Are Poor Password Habits Putting Your Organisation at Risk?
Your organisation has introduced a new application that requires another password to log in. You feel exasperated, as it is yet another piece of information to remember in your busy working day. Surely reusing a password made from your birthday and the name of the pet you love to share pictures of on social media is fine. You'll never forget it, as it's neatly written on a Post-it note stuck to your PC screen. Changing the temporary password to the one you already use for both your personal and professional online accounts, you assume nothing bad can happen.
Returning to your desk the following day, it's time to finish those quarterly reports for this week's board meeting. Sitting down at your computer, you find your PC is already logged in and your critical data files have gone. Someone has gained access to your computer. Feeling a fool, you realise you shouldn't have used the same easily accessible password, and now both your professional and personal data are vulnerable.
Passwords are traditionally the first line of defence for companies, and small businesses have on average up to 85 passwords to remember[1]. As a result, it's easy to understand why users suffer from password fatigue. When creating logins, remember that these passwords are the gateway to your sensitive data. Practising good password hygiene plays a part in maintaining strong IT security and keeping your information secure. Follow along below as we discuss common password mistakes, how to create a secure password and the untold damage poor password use can cause.
Common Password Mistakes
According to a recent survey, 77% of people reuse passwords. Like 64% of employees, you may think that because you have Multi-Factor Authentication (MFA) in place, a weak password is no big deal. You are incorrect! Hackers are able to find workarounds for these additional authentication mechanisms, enabling them to gain access to sensitive information[2]. Choosing a password that resists both guessing and cracking is therefore incredibly important.
Even if you vary the passwords you use, not all of them are fit for purpose. It has been shown that 21% of people still create a password from their pet's name, favourite sports team or important dates[2]. If you share these details on social media, this information may be readily available to hackers, giving them a better chance of guessing your password. Here are some other common mistakes made when using and creating passwords:
- Using the same password for all online accounts
- Varying the password by a single character
- Sharing or openly storing passwords
- Using personal information in passwords
- Using short passwords
- Substituting numbers for letters
- Using recognisable keystroke patterns like ‘qwerty’
- Storing passwords in plain text
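Every mistake in the list above can be detected mechanically at the moment a user sets a password, which is where a defender gets the most value from it. The Python below is an added example, not code from the article or from NCI Technologies. The minimum length, the tiny block list, the keyboard patterns and the substitution map are all assumptions for illustration (a production block list would be breach-derived and far larger). It flags reuse, single-character variations of a previous password, embedded personal details, short passwords, keyboard patterns and common words disguised with number-for-letter substitutions, and so also provides the block-list check the article recommends further down.

```python
"""Password-mistake checker (added example, not from the original article).

Returns the list of reasons a candidate password is weak. All thresholds,
names and sample data here are assumptions for illustration.
"""

MIN_LENGTH = 12  # assumed minimum; the article gives no figure

# Constructed deny list; in practice this would be a large breach-derived list.
BLOCKLIST = {"password", "letmein", "welcome", "admin", "iloveyou", "football"}

# Constructed set of keystroke patterns to reject wherever they appear.
KEYBOARD_PATTERNS = ("qwerty", "asdf", "zxcv", "12345", "abcdef")

# Common number/symbol-for-letter substitutions, undone before the block-list
# check so that 'P@ssw0rd' is treated as 'password'.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def normalise(password: str) -> str:
    """Lower-case and undo the substitutions in LEET_MAP."""
    return password.lower().translate(LEET_MAP)


def differs_by_one(new: str, old: str) -> bool:
    """True if new is old with exactly one character changed, added or removed."""
    if new == old:
        return False
    if len(new) == len(old):
        return sum(a != b for a, b in zip(new, old)) == 1
    short, long_ = sorted((new, old), key=len)
    if len(long_) - len(short) != 1:
        return False
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))


def check_password(password: str, previous=(), personal=()) -> list:
    """Check one candidate password against the user's previous passwords
    and known personal details (name, pet, birth year, ...)."""
    reasons = []
    lowered = password.lower()
    norm = normalise(password)

    if len(password) < MIN_LENGTH:
        reasons.append("too short")

    if lowered in BLOCKLIST:
        reasons.append("on the block list")
    elif norm in BLOCKLIST:
        reasons.append("number-for-letter substitution of a blocked word")

    if any(p in lowered for p in KEYBOARD_PATTERNS):
        reasons.append("keyboard pattern")

    for item in personal:
        item_l = item.lower()
        # Ignore very short fragments so initials do not cause false positives.
        if len(item_l) >= 3 and (item_l in lowered or item_l in norm):
            reasons.append(f"contains personal information ({item})")

    for old in previous:
        if password == old:
            reasons.append("reused")
        elif differs_by_one(password, old):
            reasons.append("single-character variation of a previous password")

    return reasons


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate, kwargs in [
        ("P@ssw0rd", {}),
        ("Rex19900812!", {"personal": ("Rex", "1990")}),
        ("3redhousemonkeys27", {"previous": ("3redhousemonkeys26",)}),
        ("3redhousemonkeys27", {}),
    ]:
        print(candidate, "->", check_password(candidate, **kwargs) or "ok")
```

The three-random-words example the article gives later passes cleanly on its own but is rejected when it is merely the previous password with its final digit bumped, which is the "varying by a single character" mistake in practice.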
Using these less-complex measures to create passwords can lead to your login credentials being easily compromised. The amount of harm caused will depend on the level of information accessed, how long the breach remains undetected, the strength of your IT security and whether your systems have suffered further malicious attacks. Business losses may include data and money, but a breach could also have a detrimental effect on your organisation's reputation. Below are some examples of how passwords can be discovered[3].
- Interception: Passwords can be intercepted as they travel over a network.
- Brute Force: Automated guessing of billions of passwords until the correct one is found.
- Key Logging: Installing a keylogger to intercept passwords when they are entered.
- Manual Guessing: Details such as dates of birth or pet names can be used to guess passwords.
- Shoulder Surfing: Observing someone typing in their password.
- Stealing Passwords: Insecurely stored passwords can be stolen, such as ones written on sticky notes and kept near (or on) devices.
- Stealing Hashes: Stolen hash files can be cracked to recover the original passwords.
- Phishing and Coercion: Using social engineering techniques to trick people into revealing passwords.
- Data Breaches: Using the passwords leaked from data breaches to attack other systems.
- Password Spraying: Trying a small number of commonly-used passwords to access a large number of accounts.
Users can check whether their password has been exposed in a data breach on sites such as Have I Been Pwned?
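Have I Been Pwned's Pwned Passwords service can be queried without ever sending the password, or even its full hash, off the machine: the client hashes the password with SHA-1, sends only the first five hex characters to the range endpoint, receives every known hash suffix in that range with a breach count, and compares locally. The Python below is an added example, not code from the article or from the service's own client libraries; the endpoint `https://api.pwnedpasswords.com/range/` is the real one, but the offline `sample_fetch` response and its counts are constructed so the example runs without network access.

```python
"""Breach check via the Have I Been Pwned k-anonymity range API.

Added example, not from the original article. Only a 5-character SHA-1 prefix
is sent to the service; the match is made locally on the returned suffixes.
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real endpoint


def split_hash(password: str) -> tuple:
    """Return (5-char prefix, 35-char suffix) of the upper-case SHA-1 hex digest."""
    sha1 = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return sha1[:5], sha1[5:]


def fetch_range(prefix: str) -> str:
    """Live network call: fetch the suffix list for one hash prefix."""
    req = urllib.request.Request(
        RANGE_URL + prefix, headers={"User-Agent": "password-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def parse_range(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into a dict; blank or malformed lines are skipped.
    Entries with a count of 0 are padding the service may add and are kept as 0."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        try:
            counts[suffix.strip().upper()] = int(count.strip())
        except ValueError:
            continue
    return counts


def breach_count(password: str, fetch=fetch_range) -> int:
    """Number of times the password appears in known breaches (0 if unseen).
    `fetch` is injectable so the lookup can be tested offline."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch(prefix)).get(suffix, 0)


def sample_fetch(prefix: str) -> str:
    """Constructed offline stand-in for fetch_range. The first suffix is the
    real suffix of SHA-1('password'); its count and the other two entries are
    made up for illustration."""
    _, pw_suffix = split_hash("password")
    return "\r\n".join([
        f"{pw_suffix}:3730471",
        "0018A45C4D1DEF81644B54AB7F969B88D65:3",
        "011053FD0102E94D6AE2F8B83D76FAF94F6:0",
    ]) + "\r\n"


if __name__ == "__main__":
    # Offline demonstration using the constructed response.
    for pw in ("password", "3redhousemonkeys27"):
        n = breach_count(pw, fetch=sample_fetch)
        print(f"{pw!r}: {'seen %d times' % n if n else 'not in sample data'}")
```

Replace `sample_fetch` with the default `fetch_range` to query the live service; the prefix that leaves the machine is the same either way, which is the whole point of the k-anonymity design.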
How to Improve Password and IT System Security
Having a strong, separate password for each of your online accounts means that if cyber criminals do gain access using one login, they won't have access to every account. The NCSC recommends creating passwords from three random words; numbers and symbols can still be added if required. An example would be '3redhousemonkeys27'. As we mentioned before, never use your personal details to create a password. Passwords are just one way to protect your data; here are some other ways you can improve your system security[4].
Reduce reliance on passwords
Only use passwords where needed, and consider alternatives such as Single Sign-On (SSO), hardware tokens and biometric solutions. Implementing MFA for important accounts adds an extra layer of security to protect your data.
Implement technical solutions
Apply account locking after 5 to 10 failed login attempts to defend against brute force attacks. Blacklisting common passwords prevents users from adopting them.
Secure all passwords
Ensure web applications that require authentication use HTTPS. Prioritise admins, cloud accounts and remote users, ensuring that management systems and user databases are protected. Always choose products and services that protect passwords using known standards such as SHA-256.
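The two server-side controls just described, locking an account after a handful of failed attempts and storing passwords with a known standard, fit together in one small authentication backend. The Python below is an added example, not code from the article or from NCI Technologies. One caveat a practitioner would add: a bare SHA-256 of the password is fast enough to brute-force offline, so "a known standard such as SHA-256" should be read as a salted, deliberately slow construction built on SHA-256; this example uses PBKDF2-HMAC-SHA256 from the standard library, with a per-user random salt and a constant-time comparison. The class name, the iteration count, the lockout threshold and the lockout duration are assumptions.

```python
"""Credential store: salted PBKDF2-HMAC-SHA256 plus account lockout.

Added example, not from the original article. Names and parameters are
assumptions; the lockout threshold follows the article's 5 to 10 attempts.
"""
import hashlib
import hmac
import os
import time
from typing import Optional

ITERATIONS = 600_000     # assumed; current guidance is in the hundreds of thousands
LOCKOUT_THRESHOLD = 5    # failed attempts before the account locks
LOCKOUT_SECONDS = 900    # assumed 15-minute lockout
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, digest). A fresh random salt is drawn when none is supplied."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


class CredentialStore:
    """In-memory user store; `clock` is injectable so lockout expiry is testable."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._users = {}  # username -> record dict

    def register(self, username: str, password: str) -> None:
        salt, digest = hash_password(password)
        self._users[username] = {"salt": salt, "digest": digest,
                                 "failures": 0, "locked_until": 0.0}

    def is_locked(self, username: str) -> bool:
        rec = self._users.get(username)
        return rec is not None and rec["locked_until"] > self._clock()

    def authenticate(self, username: str, password: str) -> str:
        """Return 'ok', 'locked' or 'denied'."""
        rec = self._users.get(username)
        if rec is None:
            # Hash anyway so response time does not reveal whether the user exists.
            hash_password(password, b"\x00" * SALT_BYTES)
            return "denied"
        if rec["locked_until"] > self._clock():
            return "locked"
        _, candidate = hash_password(password, rec["salt"])
        if hmac.compare_digest(candidate, rec["digest"]):
            rec["failures"] = 0
            return "ok"
        rec["failures"] += 1
        if rec["failures"] >= LOCKOUT_THRESHOLD:
            rec["locked_until"] = self._clock() + LOCKOUT_SECONDS
            rec["failures"] = 0
        return "denied"


if __name__ == "__main__":
    # Constructed demonstration: one good login, then enough failures to lock.
    store = CredentialStore()
    store.register("alice", "3redhousemonkeys27")
    print(store.authenticate("alice", "3redhousemonkeys27"))
    for _ in range(LOCKOUT_THRESHOLD):
        print(store.authenticate("alice", "wrong-guess"))
    print(store.authenticate("alice", "3redhousemonkeys27"), "(locked until timeout)")
```

Note that the lockout state is checked before any hashing, so a locked account costs the server nothing per attempt, and that a correct password after the lockout expires resets the failure counter.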
Help users generate strong passwords
Educate staff on the different ways to generate passwords. Password generators can help users create strong passwords and avoid short passcodes. Avoid complexity requirements and artificial caps on password length.
Help users cope with password fatigue
Allow users to store passwords in a password manager, and only ask them to change their passwords if you believe they have been compromised. Avoid password sharing; where it is unavoidable, ensure additional controls are in place.
Invest in staff training
Help users understand password best practice through structured training. This benefits both employees and your organisation, helping to avoid costly mistakes.
Ready to Enhance Your Password Security?
One of the best ways to improve your organisation's password security and ensure your employees don't make costly errors is to implement a company-wide security training campaign. NCI Technologies offers innovative automated email and web-based cybersecurity training for small and medium businesses. For more information on making your users the last line of defence against cybercrime, visit our cybersecurity awareness training page. Alternatively, contact our friendly sales team to see how we can help support your business.
[2] Tessian – How to Hack a Human
[3] NCSC Password Policy – Advice for System Owners Infographic