In honor of World Password Day, we’re doing our part to help keep your business secure by discussing the good, the bad, the ugly and the critical about passwords.
Let’s face it: between all the logins we need for work and all the accounts we use in our personal lives, there are too many passwords to remember. So many of us do what seems natural—use the same password for multiple accounts. After all, especially with corporate password policies, most employees use strong passwords with a mix of numbers, lowercase and uppercase letters, and special characters.
Still, what about all those sticky notes we have “secretly” hidden in locations probably not far away from our devices? That security risk is only the tip of the iceberg. Because according to a 2019 Lastpass survey, US employees working in mid-sized corporate businesses must manage approximately 75 passwords for work. Unsurprisingly, employees recycle passwords 13 times on average.
In other words, employees are using the same passwords over and over. And in many cases, especially for corporate applications and resources that lack strong password requirements, some passwords just aren’t strong enough. Cybercriminals know this, and it’s why breaches happen.
If hackers get access to your trusted data, the ramifications can be dire. The costs of a data breach go well beyond financial, and include damage to your company’s brand, trust and reputation.
Why do we need stronger and longer passwords?
As malware, phishing, and ransomware continue to skyrocket, we must understand that the password is the primary method for attackers to gain access to corporate systems.
Phishing passwords may be the easiest method, but passwords can also be cracked. The stronger the password, the harder it is for cybercriminals to decode. In a typical attack—the brute force password attack—attackers will use software that quickly attempts every possible password combination of numbers, letters, and symbols.
These software programs get better as computing power increases. For example, an eight-character strong password was not long ago considered secure and difficult to crack. Today, it can be cracked in eight hours. But if we tack on two more characters to make it ten-character, cracking the password can take approximately five years.
Why do we need unique passwords for every login?
As mentioned above, phishing is one of the simplest ways for hackers to steal our passwords.
If you think your company has been victimized by phishing, malware, or ransomware, perhaps you’ve taken steps to reset those passwords. But the security risk here is if employees are using the same passwords for different apps, sites or resources.
Have you heard about credential stuffing? With credential stuffing, attackers take username and password combinations they already know (which have been stolen or paid for on the dark web) and try them everywhere they can. Use of credential stuffing is escalating, and businesses of all sizes should take note. This type of attack is only successful if and when employees use the same password for different logins.
What about password managers?
Managing all those passwords doesn’t have to be complicated. A password management system is software that keeps an up-to-date list of all your passwords and logins, using a master password to access the password “vault”. That master password is the only one you need to remember.
What if a hacker accesses your vault? Isn’t that riskier?
Sure, there is undoubtedly an element of risk, but it’s critical to think in terms of relative safety. As a general rule, using some type of password manager (there are several popular solutions available)) is more secure than not having one. Achieving complete security on the internet today is not feasible. Organizations must always consider risk, and password managers reduce risk.
Remember, most cybercriminals are looking for easily hackable targets and low-hanging fruit.
Password safety tips and best practices
A strong password is perhaps the most critical tip for preventing attacks like brute force. Remember, eight characters doesn’t cut it anymore, although it’s certainly better than the most common password found in a recent Nordpass study. Sadly, the most popular password eight years running is none other than… “123456.” Also in the top 10 are “12345678”, “123456789” and even “1234567890.” The password “password” was the fourth most popular.
For your strong password, think of it more like a pass phrase or even pass sentence—not a word. It should, of course, contain a mix of numbers, letters, special characters. A good strategy is to take several unrelated words and put them together, adding a few characters in the mix. For example, “Walking88Dog%coffee” would be difficult for hackers to crack.
Some security experts suggest making your master password a 25-character passphrase if you're using a password manager. It may sound long, but if you only need one password, it’s not so bad.
Strong passwords aside, here are several best practices your organization should employ.
Multifactor authentication (MFA) is a *must have*. With MFA, the password may represent the first factor in the multi factor process. The second part of the process is typically a code sent through email or text message (like when logging into your bank), but may also be a fingerprint scanner, face recognition or a physical token. While MFA isn’t un-hackable, cybercriminals would need physical access to your device to hack you in most cases.
Minimize login attempts. Don’t be too generous with the number of unsuccessful password attempts to access your systems. The fewer tries available for employees (within reason), the less chance for hackers to keep trying new passwords.
When logins are unsuccessful, lock accounts. Much like minimizing logins, this strategy will give hackers a reason to give up and move on to their next target. You can also limit the time between unsuccessful logins.
Do not share your passwords. Sharing login credentials may sound like it will save time and or money, but the savings won’t come close to the costs of a data breach if any of those passwords are stolen.
Be sneaky with your secret questions and answers. Social media is a treasure trove of personal information, and hackers may easily guess some of the secret questions if you fill them out with easy answers. Use information that very few people know, or simply make things up with answers only you know.
Finally, and most importantly, foster a corporate culture of security awareness. When users are made aware of the risks associated with bad passwords and poor security habits, everybody wins. Make them feel involved and engaged with your awareness program. Good cyber hygiene should be part of your culture and taught to employees and contractors on a regular basis.