Ultimate guide to password security
Even in the age of biometrics, passwords are still the most common way of proving your identity when using websites, email accounts, and computers. So the use of strong passwords is an essential part of protecting the security and identity of your business and its employees. Passwords are the weak point in systems and websites that cybercriminals actively target.
Cybercrime involves criminals seeking to exploit human or security vulnerabilities in order to steal passwords, data or money directly. The most common cyber threats include:
- Hacking – including social media and email passwords
- Phishing – bogus emails asking for security information and personal details
- Malicious software – including ransomware through which criminals hijack files and hold them to ransom
- Distributed denial of service (DDOS) attacks against websites – often accompanied by extortion
- Password spraying or brute force attack: a small number of common passwords are used to ‘brute force’ large numbers of accounts, trying every combination of symbols, numbers, and letters
- Dictionary attack: an attack using a prearranged list of words like you would find in a dictionary
Password security is a key (if you’ll excuse the pun) factor in protecting your business against cybercrime. Information created, used, stored or transmitted by your business is valuable. This is why the passwords which protect this confidential information should be well thought out, secure and never shared with others.
In this article, we’ll help you understand:
- the risks of cybercrime to your business
- common password weaknesses
- how you can protect your network and computers from outside threats with strong password policies and other protective measures
Cybercrime is on the rise… and it’s getting smarter
Cybercrime continues to rise in scale and complexity, affecting essential services, businesses and private individuals. Cybercrime costs businesses in the UK billions of pounds and causes untold – sometimes irreversible – damage.
“Cybercrime has a considerable impact on citizens and
the Government, the main loser – at a total
estimated cost of £21bn – is UK business, which
suffers from high levels of intellectual property
theft and espionage” – The Cost of Cyber Crime Report, 2018 (PDF, 1.5Mb)
And, according to Carbon Black, Covid-19 has created the perfect storm for increasingly sophisticated cyberattacks due to the move to remote working and the high levels of disruption the pandemic has already caused.
Cybercriminals are continually improving their tools and techniques, working hard to overcome all the defences we put up.
Risks to your business
An attack on your systems through a weak password could paralyse your network. It could even force you to close off parts of your business to make sure cybercriminals can no longer access your data.
In the time it takes you to investigate the cause of a breach and to get your systems back online, you will be unable to perform certain operations. So you are likely to experience a loss of productivity.
Any data breach through weak passwords might result in long-term reputational damage. It can be challenging for organisations to retain customers’ trust – and that’s particularly true for small organisations – so you may experience significant customer churn.
Businesses that are reluctant to invest in cybersecurity practices are not only more likely to fall victim but will experience exponentially higher costs as a result – and in many cases, the damage will be insurmountable.
You cannot cut corners when it comes to cyber threats. However tight your budget, your business needs to find a way to address cybersecurity.
If a password breach incident is severe enough, you will need to contact affected customers, as well as your data protection supervisory authority. In the UK, this is the ICO (Information Commissioner’s Office).
And even notifying customers of the security breach is an expensive and time-consuming endeavour.
What your employees can do to improve password security
Mix lowercase, uppercase, numbers, and symbols
The more you mix up uppercase and lowercase letters, numbers, and symbols, the more potent your password is, and the harder it is for a brute force attack to crack it.
Keep passwords long
Long passwords help protect from brute force attacks. Fifteen characters is the absolute minimum password length we would recommend, assuming there is a truly random mix of lowercase, uppercase, numbers, and symbols. But we recommend a password length of over 20. This will lower the odds of their password ever being cracked by the smartest of software.
Avoid ‘keyboard patterns’
Passwords should not contain keyboard patterns like “qwerty” because they are vulnerable to cracking attacks and shoulder surfing (observing users as they enter their password).
Mix up passwords and don’t reuse them
Using the same password for accounts is the digital equivalent of leaving a spare key under the front doormat. A recent study found that over 80% of data breaches were a result of weak or stolen passwords. People should also avoid using the same passwords at home and work.
Also, your employees should avoid using similar passwords across different systems and websites. People often change only a single word or character from a common password they use everywhere. This practice weakens account security across multiple sites.
Avoid common, guessable passwords
Password spraying attacks are successful because, for any given large set of users, there will be some who are using very common passwords. These attacks can slip under the radar of protective monitoring which only looks at each account in isolation.
Passwords like ‘password’ or ‘letmein’ frequently appear in the “most common passwords” lists worldwide. If strong passwords aren’t enforced within your business, people have the option of resorting to the easiest and fastest solution when it comes to passwords.
