“Why do I have to change my password so much?”
I hear this all the time from my clients. As annoying as password changing is, there is a lot of good that comes out of it. Password security importance is at an all-time high and we recommend 30, 60, or 90-day expiration cycles. These security provisions help with the prevention of cybercrime, for example, the incredibly devastating ‘crypto’ ransomware.
Crypto style ransomware encrypts data on a computer and demands the user to pay ransom, normally in the internet currency of bitcoin. If the ransom goes unpaid, and there are no backups to restore data from, that encrypted data is forever gone. The danger for most businesses is that if the infected computer is a business computer, network drives to the server can lead to encryption of all the data on the server. Imagine all your business files in the hands of a criminal, and if you don’t have recent backups, there is nothing you can do to get your business data back, that is unless a steep price is paid. ( One bitcoin is the equivalent to $1,500.) It should also be noted that companies that paid the ransom haven’t always gotten their data back.
In my experience, normally the accounts that get hacked are service-style accounts, such as print scanner accounts. Both the default passwords and the passwords generated for these accounts are normally not secure and can be guessed by simple password scripts (or password-guessing programs) that constantly test passwords on these accounts until the correct password is guessed. These scripts are so technical now that they will only try the allocated number of times before it locks the account to get by that security provision. Also, these account passwords are normally setup to never expire, so this is a huge security threat. If the password is guessed it can then be changed by the hacker. These service accounts can also be used on a VPN where a radius log in is setup, meaning you can access the VPN by your username and password.
If a cybercriminal can get on your VPN, they have full access to your internal network, where they can put the ransomware immediately on your network drives, encrypting your precious business data. This can be done by installing the ransomware immediately on to the network drives or through email attachments. Ransomware quickly encrypts data, but if you can catch it quickly sometimes not all data is lost. However, with that said, it is much better to prevent this from happening in the first place.
So as annoying as it may be, it is extremely important to have passwords on expiration cycles. Having to remember a new password is worth never having to pay a ransom to retrieve your data.