By Scott Anderson, Manager of Compliance at IT Weapons
Computer passwords first appeared almost 60 years ago, and they have been compromised ever since. While there have been enormous technological improvements in password security since then, passwords continue to be abused, stolen, misused and compromised. Recent investigations and reports highlight that weak or stolen passwords were involved in over 80% of hacking-related breaches in 2017, and a Google study found that 3.3 billion credentials were exposed through third-party breaches in 2017, many as a result of poor password practices.
How Did the Bad Guy Get My Password?
Sadly, most people choose convenience over password security. This leads to weak passwords that attackers do not need to steal because they can simply guess them. Last year, an examination of more than five million passwords leaked on the internet showed that the number one password in use was…wait for it…“123456”. Number two on the list: the iconic and simple “password”.
Third-party breaches are the other big source. Every application or service we access online requires a password. I counted, and I have 62 passwords, not including work-related ones. One study found that the average business employee has to keep track of 191 passwords. Online services and applications are breached on a regular basis, handing criminals large lists of email address and password combinations that they can abuse.
Because we all have so many passwords to remember, we tend to reuse them across services. If someone knows my email address and password for XYZ.com, they can try the same combination on ABC.com, and it might work; attackers automate this against millions of leaked combinations at once, a technique known as credential stuffing. A study on password habits showed that 73 percent of online accounts used duplicate passwords, and that over 50% of users had five or fewer passwords for all of their online accounts, which is a serious password security mistake. It gets scarier when passwords are shared between work and personal use.
Even worse, attackers who steal a password database usually get password hashes rather than the passwords themselves, and they can use cracking tools such as hashcat or John the Ripper on high-performance GPUs to recover the passwords by guessing: hash each guess and compare it with the stolen hashes. How long that takes depends on how the passwords were hashed; when a site used an unsalted, fast hash, a file of 500 8-character password hashes can be cracked in a matter of hours or less, whereas a salted, deliberately slow hash such as bcrypt or Argon2 forces the attacker to pay a real cost for every guess against every user. These cracking tools and their dictionaries and rule sets were built with an understanding of how we generally use passwords. They know that we usually capitalise the first letter, add numbers or symbols at the end, and replace an E with 3 or an a with @.
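To make the rule-based guessing concrete, here is a small Python cracker written for this article (it is an added example, not a tool from the original post). It applies the three habits just described to a five-word dictionary and tests every candidate against a constructed set of unsalted SHA-256 hashes. The target plaintexts and the wordlist are invented for the demo; a real cracker would use the RockYou dictionary and thousands of rules, but the mechanism is the same.

```python
import hashlib

# Constructed demo targets (unsalted SHA-256). Three follow the habits the
# article describes; the fourth is a multi-word passphrase that no single
# dictionary word plus rules will produce. The cracker never sees this list,
# only the hashes derived from it.
PLAINTEXTS_FOR_DEMO = [
    "Summer2017!",
    "P@$$w0rd",
    "welcome123",
    "orange-tractor-velvet-quartz",
]

# Tiny constructed wordlist standing in for a real dictionary.
WORDLIST = ["summer", "password", "welcome", "dragon", "monkey"]

# Mangling rules: leet substitutions and the suffixes people bolt on.
LEET = str.maketrans({"a": "@", "e": "3", "o": "0", "i": "1", "s": "$"})
SUFFIXES = ["", "1", "123", "!", "2017", "2017!"]


def sha256_hex(s: str) -> str:
    """Hash a candidate the way the (weak) target system did: no salt."""
    return hashlib.sha256(s.encode("utf-8")).hexdigest()


TARGET_HASHES = [sha256_hex(p) for p in PLAINTEXTS_FOR_DEMO]


def mangle(word: str):
    """Yield candidates derived from one dictionary word: as-is, first letter
    capitalised, leet-substituted, or both, each with every common suffix."""
    bases = {
        word,
        word.capitalize(),
        word.translate(LEET),
        word.capitalize().translate(LEET),
    }
    for base in sorted(bases):
        for suffix in SUFFIXES:
            yield base + suffix


def crack(hashes, wordlist):
    """Return ({hash: recovered_plaintext}, number_of_guesses).

    Because the hashes are unsalted, one hash computation is checked against
    every target at once; with per-user salts the attacker would have to
    repeat the whole run for each user."""
    remaining = set(hashes)
    found = {}
    guesses = 0
    for word in wordlist:
        for candidate in mangle(word):
            guesses += 1
            h = sha256_hex(candidate)
            if h in remaining:
                found[h] = candidate
                remaining.discard(h)
                if not remaining:
                    return found, guesses
    return found, guesses


if __name__ == "__main__":
    recovered, n = crack(TARGET_HASHES, WORDLIST)
    print(f"{len(recovered)} of {len(TARGET_HASHES)} hashes recovered in {n} guesses")
    for h, pw in recovered.items():
        print(f"  {h[:12]}...  {pw}")
```

Three of the four hashes fall to at most 120 guesses; the random-word passphrase survives because no rule turns a dictionary word into it. Swap `sha256_hex` for a salted bcrypt or Argon2 call and the same loop has to run separately per user at milliseconds per guess, which is the whole point of choosing a slow password hash.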
What Can Be Done?
A password policy is one of the best ways to improve password security. Require that employees use long passwords; length does far more against the cracking tools described above than a mandatory digit or symbol does. Better still, encourage passphrases instead of passwords: several unrelated words are both long and easier to remember.
How can we remember long passphrases for 50 different websites? Use a password manager. There are a number of reputable password managers for personal and professional use, some free and some paid, and they are one of the best ways to handle this problem. The trade-off of keeping all your passwords in one place is that a compromise of the manager itself exposes everything, but you can mitigate this by protecting the vault with one very long, hard-to-guess passphrase (and a second factor where the tool supports it), by carefully evaluating which tool you use, or by implementing an on-premises system in your organisation.
Using multifactor authentication (MFA) is another great way to limit the damage a stolen password can cause. With MFA the user must present a password and a second, independent factor to access a system, so a stolen password alone is not enough. Most online services offer this today, whether as a code sent by text message or one generated by an authenticator app (Google Authenticator, Microsoft Authenticator). Text-message codes can be intercepted or redirected through a SIM swap, so prefer an authenticator app or a hardware token where you can. Within your organisation there are multiple options; at a minimum, ensure employees use MFA when connecting to your network remotely or accessing critical systems.
Monitor the accounts in your organisation, especially those with administrative access or access to sensitive information: if those passwords are compromised, they give criminals much deeper access into your network. You can also monitor whether credentials belonging to your employees turn up in breach dumps or for sale on the web or dark web, and make sure they are changed before they can be abused.
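One practical way to check a password against the public breach corpora without ever sending the password anywhere is the k-anonymity range query offered by Have I Been Pwned's Pwned Passwords service: the client sends only the first five hex characters of the password's SHA-1 and matches the returned suffixes locally. The Python below is an added example, not code from the original post or from HIBP; the API endpoint and the `Add-Padding` header are real, but the sample response body and its counts are constructed so the demo runs offline.

```python
import hashlib
import urllib.request

# Real endpoint: GET /range/<first 5 hex chars of uppercase SHA-1>.
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str):
    """Split the uppercase hex SHA-1 into the 5-char prefix that is sent and
    the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}. Padded responses
    include filler entries with a count of 0, which are dropped."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def breach_count(password: str, range_body: str) -> int:
    """Number of times the password appears in the corpus behind the given
    range response (0 means not seen)."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix: str, timeout: float = 5.0) -> str:
    """Live lookup (not exercised by the offline demo). Add-Padding asks the
    service to pad the response so its size does not reveal the prefix."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"User-Agent": "password-policy-check", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def is_breached(password: str) -> bool:
    """Live check: True if the password has appeared in a known breach."""
    prefix, _ = sha1_prefix_suffix(password)
    return breach_count(password, fetch_range(prefix)) > 0


# Constructed sample response for prefix 5BAA6 (SHA-1("password") begins with
# 5BAA6). The other suffixes and all counts are invented for the demo.
SAMPLE_RANGE_5BAA6 = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1D72CD07550416C216D8AD296BF5C0AE8E0:10
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E5FC0D7A8DFC5EF6E1A8B0D0B4D5C3F1A9:0
"""


if __name__ == "__main__":
    for pw in ["password", "orange-tractor-velvet-quartz"]:
        prefix, _ = sha1_prefix_suffix(pw)
        n = breach_count(pw, SAMPLE_RANGE_5BAA6) if prefix == "5BAA6" else 0
        print(f"{pw!r}: seen {n} times (prefix sent: {prefix})")
```

Wire `is_breached` into the password-change flow or into a periodic audit of service accounts, and treat any non-zero count as a reason to reject or rotate the password. The suffix never leaves your system, so the check is safe to run on live credentials.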
For more information on our security assessment and training solutions, let us know!