A study by the National Cyber Security Centre shows some concerning trends:
- 75% of the participants’ organisations had accounts with passwords that featured in the top 1,000 passwords
- 87% had accounts with passwords that featured in the top 10,000
Avoid personally identifiable information in passwords
If someone is specifically targeted for a password hack, the hacker will put everything they know about that person into their guess attempts. Names, birthdays, and street addresses may be easy to remember, but they’re also easily found online. Personally identifiable information should always be avoided in passwords to ensure the greatest possible strength.
Create new passwords regularly
We recommend that people change their passwords every six months. For people that memorise their passwords, this could create a bit of work for them as they need to learn many different passwords. But for people using a password management system like LastPass, it will do all the hard work.
The change should be more than just a single word, character or digit for this to be most effective.
Never share passwords
It’s sometimes tempting for people to share passwords via email or texts, but this is a considerable risk. Instead, good password management tools can give employees the ability to share a hidden password and even revoke access when the time comes.
What you can do in your business
All businesses should invest in preventative cybersecurity solutions. Implementing these systems and adopting good cybersecurity habits will protect your network and computers from outside threats.
Create a strong password policy for network accounts
Require both your employees and users (if applicable) to create strong passwords. This can be done by implementing a character minimum as well as requiring a mix of upper and lowercase letters, numbers, and symbols. More complicated passwords are harder to guess by both individuals and bots. Also, require that passwords be changed regularly.
Perform regular password audits
You should regularly audit user passwords against common password lists to ensure standards don’t slip over time. People will always be tempted to go back to favourite passwords or fall back into the habit of using easy-to-remember password structures that may also be easy to guess.
Invest in a company-wide password management solution
A secure, cloud-based, company-wide password management tool like 1Password, LastPass, NordPass, or Dashlane can help your business secure every password-protected entry point. They will help you automate and scale password management for your entire business with directory integrations, custom security policies, and more.
These password management tools create secure passwords at the sign-up/registration point and then remember them all. They can be added to browsers and as phone apps. They also make password sharing easy and safe.
You will need to ensure that employees set their master passwords carefully. Alternatively, you can generate the master passwords for employees from a central point and then distribute securely. Otherwise, there is an easy to way for an attacker to gain access to a company-wide database full of passwords to multiple online systems and websites.
A secure and easy-to-use password management tool for your business is an even more essential tool with more of us working from home, outside the office intranet/network.
Enforce 2FA (Two Factor Authentication) wherever possible
Two-factor authentication (2FA) is a login process that requires a username and access to another account or device, such as an email address, phone number, or security software. 2FA requires users to confirm their identity through both and, because of that, is far more secure than single-factor authentication.
Enable Single Sign-On (SSO) wherever possible
Single Sign-On (SSO) is a centralised authentication service through which one login is used to access an entire platform of accounts and software. If you’ve ever used a Google account to sign up or into an account, you have used SSO. Enterprises and corporations use SSO to allow employees access to internal applications that contain proprietary data, but they should be used to access as many systems and websites as possible within your business.
Choose software carefully and keep it up-to-date
Ensure people only install official software from reputable providers that have registered as developers for the device or operating system. For example, software that is available on Apple’s App Store has been released by identified developers and is typically very secure.
And keeping software up-to-date is crucial. Software vendors regularly release updates that address and fix vulnerabilities. You can keep the software in your business secure by ensuring it is updated on a consistent basis. We recommend your software is configured to update automatically, so no security updates are missed.
Make it easy for people to escalate issues
If your employee comes across a phishing email or compromised website, you need to know immediately. You can set up a system for receiving these issues from employees by dedicating an inbox to these notifications or by creating a form that people can fill out.
You can provide your own advice to your employees on how to choose ‘good’ passwords or refer them to external experts. We recommend outsourcing this training to a trusted external party to provide a cybersecurity awareness course or some specific training on password security.
It’s important to send out regular reminders about how everyone must play their part in password security to protect your business and themselves personally.
Find a trusted expert partner
An IT services company can provide complete management and monitoring of all your workstations, servers, and mobile devices for one manageable monthly payment. This includes proactive services to ensure your systems and devices are up-to-date and patched with security enhancements that will help protect your business, for example:
- Network and device security
- Antivirus protection
- Safe website browsing policies
- Proactive 24/7 monitoring, reporting and alerting
- Backups and backup monitoring
- Patch management
- 24-hour support
Our Managed IT Support service provides all of the above and more. Please feel free to contact us if you are thinking about offloading the risk and work required to fully protect your business from cybercriminals.
Need data security advice or expert protection for your business?
If you have any questions about password security or the risks of cybercrime, please get in touch with us.