Cloud computing has seen rapid adoption since 2020, with more people working remotely than ever before. One interesting study highlighted that 80% of IT leaders had increased their overall cloud usage. However, while this technology has undoubtedly changed the way organizations operate for the greater good, this has come at a cost, with IT teams having far less control and access.
One issue many businesses are struggling with is weak passwords, and while most companies acknowledge that this is a security risk, only 35% of companies are concerned about the accidental exposure of credentials.
So, why should you pay close attention to password hygiene? Here are some reasons:
- “123456” and “qwerty” are still some of the most commonly used passwords worldwide and can be cracked in less than a second (Cybernews)
- Around 31% of users update their passwords at least 1 – 2 times a year, while only 18.5% change theirs even if they’re notified of any security issues (Digital Guardian)
- Three-quarters of Americans struggle to keep track of their credentials (Google)
- The FBI highlighted that $4.2 billion was lost in 2020 due to cybercrime, increasing the five-year total to $13.3 billion (The IC3)
- 61% of breaches involved credential data (Verizon)
- 55% of IT security practitioners don’t utilize 2FA in the workplace (Dataprot)
How do cybercriminals steal passwords?
Hackers are more motivated than ever and will do whatever it takes to get their hands on your money. Verizon’s 2021 Data Breach Investigations Report shows that SMBs with less than 1,000 employees recorded 1,037 incidents and 93% of such breaches were financially motivated.
So, what techniques do cybercriminals use to compromise users’ passwords?
Social engineering
This involves threat actors preying on vulnerable employees and psychologically manipulating them into sharing confidential data. One of the most popular social engineering methods used by hackers is phishing.
Brute force attacks
From a hacker’s perspective, brute force attacks are easy to launch and don’t require a lot of effort. Criminals typically use trial and error tactics to decipher passwords or PINs through automated tools that test a large number of password combinations. These tools can crack weak passwords in a matter of minutes.
Dictionary attacks
Dictionary attacks – a type of brute force tactic – involve inputting commonly used words or phrases as a password, but they aren’t strictly limited to a wordlist. Instead, they can also include names of people you know or a sports team you support. These are based on information easily found online through online profiles
However, this method isn’t as successful against passwords containing numbers, symbols, and a mixture of lowercase and uppercase letters.
Credential stuffing attacks
Bad actors typically purchase lists of leaked usernames and passwords and feed these into a botnet, which attempts several logins across multiple websites in one attempt.
With more than 15 billion login credentials from 100,000 breaches circulating on the dark web, it’s not surprising that credential stuffing attacks have grown in popularity among cybercriminals. Research from Help Net Security detected some 193 billion credential stuffing attacks worldwide in 2020, with the financial services industry, in particular, suffering the most and reporting around 3.4 billion incidents – an increase of 45% YoY in the sector.
Image Credit: freepik.com
How to enforce strong password hygiene
To protect your accounts and organization against cyberattacks, you and your employees need to practice good password hygiene. Consider adopting these tips below:
1. Encourage employees not to reuse passwords
In 2019, Microsoft’s threat research team analyzed a database that contained 3 billion breached login credentials and identified 44 million Microsoft users who had reused the same passwords.
Therefore, it’s essential employees don’t reuse the same password across multiple accounts – no matter how complex it is – because if one account is compromised, the rest are at risk too.
2. Create a unique password for every account
A crucial part of password hygiene is making sure you and your employees create a unique passcode for every account. Don’t use words or phrases found in the dictionary or online, and avoid any sequences such as 123 or 2468.
Consider creating memorable passphrases that contain a minimum of 12 characters and a mixed combination of lowercase and uppercase letters, symbols, and numbers.
For instance, let’s hypothetically say you’re a Liverpool supporter and you watched your side thump Manchester United 5-0 at Old Trafford back in October 2021.
Something like ‘Liverpool FC beat Manchester United at Old Trafford in October 2021’ could translate to lFc_Bmu@oTi1021.
Not only is this passphrase complex and more memorable, but it’s also extremely difficult for bad actors to crack, which can significantly reduce the risk of a breach.
However, depending on the number of accounts you possess, manually updating every single password may not always be feasible, so it’s worth using a password generator tool to protect your data.
3. Get into the habit of reviewing and updating passwords
Most security experts recommend changing your password every few months, particularly if your accounts have been compromised without you realizing it.
To achieve this, you need to develop a strong security culture. Make sure you provide regular security awareness training and educate your employees about password security. In doing so, they’ll know what’s expected of them, and you’ll significantly reduce the likelihood of someone creating a weak password and exposing your business to bad actors.
4. Deploy multi-factor authentication (MFA)
Whatever industry you’re in, multi-factor authentication is arguably one of the most important security tools out there, and it can better protect your passwords from cybercriminals.
MFA strengthens the login process by requesting users to provide three pieces of information. For instance, you may be asked to provide a password, an SMS code, and a photo of yourself to verify your identity.
Considering that most people reuse the same passwords, not only will MFA stop cybercriminals from accessing their accounts, but it’ll significantly reduce the likelihood of a security breach.
5. Use a password manager
Let’s face it: our memory isn’t perfect. That’s why most of us use memorable phrases or words as our passwords and make a note of them. Sadly, neither of these are good practice and can do more harm than good.
With employees already spending around 12.6 minutes per week inputting or resetting passwords, according to Ponemon Institute, simplifying password management is more important than ever for security and productivity, especially in the era of remote/hybrid work.
Here are a few reasons why you should adopt a password manager to strengthen your password hygiene:
- Password managers allow users to securely generate, manage and store complex passwords.
- Login credentials are stored in an encrypted vault and adhere to the strongest encryption standards (AES 256-bit), meaning hackers won’t be able to get through your defenses with brute-force techniques.
- Some vendors provide dark web monitoring features that highlight whether your login details have been breached.
Final thoughts
Simply relying on employees to create unique and complex passwords isn’t enough in today’s cybersecurity world. Instead, IT leaders must educate and encourage the workforce to practice good password hygiene. By adopting the above five actions as part of your security strategy, you’ll strengthen your defenses and ultimately prevent cybercriminals from gaining unauthorized access to your accounts.
