NEWS ANALYSIS: The National Security Agency could have at least limited the damage of Edward Snowden’s leaks if it had strictly enforced password security.
Pretty much everyone knows that passwords aren’t supposed to be shared. Passwords exist to protect your information and your employer’s information from being seen by people who shouldn’t see it and could cause serious damage if they do access it.
This is why you have a strong password on your banking information (you DO have a strong password on your bank account, don’t you?)
So how is it that Edward Snowden managed to get the passwords that gave him access to thousands of secret documents? According to a story from Reuters, Snowden did it in the easiest way possible.
He asked for it.
But of course there’s more to it than that. What Snowden did was tell a couple dozen of his co-workers that he needed their passwords because he was a system administrator. Those co-workers, knowing that Snowden was fully cleared, figured it was safe, and gave him the passwords. Snowden used that trust to raid the NSA files of everything he could find.
Leaving aside the propriety of what Snowden did, the fact that he was able to get the information he did with other people’s log-in information speaks volumes. Perhaps more important, it speaks those volumes directly to you and your employer.
Snowden exploited a weakness that exists at nearly every company or organization and which can be overcome only by having the right security policies and the right training. That weakness is trusting the wrong people at the wrong time.
The obvious question is how this applies to you and your organization.
After all, the chances are pretty good that you’re not sitting on a pile of state secrets. But the chances are that your company has plenty of information that has value to your competitors, to criminals or to people who want to use that information for other dubious purposes. Do you really want the outside world to see your customer list? Your financial statements? Your supply chain or manufacturing details? Probably not.
Unfortunately, if you lose control of your organization’s passwords, you’re doing just that. But you can limit the problem by implementing some basic practices, making sure your staff is trained and then retrained frequently.
Here are some things you can do:
1. Require passwords that are hard to guess, but don’t go overboard.
If you require passwords that are too complex, nobody will remember them. You know what happens next—yellow sticky notes on their monitors. That doesn’t really help security.