely to each employee. There are also many passwords that are “only visually complex” because they simply follow the keyboard layout, such as “1qaz2wsx” and “asdf1234,” which shows that “security” often amounts to no more than formally satisfying a complexity rule.

2. Characteristics of risky passwords

Compromised passwords have a few things in common:

Simple numbers and strings

Simple numeric sequences, simple character strings, and short passwords are among the most dangerous. As the ranking introduced earlier shows, passwords such as “123456” and “asdfghjk” are in use at many companies and are trivially guessed.
These passwords are highly vulnerable to brute-force and dictionary attacks: attackers try exactly such simple strings first, so they are likely to be broken almost immediately.

The National Center of Incident Readiness and Strategy for Cybersecurity (NISC) recommends, as a safe baseline, that login passwords for web services be at least 10 characters long and chosen at random from a pool of 88 character types: 26 uppercase English letters, 26 lowercase English letters, 10 digits, and 26 symbols.

Passwords related to personal information

You should also avoid passwords related to personal information, such as birthdays, names, addresses, and phone numbers. For example, passwords such as “John1985” and “Tokyo2020” are easily guessed based on information published on social media. Cybercriminals often collect personal information about their targets from social media and public information and use it to guess their passwords, so be careful.

Reused passwords

Using the same password for multiple accounts is also very dangerous. If one account is compromised, the others are likely to be compromised in a chain reaction, because attackers routinely try leaked passwords against other services. To prevent this, it is important to set a different password for each account.

Passwords with these characteristics are attractive targets for cybercriminals. It is important for IT departments to take measures to encourage employees to avoid using passwords with the above characteristics.

In addition, if employees are not properly educated or rules are not in place, problems may arise in which passwords are not even set in the first place. Setting a password is a minimum security measure, but what specific measures can information system personnel take to achieve this?
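As an added example (not code from the original post), the following Python checker applies the characteristics above together with the NISC figures quoted earlier: length, the character classes present and the resulting brute-force search space, keyboard walks such as 1qaz2wsx, the ranking entries, and personal details. The ranking subset, the keyboard layout tables and the sample inputs are constructed for the demo.

```python
import math
import re

# Constructed from the ranking quoted in this post (not the full Nord Security top 200).
COMMON_PASSWORDS = {
    "123456789", "password", "12345678", "1qaz2wsx", "asdfghjk",
    "asdf12345", "aa123456", "asdf1234", "123456", "1234567890",
}
# Keyboard rows and columns, used to catch "only visually complex" walks such as 1qaz2wsx.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEYBOARD_COLUMNS = ["1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm"]
# NISC figures quoted in the post: 26 upper + 26 lower + 10 digits + 26 symbols = 88, length >= 10.
CHAR_CLASSES = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 26)]
NISC_POOL, NISC_MIN_LENGTH = 88, 10

def pool_size(pw: str) -> int:
    """Size of the character pool implied by the classes actually present in pw."""
    return sum(n for pattern, n in CHAR_CLASSES if re.search(pattern, pw))

def entropy_bits(pw: str) -> float:
    """log2(pool ** length): the search space a brute-force attacker has to cover."""
    return len(pw) * math.log2(pool_size(pw)) if pw else 0.0

def keyboard_walk(pw: str) -> bool:
    """True if pw contains four adjacent keys along a row or down a column."""
    low = pw.lower()
    if any(col in low for col in KEYBOARD_COLUMNS):
        return True
    return any(row[i:i + 4] in low for row in KEYBOARD_ROWS for i in range(len(row) - 3))

def check_password(pw: str, personal_info=()) -> list:
    """Return the findings for pw; an empty list means it passes every check in this post.
    personal_info holds details an attacker could find on social media (name, birth year, city)."""
    findings = []
    if pw.lower() in COMMON_PASSWORDS:
        findings.append("appears in the common-password ranking")
    if len(pw) < NISC_MIN_LENGTH:
        findings.append("shorter than the NISC minimum of 10 characters")
    if pool_size(pw) < NISC_POOL:
        findings.append("does not use all four character classes")
    if keyboard_walk(pw):
        findings.append("contains a keyboard walk")
    if any(len(p) >= 3 and p.lower() in pw.lower() for p in personal_info):
        findings.append("contains personal information")
    return findings

if __name__ == "__main__":
    for pw, info in [("123456789", ()), ("John1985", ("John", "1985")), ("Tq7!mZ2#vR9$", ())]:
        print(pw, round(entropy_bits(pw), 1), "bits", check_password(pw, info) or ["OK"])
```

Such a check belongs in an onboarding script or a self-service page, not in a log of rejected passwords; the point is to explain to the employee which characteristic was the problem.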

3. How can we encourage users to set and use secure passwords?

Proper password management is a basic and important security measure for raising security across the entire company, but in reality many companies leave it up to their employees. In order to manage passwords properly, it is not enough for information system personnel to take measures; security awareness must be shared throughout the organization, and each employee must understand what a “secure password” is.

Here, we will introduce an easy first step that can be taken with the information systems department taking the lead, as a measure that can be implemented “without hassle,” “free of charge,” and “with certainty.”

Point 1: Setting password policies and password change reminders
Create a system that encourages users to use the policy and reminders

First, you need to build a system to make sure that strong passwords are used.
If the IT department merely says, “Don’t set weak passwords,” employees may not understand what that means in practice, and the message will not get through. It is important to build a system that does not depend on individual employees, combining automatic policy settings with continuous reminders, as in the examples below.

● Use the “password requirement setting” function
For example, cloud services such as Microsoft 365 and Google Workspace have a “password requirement setting” function that enforces a combination of uppercase and lowercase letters, numbers, and symbols, so a certain level of complexity is maintained automatically. It can be applied to all users at once from the management console, free of charge.

● Calendar notifications to encourage regular password changes:
If you use a company calendar, you can set up a company-wide notification to encourage password changes every three months, for example. Furthermore, if you use an internal chat (Slack or Teams), it is also effective to send reminders to employees at the same time.

Point 2: Employee training

On the other hand, it is important not only to have a system but also to raise employees’ security awareness. Even if technical measures are taken, risks cannot be reduced unless the employees who actually handle passwords are aware of the importance of setting and using appropriate passwords.
Employee education can include regular security training and setting reminders (for example, reminder messages on internal chat tools) that make employees aware of the importance of password management on a daily basis.

As an example, here is some internal reminder text:

How to strengthen and manage passwords
If the ID and password of the internal system are known to others, there is a risk of unauthorized intrusion and information leakage.
Therefore, passwords should be set and managed carefully.

Key points for setting a password:
1. Use information that is difficult to guess
Avoid birthdates, names, pet names, etc.
2. Create complex character strings
Mix uppercase letters, lowercase letters, numbers, and symbols.
If possible, make it 12 characters or more.

Password management precautions
1. Precautions when entering passwords
Do not let others see it.
2. Handling notes
Do not post notes with passwords written on them in a conspicuous place.
If you must write it down, do not write the password as-is; add extra characters so that the note alone does not reveal it.

We also have a white paper below that you can use as content for security training. It explains not only password management but also security measures that employees should take and three points to help them understand the necessity of these measures. A checklist of measures is also included in the appendix, so please make use of it.

Pick Up! Introducing Multi-Factor Authentication (MFA)

No matter how strong your password is, there is always a risk that it will be leaked.
In fact, there are many cases where passwords are leaked to the outside due to phishing emails or information leaks.
In such cases, multi-factor authentication (MFA) acts as a fortress to protect companies.
Multi-factor authentication is a mechanism that verifies the identity of a user through multiple authentication methods (password + authentication app + biometric authentication, etc.). By implementing this, even if a password is leaked, it is possible to prevent unauthorized logins by third parties, making it extremely effective in strengthening security.

In particular, it is considered necessary to prioritize the introduction of multi-factor authentication in the following situations:

  • When accessing the company network from outside the company, such as via VPN
  • When using cloud services such as Microsoft 365 or Google Workspace
  • When accessing highly confidential accounts such as internal portals, business systems, and management consoles

For implementation, you can use an authenticator app on a smartphone (e.g., Google Authenticator, Microsoft Authenticator), which lets you deploy and operate multi-factor authentication without incurring any licence costs.
In addition, many cloud services allow administrators to set policies that require multi-factor authentication in one go, reducing the risk of information leaks.
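To show what the authenticator app above actually computes, and what the service side must check before trusting the code, here is an added example of RFC 6238 TOTP in Python; it is not code from the original post or from any vendor. The shared secret is the RFC 6238 test value, and the clock-drift window and replay rejection are a typical server-side policy assumed here.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step); this is what the app displays."""
    return hotp(secret, unix_time // step, digits)

def verify_totp(secret: bytes, code: str, unix_time: int, last_used_counter: int = -1,
                window: int = 1, step: int = 30, digits: int = 6):
    """Server-side check. Tolerates +/- window steps of clock drift, but never accepts a counter
    at or before last_used_counter, so a code captured by phishing cannot be replayed.
    Returns the accepted counter (store it as the new last_used_counter) or None."""
    current = unix_time // step
    for candidate in range(current - window, current + window + 1):
        if candidate <= last_used_counter:
            continue  # one-time code: already consumed (or older than one already consumed)
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None

if __name__ == "__main__":
    # Constructed demo using the RFC 6238 Appendix B test secret (ASCII "12345678901234567890").
    secret = b"12345678901234567890"
    print(totp(secret, 59))                                        # 287082
    print(verify_totp(secret, "287082", 59))                       # 1
    print(verify_totp(secret, "287082", 59, last_used_counter=1))  # None: replay rejected
```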

4. Password Management Supported by LANSCOPE

So far, we have introduced a DIY method for managing passwords in-house, but in reality, some tasks can be made overwhelmingly more efficient by implementing a system. Here, we will introduce how password management can be handled if you have implemented the IT asset management/MDM “LANSCOPE Endpoint Manager Cloud Edition.”

LANSCOPE Endpoint Manager Cloud Edition can unify password setting rules across the company, such as the number of characters and the required use of letters, numbers, and non-alphanumeric characters. (Note: Windows OS is not supported.)

iOS and macOS settings

  • Minimum passcode length
  • Do not allow simple values (e.g. aaaa, 1234)
  • Letters and numbers required
  • Minimum number of non-alphanumeric characters
  • Passcode validity period
  • Prevent reuse of previously used passcodes
  • Device initialization due to consecutive failed passcode entries*1
  • Maximum time allowed before device lock begins
  • Maximum time allowed before passcode is required when unlocking the screen
  • Waiting time after failed login*2
  • Force password reset*2

*1 For macOS, the account will be locked.
*2 Only macOS is supported.

Android settings (devices must be managed using Android Enterprise)

  • Minimum password length
  • Required character types
  • Password expiration period
  • Proactive notification of password expiration
  • Prevent reuse of previously used passwords
  • Device initialization due to consecutive failed password entries
  • Maximum time allowed before sleep begins
