Passwords For Primary Protection Are No Longer Valid. Now What?

According to a recent article in the Wall Street Journal, the man who literally wrote the book on password management, Bill Burr, admitted that the password as primary protection is no longer valid.  Burr was the author of a 2003 report that recommended using numbers, obscure characters and capital letters, along with regular updating, for increased security.  Now, according to the article, he says he “blew it”.

Despite his confession, passwords still play an important role in security today – but they are not enough on their own.

If you are the owner of a business, or several businesses, for instance, you are no doubt more than a little busy.  Maybe even too busy to closely manage the various passwords you use for favorite web sites and your apps.  If you tend to use the same, or similar, passwords for more than one site, or if a password is your only tool for credentials and authentication, you could be putting your organization – and yourself – at risk for identity theft and/or a security breach.

Obviously, the notion of the password as the first, and sometimes only, line of defense has become limited.  Passwords have a place, but should not be used in isolation.  If you think about it, passwords came into play more than 20 years ago as the Internet started to become more popular and email took over as the primary mode of interpersonal and business communications.  Impressive, considering there aren’t too many technology solutions developed 20 years ago that are still relevant.  However, cybercrime is now an industry that’s becoming more sophisticated every day.  Why would we expect a 20-year-old solution to still be effective in 2018?

As a business owner, you are at particular risk for credential-based attacks.  You have access to valuable company data and attackers may assume – often with accuracy – that you may not have adequate levels of security in place.  And if you are attacked through a password theft and you use the same password for multiple websites, watch out.  Your most intimate personal records – bank accounts, investment portfolios, etc. – could all be at risk.


So What Should You Do?

First of all, you don’t want to rely on passwords as your only line of defense.  You should have at least two-factor authentication and, realistically, multi-factor authentication.  This kind of authentication can be thought of as three categories: something you know, something you are, something you have.  The password fits into the category of “something you know”, and, because you are likely to continue using passwords as one method of security protection, you should take the time and care to manage them closely and not keep using the same word and character patterns over and over again.

Next, biometrics have become a widely used method of authentication in the category of “something you are”.  If you have an iPhone 5s or later, you are probably using Touch ID, so you are aware of how simple it is to use and how commonplace it has become.  Often two-factor authentication – password and biometrics – might be enough, but industry best practices are moving toward multi-factor authentication.  This would also include “something you have”, such as a security token.

As a business owner, it is important that you remain vigilant.  If your company only requires passwords, press the issue and, if necessary, refuse to use platforms that you think could be vulnerable.  If you aren’t sure about your company’s security vulnerabilities, BIS is here to evaluate any threats and keep your business safe from cybercrime.

Cybersecurity is only as strong as its weakest link – and you don’t want that weakest link to be you.  Make sure you have authentication protections that go beyond passwords – and make sure two-factor or multi-factor authentication becomes standard practice with your business.  The risks are far too great to ignore.  For more information or to schedule an evaluation, contact us.

