Anti-fraud group Profit is urging travel firms to reduce their reliance on computer passwords in its latest Counter Fraud Campaign 2019 email.
It suggests businesses should use passwords only where necessary, such as for access to the company Wi-Fi, and should use multi-factor authentication (MFA) for important accounts. MFA requires the password to be used along with a second factor, such as a text message code, a fingerprint scan or a random number generator, to access the account.
To reduce pressure on staff to remember multiple passwords, firms are advised to use single sign-on systems, which give employees access to everything they need to do their job once they have logged on.
Password systems can also be configured to impose a progressively increasing time-delay between log-in attempts after repeated failures, known as ‘throttling’. Profit prefers this to ‘account lock-out’, which locks users out after several failed attempts and requires an access-recovery method to be put in place.
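To make the distinction concrete, here is an added illustration of throttling (it is not code from the article or from Profit's campaign material). After each failed attempt on an account it doubles the wait before the next attempt is accepted, up to a cap, and a successful log-in clears the counter, so the genuine user is never locked out. The base delay, cap and reset window are assumed values chosen for the example.

```python
"""Progressive log-in throttling as an alternative to account lock-out.

Added example, not from the article: a per-account policy object that doubles
the wait after every consecutive failed attempt. The constants below are
assumptions for this illustration, not values from Profit's guidance.
"""
from dataclasses import dataclass

BASE_DELAY_SECONDS = 1.0      # assumed: wait after the first failure
MAX_DELAY_SECONDS = 300.0     # assumed: never make a user wait more than 5 minutes
RESET_AFTER_SECONDS = 3600.0  # assumed: forget old failures after an hour of quiet


def throttle_delay(failures: int) -> float:
    """Seconds a user must wait after `failures` consecutive failed attempts.

    0 failures -> 0 s, 1 -> 1 s, 2 -> 2 s, 3 -> 4 s, ... capped at MAX_DELAY_SECONDS.
    A typo-prone user is barely slowed, while online guessing becomes
    impractically slow; unlike a hard lock-out, nobody can deny the real
    user access simply by entering wrong passwords on their behalf.
    """
    if failures <= 0:
        return 0.0
    return min(BASE_DELAY_SECONDS * 2 ** (failures - 1), MAX_DELAY_SECONDS)


@dataclass
class AccountThrottle:
    """Throttling state for one account; `now` is passed in so the logic is testable."""
    failures: int = 0
    last_failure_at: float = 0.0

    def _maybe_reset(self, now: float) -> None:
        # A quiet period long enough means the old failures no longer count.
        if self.failures and now - self.last_failure_at >= RESET_AFTER_SECONDS:
            self.failures = 0

    def seconds_until_allowed(self, now: float) -> float:
        """0.0 if an attempt may be made now, otherwise the remaining wait."""
        self._maybe_reset(now)
        ready_at = self.last_failure_at + throttle_delay(self.failures)
        return max(0.0, ready_at - now)

    def record_failure(self, now: float) -> None:
        self._maybe_reset(now)
        self.failures += 1
        self.last_failure_at = now

    def record_success(self) -> None:
        # A correct password clears the counter: the account is never locked.
        self.failures = 0
        self.last_failure_at = 0.0


def attempt_login(throttle: AccountThrottle, password_ok: bool, now: float) -> str:
    """Outcome of one attempt at time `now`: 'throttled', 'denied' or 'ok'.

    `password_ok` stands in for the real credential check, which is out of
    scope here; the point is how the throttle wraps around it.
    """
    if throttle.seconds_until_allowed(now) > 0:
        return "throttled"   # attempt not even evaluated; user told to wait
    if not password_ok:
        throttle.record_failure(now)
        return "denied"
    throttle.record_success()
    return "ok"


if __name__ == "__main__":
    t = AccountThrottle()
    for when, ok in [(0.0, False), (0.5, False), (1.0, False), (2.0, True), (3.0, True)]:
        print(f"t={when:>4}s -> {attempt_login(t, ok, when)} (wait now {t.seconds_until_allowed(when):.1f}s)")
```

The log-in handler never distinguishes a throttled attempt from a denied one to the remote client beyond asking it to wait, and the failure counter is keyed per account, which is what stops a burst of wrong guesses from turning into a self-inflicted lock-out.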
Profit is also advising businesses to use security monitoring to detect abnormal activity; use password blacklisting so that users cannot choose the most common passwords; protect passwords in transit using HTTPS; protect the access management system so that attackers cannot use it to get into the wider system; store passwords in hashed format (an unreadable string of characters rather than the password itself); prioritise security around important or vulnerable accounts; change all pre-set passwords on new apps and devices; and provide a facility for staff to store passwords securely.
It advises against enforcing regular password expiry, as this harms rather than improves security. Instead it suggests having an effective movers/leavers process in place, automatically locking out inactive accounts, and monitoring log-ins for suspicious behaviour.
Shared access to accounts should also be carefully managed with only a small number of people allowed access to the password.
In terms of what passwords employees should use, the advice says they need to be strong (a mix of numbers, letters with at least one capital, and symbols); memorable to the member of staff; not obvious to others; kept confidential; and changed periodically.
Among the words and numbers that users should avoid are: common names; the names of close relatives, friends or pets; phone number, NHS number, address, postcode, anniversary or office number; and acronyms, product names, or the name of a country, school, sports team or figure from popular culture.
The 25 most commonly used passwords are:
1. 123456
2. Password
3. 123456789
4. 12345678
5. 12345
6. 111111
7. 1234567
8. Sunshine
9. Qwerty
10. iloveyou
11. Princess
12. Admin
13. Welcome
14. 666666
15. abc123
16. Football
17. 123123
18. Monkey
19. 654321
20. !@#$%^&*
21. Charlie
22. aa123456
23. donald
24. password1
25. qwerty123
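Two of the measures above, blacklisting the most common passwords and storing passwords only in hashed form, are short enough to show in full. The following is an added illustration, not code from the article or from Profit: it rejects the 25 passwords listed above (compared case-insensitively, so "Password" and "PASSWORD" are both caught), applies the strength rule from the advice (numbers, letters with at least one capital, and symbols), and stores a salted PBKDF2 hash instead of the password. The minimum length, iteration count and salt size are assumed values for the example; the article gives none.

```python
"""Common-password blacklist, strength check and salted hashing.

Added example, not the article's or Profit's code. The blacklist is the
article's list of the 25 most commonly used passwords; MIN_LENGTH,
PBKDF2_ITERATIONS and SALT_BYTES are assumed values for this illustration.
"""
import hashlib
import hmac
import os
import string
from typing import List, Optional

# The article's 25 most common passwords, lower-cased so the check is
# case-insensitive (a capital letter does not rescue a blacklisted word).
COMMON_PASSWORDS = frozenset(p.lower() for p in (
    "123456", "Password", "123456789", "12345678", "12345", "111111",
    "1234567", "Sunshine", "Qwerty", "iloveyou", "Princess", "Admin",
    "Welcome", "666666", "abc123", "Football", "123123", "Monkey",
    "654321", "!@#$%^&*", "Charlie", "aa123456", "donald", "password1",
    "qwerty123",
))

MIN_LENGTH = 12              # assumed minimum length
PBKDF2_ITERATIONS = 210_000  # assumed work factor; raise as hardware allows
SALT_BYTES = 16              # assumed salt size


def password_problems(candidate: str) -> List[str]:
    """Return every reason a candidate password is unacceptable (empty list = OK).

    Reporting all problems at once lets the user fix them in one go instead
    of discovering them one rejection at a time.
    """
    problems = []
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("in the common-password blacklist")
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    if not any(c.islower() for c in candidate):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in candidate):
        problems.append("no capital letter")
    if not any(c in string.punctuation for c in candidate):
        problems.append("no symbol")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'pbkdf2_sha256$iterations$salt$hash'.

    Only this string is kept; the password itself is never written down.
    A fresh random salt per user means two users who pick the same password
    still end up with different stored values.
    """
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    for candidate in ("qwerty123", "PASSWORD", "Qwerty123!Abc"):
        print(f"{candidate!r}: {password_problems(candidate) or 'acceptable'}")
    record = hash_password("Qwerty123!Abc")
    print("stored:", record)
    print("verify correct:", verify_password("Qwerty123!Abc", record))
    print("verify wrong:  ", verify_password("Qwerty123!Abd", record))
```

Storing the iteration count inside the record is what lets the work factor be raised later: old records still verify with the count they were created under and can be re-hashed at the user's next successful log-in.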