The humble password has long been the first line of defence against hackers in modern computing, but the increased use of digital technologies – such as the cloud, big data, mobile, Internet of Things and AI – has posed fresh challenges to companies when it comes to security, compliance and data protection.
Despite this progression, the password still has a vital role to play alongside other layers of technology; companies should not underestimate the value of good password hygiene.
In 2019, Verizon reported via its annual Data Breach Investigations Report (DBIR) that 81% of hacking-related data breaches involved either stolen or weak passwords. In fact, the 2019 State of Password and Authentication Security Behaviors Report, which compiled results from a survey of 1,761 IT and IT security practitioners, stated that:
- 69% share passwords with colleagues to access accounts;
- 51% reuse passwords across their business and personal accounts;
- 57% who have experienced a phishing attack have not changed their password behaviors;
- 67% do not use any form of two-factor authentication in their personal life, and 55% do not use it at work; and
- 57% expressed a preference for a login method that does not involve the use of passwords.
The main risk with the practices listed above is password theft, in which the associated identity is stolen along with the password.
Common Techniques for Cracking Passwords
Dictionary Attacks
Dictionary attacks rely on software that automatically plugs common words into password fields.
Cracking Security Questions
Many people use the names of spouses, kids, other relatives, or pets in security questions or as passwords themselves. These types of answers can be deduced with a little research and can often be found on your social media profile.
Guessing Simple Passwords
The most popular password is 123456. The next most popular is 12345. Other common choices are 111111 and abc123.
Reuse of Passwords Across Multiple Sites
When one data breach compromises passwords, that same login information can often be used to hack into users’ other accounts. Reusing passwords for email, banking, and social media accounts can lead to identity theft.
Social Engineering
Social engineering is the act of manipulating others into performing certain actions or divulging confidential information. It can be employed to trick targets into disclosing passwords.
It only takes one breach at the right company for millions of usernames and passwords to become compromised.
Most users understand the nature of security risks related to easy-to-guess passwords. Password policies are a set of rules created to increase password security by encouraging users to create strong, secure passwords, and then store and utilize them properly.
Security Policies and Best Practices for Password Protection
Change Passwords Regularly
Although many businesses require passwords to be a minimum length, mix letter case and use numbers, the majority are failing to enforce any further password complexity requirements on employees.
The reality is the ‘traditional’ password is dead; it can be compromised far too easily. Many people tend to choose passwords based on how memorable they are, rather than as a measure to deter online intruders, and these same passwords are often shared across numerous accounts.
Hackers know this and run scripts that work through such lists – both common-password lists and lists of stolen passwords – to automatically try many different username-password combinations on multiple websites. Try enough doors and, eventually, you’ll find one that can be unlocked.
The way to stay ahead of the hackers is to change passwords regularly, so that even if your password has been previously leaked, you’re already using a new one.
Use Passphrases Over Passwords
To avoid playing into the hands of hackers, and to tackle poor password hygiene habits, employees should be encouraged to use passphrases, not passwords.
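The following is an added example, not code from the original article: a registration-time password check that applies the legacy "minimum length, mixed case, plus a number" rule described above, then rejects anything on a common-password blocklist (seeded with the passwords the article cites) and accepts a passphrase that the legacy rule alone would fail. The blocklist, the passphrase threshold and the overall accept rule are assumptions for the example.

```python
import re

# Constructed blocklist for this example. A real deployment would load a large
# breached-password list; the first four entries are the ones the article cites.
COMMON_PASSWORDS = {"123456", "12345", "111111", "abc123", "password", "qwerty"}

def meets_legacy_complexity(pw: str) -> bool:
    """The 'minimum length, mixed case, plus a number' rule many businesses enforce."""
    return (len(pw) >= 8
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None)

def is_blocklisted(pw: str) -> bool:
    """True if the password, or a trivial variant of it, is on the common list.
    Variants checked: case-folded, symbols stripped, trailing digits/symbols
    stripped, so 'Password1' and 'Abc123!' are caught by 'password' and 'abc123'."""
    folded = pw.lower()
    candidates = {
        pw,
        folded,
        re.sub(r"[^a-z0-9]", "", folded),
        re.sub(r"[^a-z]+$", "", folded),
    }
    return any(c in COMMON_PASSWORDS for c in candidates)

def is_passphrase(pw: str) -> bool:
    """Assumed passphrase threshold: at least 16 characters and three words."""
    return len(pw) >= 16 and len(pw.split()) >= 3

def evaluate(pw: str) -> dict:
    """Return the individual checks plus the overall verdict.
    Assumed policy: reject anything blocklisted, then accept either a
    passphrase or a password that meets the legacy complexity rule."""
    result = {
        "legacy_complexity": meets_legacy_complexity(pw),
        "blocklisted": is_blocklisted(pw),
        "passphrase": is_passphrase(pw),
    }
    result["accept"] = not result["blocklisted"] and (
        result["passphrase"] or result["legacy_complexity"])
    return result

if __name__ == "__main__":
    for candidate in ("Password1", "Abc123!", "correct horse battery staple"):
        print(f"{candidate!r}: {evaluate(candidate)}")
```

"Password1" satisfies the legacy rule yet is rejected because it is a trivial variant of a blocklisted word, while the four-word passphrase fails the legacy rule and is still accepted.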
Deploy Multiple Factors of Authentication
The use of multi-factor authentication (MFA) – including MFA apps – must also be encouraged. An MFA app generates a one-time password (OTP), also known as a token, that is valid for only 30 seconds. Even if hackers guess a user’s password, they won’t be able to guess a randomly generated OTP before it expires.
MFA apps also use end-to-end, military-grade encryption that remains secure even over untrusted networks – unlike OTPs delivered by SMS.
However, MFA apps should only be used on phones that haven’t been jailbroken, since a jailbroken device can contain malware that intercepts OTPs and forwards them to hackers, who then use them to log in to apps.
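As an added example (not code from the original article), the following shows how the 30-second one-time password described above is generated and checked on the server side, following the standard TOTP construction (RFC 6238 over RFC 4226 HOTP). The shared secret, the reference timestamp and the one-step clock-drift tolerance are assumptions made for the example.

```python
import hashlib
import hmac
import struct
from typing import Optional, Tuple

STEP_SECONDS = 30      # the 30-second validity window the article mentions
DIGITS = 6
DRIFT_STEPS = 1        # assumed tolerance for clock skew between phone and server

# Constructed shared secret for this example; in practice it is generated at
# enrolment and delivered to the app (typically via QR code), one per user.
SECRET = b"constructed-example-secret"

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, unix_time: int, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current 30-second step."""
    return hotp(secret, unix_time // STEP_SECONDS, digits)

def verify(secret: bytes, submitted: str, unix_time: int,
           last_used_step: Optional[int] = None) -> Tuple[bool, Optional[int]]:
    """Server-side check. Accepts the current step plus/minus DRIFT_STEPS, and
    refuses any step at or before the last one consumed, so a code that was
    captured and replayed (or simply expired) is rejected. Returns
    (accepted, new_last_used_step)."""
    current = unix_time // STEP_SECONDS
    for step in range(current - DRIFT_STEPS, current + DRIFT_STEPS + 1):
        if last_used_step is not None and step <= last_used_step:
            continue
        if hmac.compare_digest(hotp(secret, step), submitted):
            return True, step
    return False, last_used_step

if __name__ == "__main__":
    t0 = 1_700_000_000                       # constructed reference time
    code = totp(SECRET, t0)                  # what the app displays at t0
    ok, used = verify(SECRET, code, t0)      # fresh code: accepted
    replay, _ = verify(SECRET, code, t0, used)       # same code again: rejected
    expired, _ = verify(SECRET, code, t0 + 90)       # 90 s later: outside window
    print(f"code={code} accepted={ok} replay={replay} expired={expired}")
```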
Conduct Regular Security Training
Whether it’s a loss prevention associate or a manager, every employee requires some level of cybersecurity training. These training sessions should be focused on providing employees with information on the risks associated with accessing schedules, training materials and other data on personal and company devices, so they can be aware of current threats. It is critical for this training to provide clear links between how these issues impact their workday and personal lives.
Around 53% of companies have some form of security awareness training in place. Insider attacks are regarded as the most dangerous and they often emanate from a non-malicious, uninformed employee. Without security awareness, these employees can browse websites with malware, open and click on phishing emails, store their login credentials under their desk, give information to malicious third parties in a social engineering attack and so on.
Implement Single Sign-On
Implementing operating systems that offer single sign-on (SSO) functions is another sure-fire way of improving a company’s password hygiene. SSO is an authentication process that enables employees to access their applications using just one set of login credentials.
While this service provides convenience for its users, it can also help ensure that the right employees are accessing the appropriate documents. This is possible because IT managers control application provisioning and can authorize each individual’s access to the applications their job role requires – protecting sensitive data from getting into the wrong hands.