By Bill Minahan | August 7, 2019 | 0 Comments
One of the largest security threats companies face is weak passwords. Employees at all levels of a company, executives included, are guilty of using obvious and recycled passwords.
Passwords are the first barrier preventing hackers from getting into your accounts, so it’s essential that they are strong enough to protect your data and your customers’ data. When a hacker cracks a weak password, they don’t just gain access to an individual account or device; from that foothold they can work their way into your entire private network.
A weak password is one that’s easy to guess, whether by a person who knows a little about you or by cracking software. The “strong password” rules most companies enforce today are not nearly enough.
80% of adults reuse passwords, which is a major security vulnerability. However strong a reused password is, it could already have been compromised somewhere else. Hundreds of millions of people have had their personal information stolen in data breaches this year alone, and those credentials could already be for sale on the dark web. Unless a password is unique to each account you hold, treat it as a weak password.
Additionally, if your employees use the password for their work computers elsewhere online, especially over unsecured networks offering free Wi-Fi (a coffee house or a retail store, for example), they’re putting your organization’s security at risk: a breach of that other site, or interception on that network, now exposes your credentials too.
Passwords should never include names, numbers, or words you identify with: nothing from your email address, your child’s name, a birthday, a pet, and so on. That information is readily available online to anyone who cares to look. In fact, you shouldn’t use dictionary words at all unless the password is a passphrase of five words or more.
People can’t be expected to create and remember dozens of unique, complex passwords, and they shouldn’t have to. Password manager services generate strong, unique passwords for you and store them securely.
If your company isn’t utilizing these tools, it’s at risk.
How often a password needs to be changed depends on how strong it is in the first place, which brings us to the next sign of a weak password: length.
A strong password should be at least 20 characters long and include uppercase and lowercase letters, numbers, and special characters. A password of 8 characters or fewer can be cracked in 58 seconds by cracking software that is freely available on the internet once an attacker has obtained the password hashes; the exact time depends on the hashing algorithm in use and the hardware thrown at it, but it is measured in seconds or minutes, not years. We recommend passwords be 20 characters long and changed every 3 to 6 months. Weak passwords should be changed far more frequently.
Technically, any password, weak or strong, can be cracked. A keyboard offers a finite set of characters, so the set of possible passwords of a given length is finite, and yours is one point in it. With today’s computing power, trillions of combinations can be tried alarmingly fast. Length matters because every extra character multiplies the space an attacker has to search.
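To make the rules above concrete (the 20-character and character-class requirement, the five-word passphrase alternative, no personal tokens, nothing already breached) and to put numbers on the finite-keyspace argument, here is an added example policy checker with a brute-force cost estimate. It is not code from the original article. The breach list, the personal-token list, the 7776-word passphrase dictionary size and the guess rate of 10^14 per second are constructed assumptions for the example; at that assumed rate, exhausting the keyspace of an 8-character password drawn from all four character classes takes about a minute, the same order as the figure quoted above.

```python
"""Password policy check plus a brute-force cost estimate (added example).

Not code from the original article. The breach corpus, personal tokens,
word-list size and guess rate are constructed assumptions.
"""
import hashlib
import math
import string

SYMBOLS = set(string.punctuation)      # 32 printable ASCII symbols
PASSPHRASE_WORDLIST_SIZE = 7776        # assumption: Diceware-sized word list
MIN_LENGTH = 20
MIN_PASSPHRASE_WORDS = 5

# Constructed breach corpus: SHA-1 of a few passwords that recur in dumps.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("password", "123456", "qwerty", "letmein", "Summer2019!")
}


def character_classes(pw):
    """Return the set of character classes present in pw."""
    classes = set()
    for c in pw:
        if c.islower():
            classes.add("lower")
        elif c.isupper():
            classes.add("upper")
        elif c.isdigit():
            classes.add("digit")
        elif c in SYMBOLS:
            classes.add("symbol")
    return classes


def alphabet_size(pw):
    """Size of the alphabet an attacker must search for a password shaped like pw."""
    sizes = {"lower": 26, "upper": 26, "digit": 10, "symbol": len(SYMBOLS)}
    return sum(sizes[c] for c in character_classes(pw))


def is_passphrase(pw):
    """Five or more whitespace-separated alphabetic words."""
    words = pw.split()
    return len(words) >= MIN_PASSPHRASE_WORDS and all(w.isalpha() for w in words)


def keyspace(pw):
    """Number of candidates in the search space pw belongs to (words^n or alphabet^len)."""
    if is_passphrase(pw):
        return PASSPHRASE_WORDLIST_SIZE ** len(pw.split())
    return alphabet_size(pw) ** len(pw)


def brute_force_seconds(pw, guesses_per_second=1e14):
    """Time to exhaust the whole keyspace at an assumed (constructed) guess rate."""
    return keyspace(pw) / guesses_per_second


def evaluate(pw, personal_tokens=()):
    """Apply the policy; return (ok, reasons). Breach and personal-token checks
    apply to everything, length and class checks only to non-passphrases."""
    reasons = []
    if hashlib.sha1(pw.encode()).hexdigest() in BREACHED_SHA1:
        reasons.append("found in breach corpus; reused or leaked")
    low = pw.lower()
    for tok in personal_tokens:
        if len(tok) >= 3 and tok.lower() in low:
            reasons.append(f"contains personal token {tok!r}")
    if not is_passphrase(pw):
        if len(pw) < MIN_LENGTH:
            reasons.append(f"{len(pw)} characters; policy wants {MIN_LENGTH}")
        missing = {"lower", "upper", "digit", "symbol"} - character_classes(pw)
        if missing:
            reasons.append("missing character classes: " + ", ".join(sorted(missing)))
    return (not reasons, reasons)


if __name__ == "__main__":
    for candidate in ("Tr0ub4d!", "Tr0ub4dor!", "Xk9#mQ2$vL7&pR4!wZ1@",
                      "copper lantern drifts over quiet meadow"):
        ok, why = evaluate(candidate, personal_tokens=("Rex",))
        print(f"{candidate!r}: ok={ok} bits={math.log2(keyspace(candidate)):.1f} "
              f"exhaust={brute_force_seconds(candidate):.3g}s {why}")
```

The estimate is the attacker’s worst case (the whole keyspace); a real cracker tries likely candidates first, so a breached or personal-info password falls long before its keyspace would suggest, which is why those two checks run regardless of length.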
This kind of guessing is known as a brute-force attack (or brute-force login): the attacker tries candidate passwords one after another until one works. Your company should run software that detects a brute-force attack while it is underway and takes direct action to block it, notify administrators, or both.
Ideally, an account should be locked out after too many consecutive failed login attempts. Unfortunately, many companies still don’t have this basic control in place.
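The detection and lockout behaviour just described, as an added example that is not code from the original article. It replays a constructed authentication log (the line format, the thresholds, the five-minute window and every event in it are assumptions for the example) and raises a per-account lockout after five failures, plus a per-source block after ten failures from one IP, because a password spray that tries one guess against many accounts never trips a per-account counter on its own.

```python
"""Brute-force login detection over authentication log lines (added example).

Not code from the original article. The log format, thresholds, window
and sample events are constructed; point parse() at your own logs.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <user> <source IP> <OK|FAIL>".
# alice: classic single-account brute force. erin: a forgetful legitimate user.
# 198.51.100.7: a password spray, one guess against each of ten accounts.
SAMPLE_LOG = """\
2019-08-07T09:00:01 alice 203.0.113.5 FAIL
2019-08-07T09:00:02 alice 203.0.113.5 FAIL
2019-08-07T09:00:03 alice 203.0.113.5 FAIL
2019-08-07T09:00:04 alice 203.0.113.5 FAIL
2019-08-07T09:00:05 alice 203.0.113.5 FAIL
2019-08-07T09:00:06 alice 203.0.113.5 FAIL
2019-08-07T09:00:10 erin 192.0.2.44 FAIL
2019-08-07T09:00:15 erin 192.0.2.44 FAIL
2019-08-07T09:00:20 erin 192.0.2.44 OK
2019-08-07T09:01:00 bob 198.51.100.7 FAIL
2019-08-07T09:01:01 carol 198.51.100.7 FAIL
2019-08-07T09:01:02 dave 198.51.100.7 FAIL
2019-08-07T09:01:03 frank 198.51.100.7 FAIL
2019-08-07T09:01:04 grace 198.51.100.7 FAIL
2019-08-07T09:01:05 heidi 198.51.100.7 FAIL
2019-08-07T09:01:06 ivan 198.51.100.7 FAIL
2019-08-07T09:01:07 judy 198.51.100.7 FAIL
2019-08-07T09:01:08 kevin 198.51.100.7 FAIL
2019-08-07T09:01:09 laura 198.51.100.7 FAIL
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")

LOCK_AFTER = 5            # failures on one account within WINDOW -> lock the account
BLOCK_SOURCE_AFTER = 10   # failures from one source IP within WINDOW -> block the source
WINDOW = timedelta(minutes=5)


def parse(line):
    """Parse one log line into (timestamp, user, source, result); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, src, result = m.groups()
    return datetime.fromisoformat(ts), user, src, result


def _count_in_window(history, ts, window):
    """Record ts, drop entries older than the window, return how many remain."""
    history.append(ts)
    while history and ts - history[0] > window:
        history.popleft()
    return len(history)


def detect(lines, lock_after=LOCK_AFTER, block_after=BLOCK_SOURCE_AFTER, window=WINDOW):
    """Replay auth events in order; return locked accounts, blocked sources and alerts."""
    per_user = defaultdict(deque)
    per_src = defaultdict(deque)
    locked, blocked = set(), set()
    alerts = []
    for ts, user, src, result in filter(None, map(parse, lines)):
        # Attempts against a locked account or from a blocked source are rejected
        # before the password is even checked, so the lockout actually stops guessing.
        if user in locked or src in blocked:
            alerts.append((ts, "REJECTED", user, src))
            continue
        if result == "OK":
            per_user[user].clear()   # a genuine login resets the account counter ...
            continue                 # ... but not the source counter; sprays mix in successes
        if _count_in_window(per_user[user], ts, window) >= lock_after:
            locked.add(user)
            alerts.append((ts, "LOCKOUT", user, src))
        if _count_in_window(per_src[src], ts, window) >= block_after:
            blocked.add(src)
            alerts.append((ts, "SOURCE_BLOCK", user, src))
    return {"locked": locked, "blocked_sources": blocked, "alerts": alerts}


if __name__ == "__main__":
    report = detect(SAMPLE_LOG.splitlines())
    for alert in report["alerts"]:
        print(*alert)
```

Two caveats a practitioner will want: a per-account lockout is also a denial-of-service lever against any account whose username is known, so pair it with a cool-down rather than a permanent lock and alert on it; and a spray distributed across many source addresses slips past the per-source counter as well, which is part of why a second factor matters.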
In 2014, Apple failed to implement this feature and a myriad of leaked celebrity photos were distributed after a brute force attack.
Brute-force attacks aren’t going anywhere anytime soon. In a world of botnets, scalable grids, and cloud infrastructure, computing power is cheap and easy to come by, and the more of it an attacker can rent, the more prevalent and effective brute-force attacks become.
That’s why we recommend multi-factor authentication (MFA) in addition to all the tactics for avoiding weak passwords listed above.
Multi-factor authentication isn’t a substitute for a strong password. Despite the attention it has received recently, it’s not bulletproof.
It should be used in combination with a strong password. It puts hackers through another ring of fire and gives you another layer of protection, at which point most of them will move on to an easier target: the millions of employees out there with weak passwords and no MFA.
If your company or any of its third-party affiliates hosts private consumer data of any sort, there is no excuse for not implementing the extra layer of protection MFA provides.
Unfortunately, we are in an age where there’s a new data breach every day. Companies need to defend the data they hold and their customers’ right to have it kept secure.
Not every company deals with sensitive data, but most do.
As a result, MFA, password management, and intrusion detection are enough for some companies; depending on the nature of your work, yours may need more precautions, or fewer.
The first step is to figure out where you stand. aNetworks offers a free cyber security assessment to detect the strengths and weaknesses of your cyber security.