123456. Qwerty. Letmein. Is one of these your password? If it is, you’re in big trouble!
But even if you didn’t pick something so glaringly obvious, chances are your password isn’t as strong as it should be. Computer and information security are only as strong as their weakest link, and in this article we’re exposing a weak link that affects everyone in an organization: passwords.
Despite the time and money your business might invest in IT, employee passwords are a very real vulnerability. Your computer security efforts can only protect sensitive information and personal data when strong passwords or pass phrases are in place and employees are educated about information security.
Everyone online today has heard of the dangers of identity theft, hacking, and cyber fraud. Yet a 2016 study found that the two most commonly used passwords are the aforementioned “123456” and “password.”
The list of most common passwords rounds out its top 10 with 12345678, 1234, 12345, qwerty, dragon, pu**y (fun fact: men are more likely to use obscenity in their passwords), baseball, and football. The familiar “letmein” ranked number 11.
So if one of those is your password, you’re not alone. But that’s not a good thing. And for businesses with employees using these predictable passwords, it can mean big trouble. Let’s take a closer look at the risk this represents and set you up with some strategies for better password security.
“We have seen an effort by many people to be more secure by adding characters to passwords, but if these longer passwords are based on simple patterns they will put you in just as much risk of having your identity stolen by hackers.” — SplashData
How are passwords compromised?
Data breaches are reported daily. In 2016, the number of stolen credentials reached new records, with more than 3.3 billion records compromised due to methods such as breaches of company databases, malware injected directly onto users’ devices, and successful phishing attempts.
The study further reported 9 out of 10 login attempts on many web and mobile applications could be attributed not to legitimate users, but rather to cybercriminals using automation to rapidly test millions of credentials.
There are many ways passwords can be compromised:
- Someone with malevolent intent can target an individual employee or your business in order to access personal or business accounts.
- Criminals might employ social engineering (like phishing or employing mirror sites).
- Hackers guess credentials using information many rely on to form the password such as name, date of birth, or pet name.
- Criminals can find passwords stored insecurely onsite (e.g. written on a sticky note affixed to a desktop or hidden close to the device).
- Hackers may attempt to access the business system via a brute-force attack, which systematically runs through all password possibilities until an opening is found.
- Fraudsters might install a key logger to intercept passwords as they are entered into a device or search the IT infrastructure for electronically stored password information.
Yikes! That’s a lot to deal with.
And yet while cyber criminals are upping their game, adapting quickly, and even sharing information to turn any available data into profit, many computer users continue to believe they are unlikely to be hacked. Thus, they don’t bother to select secure passwords. Some are even content to leave the factory-set default passwords unchanged, which can leave network and crucial infrastructure at risk.
At this point, the average user has 27 online logins across many different platforms. Think about all the accounts you use on a daily basis: your work computer, your Facebook account, email, banking; the list goes on.
Do you have a distinct password for all of these accounts? Probably not. Plus, super-secure passwords are often also super-difficult to remember. Even so, the inconvenience of using a tricky password is far outweighed by the risk to your company of using an easy one.
Tip: Regularly check that all default passwords have been changed on all system devices and software, prioritizing essential infrastructure such as routers, firewalls, and wireless access points.
Poor Passwords = Big Trouble
Poor passwords are a major issue, not just in the US but around the world. After all, hackers and cybercriminals aren’t slowing down their efforts at online crime — if anything they’re getting more savvy with malicious websites, ransomware, phishing attacks and more.
According to Symantec’s 2017 Internet Security Threat Report (ISTR), “cyber criminals revealed new levels of ambition in 2016” via international bank heists, disrupted elections and state-sponsored attacks.
And though it’s a global problem, the US is a high-value target. According to Norton’s 2016 Cyber Security Insights Report, “The United States is the most susceptible developed country for cyberattacks, where 39 percent of Americans personally experienced cybercrime within the past year, compared to 31 percent of people globally.”
Cybercriminals launched over one million web attacks against Internet users every day in 2015. — Symantec
Business IT teams also face the challenge of securing a range of services. Consider ISTR’s finding that “CIOs have lost track of how many cloud apps are at use in their organizations: their guess was 40, when in reality the number nears 1,000.”
Compounding this risk is the fact that employees, who may not value security in the same manner as these overwhelmed CIOs, are regularly accessing these ungoverned apps. It’s a lot to manage, and even more of a reason why you should care about password security and work to adopt best practices among your team.
Tip: Only require passwords where they are necessary, to reduce the burden on staff. Then implement a sanctioned method of storing recorded passwords, to help users manage password overload.
Alright, so you know the risks. Now how do you make your passwords (and those of your employees) more secure?
We like the rules the Massachusetts Institute of Technology (MIT) security team has in place for users setting new, strong passwords. Your team can implement something similar:
- It must be different from your current password.
- It must be 8 characters or longer.
- It must not be a word that appears in the dictionary.
- It must contain characters from at least two different character classes (upper- and lower-case letters, letters and symbols, letters and numbers, etc.).
MIT also offers some great tips for creating an effectively strong password. These include:
- Remove all the vowels from a short phrase in order to create a “word.” Example: llctsrgry (“All cats are gray”).
- Mix letters and non-letters in your passwords. (Non-letters include numbers and all punctuation characters on the keyboard.)
- Transform a phrase by using numbers or punctuation. Examples: Idh82go (I’d hate to go), UR1drful (you are wonderful).
- Add random capitalization to your passwords. Capitalize any letter but the first.
- Use a random mix of alphabetical, numeric and symbolic characters. Examples: eIeIoH!, o.U.Kid.
- Use long word and number combinations. For example, take four words and put some numbers between them: stiff3open92research12closer.
- Use an acronym for your favorite saying, or a song you like. Examples: GykoR-66 (Get your kicks on Route 66) or L!fNYisn! (Live! From New York it’s Saturday Night!) (“Strong Passwords,” 2016).
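The four MIT rules above are easy to turn into a policy check; the following is an added example written for this article, not MIT’s or RedTeam’s own code, and it goes one step further than the rules by undoing common digit-for-letter swaps before the dictionary test. The tiny dictionary and the leet-substitution table are constructed assumptions; a real deployment would load a full wordlist or breached-password list.

```python
import string

# Constructed mini dictionary standing in for a real wordlist (assumption:
# a deployment would load e.g. a system dictionary or a breached-password list).
DICTIONARY = {"password", "dragon", "baseball", "football", "letmein",
              "qwerty", "research", "closer", "monkey", "welcome"}

# Common single-character substitutions; reversing them catches "p4ssw0rd",
# the predictable "swap an e for a 3" gambit rather than treating it as novel.
LEET = str.maketrans("4301$@!5", "aeolsais")

CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}

def character_classes(pw):
    """Return the set of character-class names present in pw."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in pw)}

def is_dictionary_word(pw, dictionary=DICTIONARY):
    """True if pw, case-folded, is a dictionary word directly or after undoing leet swaps."""
    folded = pw.lower()
    return folded in dictionary or folded.translate(LEET) in dictionary

def check_password(candidate, current="", dictionary=DICTIONARY):
    """Apply the four MIT rules; return the list of violated rules (empty means accepted)."""
    problems = []
    if candidate == current:
        problems.append("same as current password")
    if len(candidate) < 8:
        problems.append("shorter than 8 characters")
    if is_dictionary_word(candidate, dictionary):
        problems.append("dictionary word")
    if len(character_classes(candidate)) < 2:
        problems.append("fewer than two character classes")
    return problems

if __name__ == "__main__":
    # Run the article's own sample passwords through the rules.
    for pw in ["llctsrgry", "Idh82go", "UR1drful", "GykoR-66", "p4ssw0rd",
               "stiff3open92research12closer"]:
        verdict = check_password(pw, current="password")
        print(f"{pw:30} {'OK' if not verdict else ', '.join(verdict)}")
```

Running it shows that some of the memorability tricks above do not by themselves satisfy the rules: llctsrgry uses only one character class and Idh82go is shorter than eight characters, so the tricks need to be combined.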
You should also change passwords regularly—at least once a year. Changing your password every few months can provide even better protection against hackers.
Using a secure password manager can help you keep track of unique passwords and remind you when it’s time to update them. Here’s a great explainer on password managers and some suggested tools to help you keep up with them, like Dashlane, which is a favorite here at RedTeam.
Tip: Use account lockout, allowing users a set number of login attempts only, and protective monitoring to identify possible brute-force attacks.
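Account lockout and protective monitoring are two separate signals, and the automated credential testing described earlier often spreads attempts across many accounts so that no single account trips the lockout counter. The script below is an added example, not RedTeam’s tooling; it reads constructed syslog-style lines (the format, threshold and window are assumptions) and flags per-account lockouts, source addresses failing against several different accounts, and any success that follows a lockout.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a simple syslog-like shape (not from any real system).
SAMPLE_LOG = """\
2017-03-01T09:00:01 sshd FAILED user=alice src=203.0.113.7
2017-03-01T09:00:03 sshd FAILED user=alice src=203.0.113.7
2017-03-01T09:00:04 sshd FAILED user=alice src=203.0.113.7
2017-03-01T09:00:06 sshd FAILED user=alice src=203.0.113.7
2017-03-01T09:00:08 sshd FAILED user=alice src=203.0.113.7
2017-03-01T09:00:09 sshd ACCEPTED user=alice src=203.0.113.7
2017-03-01T09:05:00 sshd FAILED user=bob src=198.51.100.9
2017-03-01T09:05:01 sshd FAILED user=carol src=198.51.100.9
2017-03-01T09:05:02 sshd FAILED user=dave src=198.51.100.9
2017-03-01T10:30:00 sshd FAILED user=erin src=192.0.2.5
2017-03-01T11:30:00 sshd FAILED user=erin src=192.0.2.5
"""

MAX_FAILURES = 5                # assumed lockout threshold per account
WINDOW = timedelta(minutes=10)  # assumed sliding window for counting failures
SPRAY_ACCOUNTS = 3              # assumed number of distinct accounts that marks spraying

def parse(line):
    """Split one constructed log line into (timestamp, result, user, source IP)."""
    ts, _, result, user, src = line.split()
    return datetime.fromisoformat(ts), result, user.split("=", 1)[1], src.split("=", 1)[1]

def analyze(log_text):
    """Return (locked_accounts, spraying_sources, successes_after_lockout)."""
    failures = defaultdict(list)   # user -> timestamps of failures inside WINDOW
    per_source = defaultdict(set)  # src -> accounts it has failed against
    locked, after_lockout = set(), []
    for line in log_text.splitlines():
        ts, result, user, src = parse(line)
        if result == "ACCEPTED":
            if user in locked:            # a lockout that should have blocked this login
                after_lockout.append((user, src))
            continue
        per_source[src].add(user)
        recent = [t for t in failures[user] if ts - t <= WINDOW] + [ts]
        failures[user] = recent           # drop failures that aged out of the window
        if len(recent) >= MAX_FAILURES:
            locked.add(user)
    spraying = {s for s, users in per_source.items() if len(users) >= SPRAY_ACCOUNTS}
    return locked, spraying, after_lockout

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

In the sample, erin's two failures an hour apart never reach the threshold, while 198.51.100.9 never trips a lockout yet is still caught because it touched three accounts.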
Social Engineering and Password Threats
No matter how long and complex the password, it doesn’t protect against the human element. Attackers can discover a password by intercepting it as it’s transmitted over a network or through social engineering—tricking a target into thinking the attacker is something or someone he’s not.
Employees are downloading new malware every four seconds, according to Check Point research, which also found phishing attacks rising in volume and impacting 80% of the businesses surveyed.
Email and phishing social engineering can target your employees to divulge sensitive information that can be used subsequently for illicit access of mail, shared files, sensitive data, licensed software and more. Social engineering works because it typically involves psychological manipulation — the communication might invoke urgency, sympathy, or fear to lead the victim to reveal information, click a malicious link, or open an attachment with malicious content.
In fact, most malware isn’t very “smart” at all! Only 3% of the malware Symantec encounters is technically minded. The other 97% tries to trick users through a social engineering scheme (e.g. it looks like it comes from within the organization, or from a vendor the employee might trust).
In 2014, for instance, a prevalent social engineering scam was a fake Dropbox password reset telling users their browsers were out of date and needed to be updated; doing so launched malware. It’s a common tactic from malevolent parties, who often try to engage your employees by pretending to be vendors, business partners, or even family members. Ugh!
According to Symantec’s ISTR, businesses were at risk of Business Email Compromise (BEC) scams, which targeted over 400 businesses every day in 2016 and drained $3 billion over the last three years. That’s a whole lotta cash lost to bogus emails.
Unknown malware downloads rose over 900% in 2016 with more than 970 downloads per hour compared to 106 previously. — Check Point
And there’s one more thing that may be putting your password at risk: social media. Those family wall posts and cute photos of your cat can actually work against you; password hints that require pet name, high school mascot or mother’s maiden name have become increasingly easy to compromise thanks to channels like Facebook.
The best defense? Educate your employees. Teach team members to recognize the warning signs of an email, phone call, or site visit that asks for sensitive information while appearing credible by using information readily available on the internet.
Tip: Support password policies with user training that steers users away from predictable passwords, educates them about the risks, helps them recognize phishing emails, and emphasizes the need to protect important information assets.
Summing It Up
The late cryptographer Robert Morris offered the following sage advice: “The three golden rules to ensure computer security are: do not own a computer, do not power it on, and do not use it” (“A Short,” 2017).
Funny—and scarily accurate. Unfortunately, it’s not feasible in our modern world.
That’s why many organizations benefit from the computer security insights of outsiders who can see the business’s information security efforts from a fresh perspective. RedTeam Security can test your web applications for vulnerabilities to help enhance your security posture, identify network penetration risks, and test for social engineering to provide an overarching view of the real-world security risks at your particular organization. Schedule a free consultation to learn more!
Fun Facts about Passwords
- Fernando Corbató is recognized as the founder of the modern computer password. He developed the password concept to help keep individual files private on MIT’s shared common mainframe in the 1960s.
- Bill Gates declared the password dead back in 2004 — guess prognostication isn’t his strongpoint.
- An analysis of 11 million stolen passwords found the same 20 passwords constituted 10.3% of the passwords in use.
- Combining alpha and numeric characters dramatically increases security. A string of nine letters can be cracked in milliseconds. Adding a single letter can take a password cracker nearly four decades (unless you’ve simply swapped an e for a 3; that’s a predictable gambit that will be guessed more quickly).
- Passwords ride the trends too; Star Wars-related passwords were big in 2015 for instance.
- Women suffer hacking more often than men, as they tend to use words found in a dictionary. Men, meanwhile, are more likely to use obscene words or sex vocabulary.