We often get pushback from clients about password policies. People worry that if we roll out a password policy, users will forget their passwords and find it inconvenient. We usually joke that leaving your car or house unlocked is more convenient too, but probably not a good idea. Well, last Friday Citrix found out how embarrassing (and how damaging to their stock price) a weak password policy can be. You can read the full article below about their recent breach, but the important part to know is how the attackers got in:
“The FBI advised Citrix that the hackers likely used a tactic known as password spraying, where the threat actor tries a single commonly used password against many accounts. If unsuccessful, additional common passwords will be tried until the accounts are accessed.”
It seems so simple, but a password like “password” or “p@$$w0rd” could be what hands an attacker the keys to your kingdom. Spraying works precisely because it sidesteps account lockout: instead of hammering one account with many guesses, the attacker makes one guess against every account, waits, and tries the next common password, so a single user who picked a common password is all it takes. So what can you do?
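To make the pattern concrete, here is an added example (not code from the original post) that distinguishes a password spray from a classic brute force in failed-logon records. The log lines are constructed for the example, loosely modelled on Windows Security event 4625 (timestamp, event ID, source IP, target account), and the thresholds are assumptions that you would tune against your own baseline of failed logons.

```python
"""Password-spray detection over failed-logon records.

Added example, not from the original post. The log lines are constructed,
loosely modelled on Windows Security event 4625 (failed logon). Thresholds
are assumptions to be tuned against your own environment's baseline.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 10.0.0.50 sprays one guess across ten accounts,
# 10.0.0.77 hammers a single account (classic brute force),
# 10.0.0.12 is a user who mistyped a password twice.
SAMPLE_LOG = """\
2019-03-08T02:00:01 4625 10.0.0.50 alice
2019-03-08T02:00:02 4625 10.0.0.50 bob
2019-03-08T02:00:03 4625 10.0.0.50 carol
2019-03-08T02:00:04 4625 10.0.0.50 dave
2019-03-08T02:00:05 4625 10.0.0.50 erin
2019-03-08T02:00:06 4625 10.0.0.50 frank
2019-03-08T02:00:07 4625 10.0.0.50 grace
2019-03-08T02:00:08 4625 10.0.0.50 heidi
2019-03-08T02:00:09 4625 10.0.0.50 ivan
2019-03-08T02:00:10 4625 10.0.0.50 judy
2019-03-08T02:01:00 4625 10.0.0.77 alice
2019-03-08T02:01:01 4625 10.0.0.77 alice
2019-03-08T02:01:02 4625 10.0.0.77 alice
2019-03-08T02:01:03 4625 10.0.0.77 alice
2019-03-08T02:01:04 4625 10.0.0.77 alice
2019-03-08T02:01:05 4625 10.0.0.77 alice
2019-03-08T09:15:00 4625 10.0.0.12 bob
2019-03-08T09:15:20 4625 10.0.0.12 bob
"""


def parse_failed_logons(log_text):
    """Return (timestamp, source_ip, account) tuples for event 4625 lines."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event_id, src, account = line.split()
        if event_id != "4625":
            continue
        events.append((datetime.fromisoformat(ts), src, account.lower()))
    return events


def _windows(evs, window):
    """For each event taken as a window start, yield (start, {account: failures})
    covering every event within `window` of it."""
    evs = sorted(evs)
    for i, (start, _) in enumerate(evs):
        counts = defaultdict(int)
        for ts, account in evs[i:]:
            if ts - start > window:
                break
            counts[account] += 1
        yield start, counts


def classify_sources(events, window=timedelta(minutes=30),
                     min_accounts=8, max_per_account=2, brute_threshold=5):
    """Label each source IP as 'spray', 'brute-force' or 'benign'.

    A spray is many distinct accounts with few failures each: the attacker
    keeps every account under the lockout threshold. A brute force is many
    failures against one account, which lockout policies already catch."""
    by_src = defaultdict(list)
    for ts, src, account in events:
        by_src[src].append((ts, account))
    labels = {}
    for src, evs in by_src.items():
        labels[src] = "benign"
        for _, counts in _windows(evs, window):
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                labels[src] = "spray"
                break
            if max(counts.values()) >= brute_threshold:
                labels[src] = "brute-force"
                break
    return labels


def tenant_wide_spray(events, window=timedelta(minutes=30), min_accounts=8):
    """Source-agnostic view: distinct accounts failing inside one window.
    This still catches a spray rotated across many source IPs, where no single
    IP crosses the per-source threshold. Returns (flagged, busiest_window)."""
    evs = [(ts, account) for ts, _, account in events]
    busiest = 0
    for _, counts in _windows(evs, window):
        busiest = max(busiest, len(counts))
    return busiest >= min_accounts, busiest


if __name__ == "__main__":
    evs = parse_failed_logons(SAMPLE_LOG)
    for src, label in classify_sources(evs).items():
        print(f"{src}: {label}")
    print("tenant-wide spray:", tenant_wide_spray(evs))
```

The per-source view is what most SIEM rules start with; the tenant-wide view is the one that matters against a patient attacker who rotates through cloud IP addresses, and its threshold has to sit above the organisation's normal rate of mistyped passwords or it will page you every Monday morning.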
- Have a written password policy and enforce it throughout your network. Include a minimum length, complexity requirements and a maximum age, and, most importantly against spraying, a banned-password list that rejects common passwords and their obvious variants: “p@$$w0rd” satisfies most complexity rules yet is still one of the first guesses an attacker makes. Audit the policy regularly. This is part of our standard, regularly scheduled best-practice audits.
- When you roll this out, explain to your team why it matters and why it is in their own interest. Remind them to apply the same principles to their personal accounts as well.
- Use a password manager such as LastPass to manage your user accounts and passwords. It runs on desktops, laptops, tablets and phones. Let it generate random passwords for you, since you no longer have to remember them. LastPass can even link a personal account to your company account so both are available from one login.
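The policy check below is an added example (not code from the original post or from LastPass) showing why a banned-password list belongs in the policy alongside length and complexity: “p@$$w0rd” passes a classic three-of-four character-class rule, so only a check that undoes the leetspeak substitutions and compares against a banned list rejects it. The banned list, the leet table and the policy numbers are constructed assumptions; a real deployment loads a breach-derived list of many thousands of entries plus the company's own name and products.

```python
"""Password-policy check with a normalised banned list.

Added example, not from the original post. BANNED, LEET and the policy
numbers are constructed assumptions for illustration only.
"""
import re

# Common leetspeak substitutions, undone before comparing against the list.
LEET = str.maketrans({"@": "a", "4": "a", "$": "s", "5": "s", "0": "o",
                      "1": "i", "!": "i", "3": "e", "7": "t"})

# Constructed banned list (assumption). "citrix" stands in for the
# organisation's own name, which is always among an attacker's first guesses.
BANNED = {"password", "welcome", "letmein", "qwerty", "summer", "citrix"}

_EDGE = re.compile(r"^[\d\W_]+|[\d\W_]+$")  # leading/trailing digits and punctuation


def candidates(pw):
    """Two reductions of a password to its 'core' word.

    Stripping edges before undoing leet handles 'P@$$w0rd2019!' (the trailing
    year must go before '0' becomes 'o'); undoing leet first handles '$ummer2019'
    (the leading '$' is an 's', not punctuation). Both are checked."""
    low = pw.lower()
    return {_EDGE.sub("", low).translate(LEET),
            _EDGE.sub("", low.translate(LEET))}


def banned_match(pw, banned=BANNED):
    """Return the banned word the password reduces to, or None."""
    cands = sorted(candidates(pw))
    for core in cands:
        if core in banned:
            return core
    # Aggressive substring rule: 'mypassword2019' is still 'password'.
    for core in cands:
        for word in sorted(banned):
            if len(word) >= 6 and word in core:
                return word
    return None


def meets_complexity(pw, classes_required=3):
    """Classic 3-of-4 character-class rule. Note that p@$$w0rd passes it."""
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]")
    return sum(bool(re.search(c, pw)) for c in classes) >= classes_required


def check_password(pw, min_len=12, banned=BANNED):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not meets_complexity(pw):
        problems.append("fewer than 3 of 4 character classes")
    word = banned_match(pw, banned)
    if word:
        problems.append(f"banned: normalizes to '{word}'")
    return problems


if __name__ == "__main__":
    for candidate in ("p@$$w0rd", "P@$$w0rd2019!", "Welcome1!", "$ummer2019",
                      "Tr0ub4dor&3", "Purple-Tractor-Quietly-Sings-7"):
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```

The substring rule is deliberately aggressive and will reject some harmless passphrases that happen to contain a banned word; that is the usual trade-off, and a long randomly generated password from a manager never hits it.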
For our clients we regularly monitor the dark web for valid, working user accounts and passwords associated with their company. If we detect any, we immediately take action on those accounts to prevent a future breach. If you feel you may be at risk or have further questions about security issues like this, please don’t hesitate to call or email me directly.
Also note that it is not believed the Citrix software itself was compromised. It appears the attackers stole corporate documents and did not reach the source code.