123456. Qwerty. Letmein. Is one of these your password? If it is, you're in big trouble!
But even if you didn't pick something so glaringly obvious, chances are your password isn't as strong as it should be. Computer and information security are only as strong as their weakest link, and in this article, we're exposing a weak link that affects everyone in an organization: passwords.
Despite the time and money your business might invest in IT, employee passwords are a very real vulnerability. Your computer security efforts can only protect sensitive information and personal data when strong passwords or passphrases are in place and employees are educated about information security. Especially remote employees and security issues that arise from working from.
Everyone online today has heard of the dangers of identity theft, hacking, and cyber fraud. Yet a 2016 study found that the two most commonly used passwords are the aforementioned "123456" and "password."
The list of most common passwords rounds out its top 10 with 12345678, 1234, 12345, qwerty, dragon, pu**y (fun fact–men are more likely to use obscenity in their passwords), baseball, and football. The familiar "letmein" ranked number 11.
So if one of those is your password, you're not alone. But that's not a good thing. And for businesses with employees using these predictable passwords, it can mean big trouble. Let's take a closer look at the risk this represents and set you up with some strategies for better password security.
"We have seen an effort by many people to be more secure by adding characters to passwords, but if these longer passwords are based on simple patterns they will put you in just as much risk of having your identity stolen by hackers."
SplashData
Data breaches are reported daily. In 2016, the number of stolen credentials reached new records, with more than 3.3 billion records compromised due to methods such as breaches of company databases, malware injected directly onto users' devices, and successful phishing attempts.
The study further reported 9 out of 10 login attempts on many web and mobile applications could be attributed not to legitimate users, but rather to cybercriminals using automation to rapidly test millions of credentials.
And yet while cyber criminals are upping their game, adapting quickly, and even sharing information to turn any available data into profit, many computer users continue to believe they are unlikely to be hacked. Thus, they don't bother to select secure passwords. Some are even content to leave the factory-set default passwords unchanged, which can leave network and crucial infrastructure at risk.
At this point, the average user has 25 online logins across many different platforms. Think about all the accounts you use on a daily basis: your work computer, your Facebook account, email, banking, the list goes on.
Do you have a distinct password for all of these accounts? Probably not. Plus, super-secure passwords are often also super-difficult to remember. Even so, the inconvenience of using a tricky password is far outweighed by the risk to your company of using an easy one.
Tip: Regularly check that all default passwords have been changed on all system devices and software, prioritizing essential infrastructures such as routers, firewalls, and wireless access points.
Poor passwords are a major issue, not just in the US but around the world. After all, hackers and cybercriminals aren't slowing down their efforts at online crime — if anything they're getting savvier with malicious websites, ransomware, phishing attacks, and more.
According to Symantec's 2019 Internet Security Threat Report (ISTR), "cyber criminals revealed new levels of ambition in 2016" via international bank heists, disrupted elections, and state-sponsored attacks.
And though it's a global problem, the US is a high-value target. According to Norton's 2019 Cyber Security Insights Report, "The United States is the most susceptible developed country for cyberattacks, where 39 percent of Americans personally experienced cybercrime within the past year, compared to 31 percent of people globally."
Symantec's Global Intelligence Network is the largest civilian threat intelligence network in the world, recording events from 123 million attack sensors worldwide, blocking 142 million threats daily, and monitoring threat activities in more than 157 countries.
Business IT teams also face the challenge of securing a range of services. Consider ISTR's finding that "CIOs have lost track of how many cloud apps are at use in their organizations: their guess was 40, when in reality the number nears 1,000."
Compounding this risk is the fact that employees, who may not value security in the same manner as these overwhelmed CIOs, are regularly accessing these ungoverned apps. It's a lot to manage, and even more of a reason why you should care about password security and work to adopt best practices among your team.
Tip: Only implement passwords when they are necessary to reduce the burden on staff. Then, implement a sanctioned method of storing recorded passwords, to help users manage password overload.
Alright, so you know the risks. Now how do you make your passwords (and those of your employees) more secure?
We like the rules the Massachusetts Institute of Technology (MIT) security team has in place for users setting new, strong passwords. Your team can implement something similar:
MIT also offers some great tips for creating an effectively strong password. These include:
You should also change passwords regularly—at least once a year. Changing your password every few months can provide even better protection against hackers.
Using a secure password manager can help you keep track of unique passwords and remind you when it's time to update them. Here's a great explainer on password managers and some suggested tools to help you keep up with them, like Dashlane, which is a favorite here at RedTeam Security.
Tip: Use account lockout, allowing users a set number of login attempts only, and protective monitoring to identify possible brute-force attacks.
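The lockout and monitoring tip above, sketched as an added example (not code from this article or from RedTeam Security): a per-account failure counter that locks the account, plus a per-source count of distinct failing accounts to surface automated credential testing. The thresholds, class name, and login events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Assumed policy values; the article does not give numbers.
MAX_FAILURES = 5     # failed attempts allowed per account inside WINDOW
WINDOW = 900         # seconds over which failures are counted
LOCKOUT = 1800       # seconds an account stays locked
SPRAY_ACCOUNTS = 4   # distinct accounts failing from one source inside WINDOW

class LoginMonitor:  # hypothetical helper, not a real library class
    def __init__(self):
        self.failures = defaultdict(deque)  # user -> timestamps of recent failures
        self.sources = defaultdict(dict)    # source -> {user: last failure time}
        self.locked_until = {}              # user -> time the lock expires

    def record(self, ts, user, source, success):
        """Process one login event and return the alerts it raises."""
        if self.locked_until.get(user, 0) > ts:
            return [f"rejected: {user} locked"]  # even a correct password waits
        if success:
            self.failures[user].clear()
            return []
        alerts = []
        fails = self.failures[user]
        fails.append(ts)
        while fails[0] <= ts - WINDOW:           # drop failures outside the window
            fails.popleft()
        if len(fails) >= MAX_FAILURES:
            self.locked_until[user] = ts + LOCKOUT
            alerts.append(f"lockout: {user}")
        seen = self.sources[source]
        seen[user] = ts
        recent = {u for u, t in seen.items() if t > ts - WINDOW}
        if len(recent) >= SPRAY_ACCOUNTS:        # one source, many accounts
            alerts.append(f"many accounts failing from {source}")
        return alerts

# Constructed events: (seconds, user, source address, success)
EVENTS = [(t, "alice", "203.0.113.5", False) for t in (0, 10, 20, 30, 40)]
EVENTS += [(60, "alice", "192.0.2.10", True)]
EVENTS += [(100 + i, u, "198.51.100.7", False)
           for i, u in enumerate(["bob", "carol", "dave", "erin"])]
EVENTS += [(200, "bob", "192.0.2.11", True)]

def run(events):
    monitor = LoginMonitor()
    return [a for e in events for a in monitor.record(*e)]
```

The second pattern never trips a per-account lockout, because each account sees only one failure; counting distinct accounts per source is what catches it.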
No matter how long and complex the password, it doesn't protect against the human element. Attackers can discover a password by intercepting it as it's transmitted over a network or through social engineering—tricking a target into thinking the attacker is something or someone he's not.
Employees are downloading new malware every four seconds, according to Check Point research, which also found phishing attacks rising in volume and impacting 80% of the businesses surveyed.
Email phishing and social engineering can trick your employees into divulging sensitive information that can subsequently be used for illicit access to mail, shared files, sensitive data, licensed software and more. Social engineering works because it typically involves psychological manipulation: the communication might invoke urgency, sympathy, or fear to lead the victim to reveal information, click a malicious link, or open an attachment with malicious content.
In fact, most malware isn't very "smart" at all! Only 3% of the malware Symantec encounters is technically minded. The other 97% tries to trick users through a social engineering scheme (e.g. it looks like it comes from within the organization, or a vendor the employee might trust).
In 2014, for instance, a prevalent social engineering scam was one for a fake Dropbox password reset telling users their browsers were out of date and needed to be updated; doing so launched malware. It's a common tactic from malevolent parties, who often try to engage your employees by pretending to be vendors, business partners, or even family members. Ugh!
According to Symantec's ISTR, businesses were at risk of Business Email Compromise (BEC) scams, which targeted over 400 businesses every day in 2016 and drained $3 billion over the last three years. That's a whole lotta cash lost to bogus emails.
Unknown malware downloads rose over 900% in 2016 with more than 970 downloads per hour compared to 106 previously. — Check Point
And there's one more thing that may be putting your password at risk: social media. Those family wall posts and cute photos of your cat can actually work against you; password hints that require a pet name, high school mascot or mother's maiden name have become increasingly easy to compromise thanks to channels like Facebook.
The best defense? Educate your employees. Teach team members the warning signs when getting an email, phone call, or site visit asking for sensitive information while purporting to be credible by using information readily available on the internet.
Tip: Support password policies with user training that steers them away from predictable passwords, educates them about risks, helps them recognize phishing emails, and emphasizes the need to protect important information assets.
The late cryptographer Robert Morris offered the following sage advice: "The three golden rules to ensure computer security are: do not own a computer, do not power it on, and do not use it" ("A Short," 2017).
Funny—and scarily accurate. Unfortunately, it's not feasible in our modern world.
That's why many organizations benefit from the computer security insights of outsiders who can see the business's information security efforts from a fresh perspective. RedTeam Security can test your web applications for vulnerabilities to help enhance your security posture, identify network penetration risks, and test for social engineering to provide an overarching view of the real-world security risks at your particular organization. Schedule a free consultation to learn more!