123456 was the most commonly used password of 2016 in enterprises, according to a recent article in CIO Dive. Really. In fact, “Despite continuous warnings about the importance of password security, almost 17 percent of computer users used the password ‘123456’ in 2016.” Second most popular? “123456789”.
In a recent conversation with Rockwell Collins’ Nick Burgart, Principal Engineering Manager, and Anthony Massaro, Senior Cyber Security Architect, we discussed cyber security and the elemental need for secure passwords, specifically as it relates to military training. Luckily, as Anthony pointed out, on the public-sector side of the house, 123456 just wouldn’t fly.
“Security is elemental in the training environment, and participants are required to have very difficult usernames and passwords,” Massaro said. “If they don’t, they will get locked out. Everyone who participates knows that as soon as they log onto a computer or their training environment and see that DoD [Department of Defense] banner, they are required to comply with certain security measures. They also know their actions are being audited and being logged.
“Systems must include security monitoring tools, such as auditing and user account management,” Massaro continued. “If a breach occurs, you will be able to follow the trail and find out who was trying to be malicious on the system.”
Burgart concurred and said that setting requirements up front and getting team buy-in is crucial to a successful cyber security practice. “Cyber security is not just one single requirement that has to be dealt with; it’s an overarching idea that has to be built into the architecture and culturally drive how we work on a day-to-day basis.
“Industry must treat cyber security as more of an architectural role, rather than ‘this is one person’s job,’” Burgart continued.
As both Massaro and Burgart shared, the simplest best practice in cyber security is to make your passwords as long as you can possibly remember, with as much variation as possible.
“Industry must increase that elemental cyber measure by layering on two-factor authentication,” Massaro shared. “Users should not only meet very specific requirements surrounding their user account and password, but they also may soon need to provide a fingerprint or eye scan to access their files, or provide an access token. Two-factor authentication is becoming one of the more important requirements out there when delivering a DoD device.”
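To make the practices Massaro describes concrete (long, varied passwords; rejection of the two passwords named at the top of this article; lockout after repeated failures; and an audit trail that lets you follow who did what), here is an added example in Python. It is not Rockwell Collins code or DoD policy; the length threshold, lockout count, user name and salt handling are assumptions chosen for illustration.

```python
"""Constructed example: a minimal login gate that enforces a password policy,
locks an account after repeated failures, and records an audit trail.
All thresholds and names are assumptions, not an organisation's real policy."""
import hashlib
import hmac
import os
from datetime import datetime, timezone

BLOCKLIST = {"123456", "123456789"}  # the two most-used passwords named above
MIN_LENGTH = 14                      # assumed policy: length first
MAX_FAILURES = 3                     # assumed lockout threshold
AUDIT_LOG = []                       # in-memory stand-in for a real audit sink


def password_policy_violations(password: str) -> list:
    """Return the policy rules a candidate password breaks (empty = acceptable)."""
    problems = []
    if password in BLOCKLIST:
        problems.append("blocklisted")
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    # "Variation": count how many character classes appear; require at least 3.
    classes = sum([any(c.islower() for c in password),
                   any(c.isupper() for c in password),
                   any(c.isdigit() for c in password),
                   any(not c.isalnum() for c in password)])
    if classes < 3:
        problems.append("low_variation")
    return problems


def _hash(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so a stolen digest is not trivially reversed.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def audit(event: str, user: str) -> None:
    """Append one timestamped, attributable line to the audit trail."""
    AUDIT_LOG.append(f"{datetime.now(timezone.utc).isoformat()} user={user} event={event}")


class Account:
    def __init__(self, user: str, password: str):
        if password_policy_violations(password):
            raise ValueError("password does not meet policy")
        self.user, self.salt = user, os.urandom(16)
        self.digest, self.failures, self.locked = _hash(password, self.salt), 0, False


def login(account: Account, password: str) -> str:
    """Return 'ok', 'denied' or 'locked'; every outcome leaves an audit entry."""
    if account.locked:
        audit("login_denied_locked", account.user)
        return "locked"
    if hmac.compare_digest(_hash(password, account.salt), account.digest):
        account.failures = 0
        audit("login_ok", account.user)
        return "ok"
    account.failures += 1
    audit("login_failed", account.user)
    if account.failures >= MAX_FAILURES:
        account.locked = True
        audit("account_locked", account.user)
        return "locked"
    return "denied"
```

After lockout even the correct password is refused until an administrator intervenes, and the `account_locked` entry in the log is the trail an investigator would follow.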
Both Massaro and Burgart said that working with the DoD requires much more stringent cyber oversight than working in the private sector. Industry should constantly build on its cyber security strategy and architecture and look for ways to advance on the security accreditations it already has in place.
Burgart explained: “Corporations can’t implement a solution and say ‘There, we’ve done it. We’ve eliminated cyber security as a problem.’
“It just doesn’t work that way; there needs to be continual training and the resources available to keep updating architectural and cyber strategy as we become aware of new threats.”
While strong passwords are still a challenge on the private-sector side – leaving millions at risk for breaches – Burgart and Massaro say that Industry must go well beyond 123456 passwords: implement operating system changes, accept patches and virus-definition updates, and continually update cyber security measures on training devices and systems for new and evolving cyber threats.