How many is too many passwords?
That is 191 passwords for 191 accounts.
So, we can all be forgiven for using the same username and password for multiple accounts, right? Well… unfortunately not anymore.
Insecure password practices are exploited in 81% of cyber-attacks worldwide, and 61% of all attacks target businesses with fewer than 1,000 employees.[i]
Whilst password hacking has always been one of the favourite techniques of cyber-criminals, today there are more opportunities for hackers than ever before. This is due partly to the growth in cloud-based applications and, more recently, the growth in remote working, and partly to the increased sophistication of hackers.
Password pain for business owners
The 2018 State of Cybersecurity in Small & Medium Size Businesses report[ii] showed that employee password management was a major concern to business owners: 68% of respondents named dealing with stolen passwords as their biggest ‘pain point’, followed closely by the 67% concerned about employees using weak passwords.
Figure 1: 2018 State of Cybersecurity in Small & Medium Size Businesses, Keeper Security, Inc.
Why would anyone want to steal my password?
Many employees may wonder why anyone would want to steal their password – especially a personal password for a seemingly ‘pointless’ program or app. Hackers know that 65% of people use the same password for multiple or all of their accounts – including both personal and work accounts.[iii]
Therefore, when a hacker gains your password for one of your personal online applications, there is a good chance they will be able to use this to access your corporate profile and infiltrate your company.
Alternatively, you may just be one of millions of indiscriminate victims. Cyber-criminals will often attempt to hack a database which may store thousands, or millions, of usernames and passwords and then either extort the company they have hacked, or take the stolen credentials and sell them on the black market.[iv]
So how does someone steal a password?
Whilst there are many ways criminals may steal passwords, the following three techniques pose the greatest risk to Australian businesses:
1. Socially engineered phishing attacks
‘Phishing’ is a technique used by cyber-criminals to trick a victim into handing over passwords and credentials. This will usually be done by sending an authentic-looking email asking users to either ‘log in’ or ‘reactivate their account’. The victim then clicks on a link taking them to a realistic-looking website where they are prompted to provide personal details. Examples include asking users to reactivate Netflix accounts, phone accounts or electricity bills. As hackers know the majority of people use the same passwords for most accounts, they are then able to take the user’s credentials and attempt to hack their business profile.
2. Spray attacks
Spray attacks are a ‘scattergun approach’ by hackers. Criminals will use a range of common and weak passwords against a range of usernames, in attempts to gain a match. Once this match is acquired, the hacker can either breach the program they are trying to hack, or record the username + password combo to hack a more valuable asset – such as a business. The hacker can also record the combo to sell onto other hackers or, extort the user.
3. Brute force
Brute force is the opposite of a spray attack and is usually more common against larger companies. In a brute force attack, hackers will target one, or a select few, accounts and attempt to guess passwords to gain access to a business. Depending on the perceived size of the reward, hackers may spend large amounts of time attempting to breach one company network. Research has shown that longer and more complex passwords are exponentially harder to crack.[v] It is therefore imperative that business owners apply long passphrases to avoid a brute force attack.
Figure 2 Source: https://www.sentinelone.com/blog/7-signs-weak-password/
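The spray-versus-brute-force distinction above is what a defender can look for in failed-login logs: a spray shows one source touching many usernames a couple of times each, while brute force shows one source hammering one account. The following is an added example, not code from BMK IT or from the article; the log format and the sample lines are constructed for illustration, and the thresholds are assumptions to tune per environment.

```python
import re
from collections import defaultdict

# Constructed failed-login events in an assumed "<time> FAIL user=<u> src=<ip>" format.
SPRAY_USERS = ["alice", "bob", "carol", "dave", "erin", "frank"]
SAMPLE_LOG = (
    # one source, six different users, one attempt each: a password spray
    [f"2024-03-01T09:00:{i:02d} FAIL user={u} src=203.0.113.5"
     for i, u in enumerate(SPRAY_USERS)]
    # one source, one account, twelve attempts: brute force on a single login
    + [f"2024-03-01T09:01:{i:02d} FAIL user=ceo src=198.51.100.7" for i in range(12)]
    # one genuine typo from an ordinary user
    + ["2024-03-01T09:05:00 FAIL user=alice src=192.0.2.9"]
)

LINE_RE = re.compile(r"^\S+ FAIL user=(?P<user>\S+) src=(?P<src>\S+)$")


def classify_failures(lines, spray_users=5, brute_attempts=10):
    """Group failed logins by source address and label each source.

    'spray'  : many distinct users, at most two failures per user
    'brute'  : at most three users, one of them failing brute_attempts+ times
    'normal' : anything else (e.g. a single mistyped password)
    Unparseable lines are skipped rather than crashing the scan.
    """
    per_src = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            per_src[m["src"]][m["user"]] += 1

    verdicts = {}
    for src, users in per_src.items():
        busiest = max(users.values())
        if len(users) >= spray_users and busiest <= 2:
            verdicts[src] = "spray"
        elif len(users) <= 3 and busiest >= brute_attempts:
            verdicts[src] = "brute"
        else:
            verdicts[src] = "normal"
    return verdicts


if __name__ == "__main__":
    for src, verdict in classify_failures(SAMPLE_LOG).items():
        print(f"{src:15} {verdict}")
```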
The trinity of password ‘mistakes’ you can fix today
1. Recycled Passwords
As stated above, the majority of people use the same password (or a selection of a few passwords) for all their login accounts. So, whilst a hacker may not be interested in your online gaming account, they will be interested in your bank account, your business login and any account you access which holds other people’s details. Therefore, all users should use a unique password for every single online account they hold.
2. Weak Passwords
As we are required to remember so many passwords, using simple (or weak) passwords is very tempting. However, hackers can run spray attacks, or even attacks with botnets, to try to guess common passwords. The below list covers the 25 most common passwords used worldwide. So if your password appears on the list below, best change it ASAP!
Passphrases are a much stronger solution for passwords. Passphrases combine letters, numbers and symbols to make a password much harder for hackers to guess or crack. For example, instead of using Applesareyum as a password, this can be changed to @[email protected]^^, making the password more secure.
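As an added illustration of the two checks this section describes (is the password on a common-password list, and how much does length and character variety enlarge the space a brute-force attack must search), here is a small policy checker. It is example code, not from BMK IT or the article; the six-entry denylist is a constructed stand-in for the 25-password list referred to above, and the 14-character minimum is an assumed policy value.

```python
import math
import string

# Constructed stand-in for a common-password list (the article's list of 25 is not reproduced).
COMMON_PASSWORDS = {"123456", "password", "qwerty", "111111", "iloveyou", "admin"}


def charset_size(password):
    """Size of the alphabet an attacker must assume, based on the classes present."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable symbols
    return size


def guess_space_bits(password):
    """log2 of the candidates an exhaustive brute force must try: length scales it exponentially."""
    return len(password) * math.log2(charset_size(password))


def check_password(password, min_length=14):
    """Return the list of policy problems found; an empty list means the password passes."""
    problems = []
    if password.lower() in COMMON_PASSWORDS:
        problems.append("common")
    if len(password) < min_length:
        problems.append("too short")
    if charset_size(password) <= 26:
        problems.append("single character class")
    return problems


if __name__ == "__main__":
    for candidate in ["password", "Applesareyum", "Apples-are-yum-every-morning"]:
        print(f"{candidate!r}: {guess_space_bits(candidate):.1f} bits, {check_password(candidate)}")
```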
3. Stored Passwords
To help users quickly access passwords, most browsers offer a tool to save your passwords:
Whilst this tool provides easy access to all your passwords for you, it also provides easy access for hackers. It is much better practice to select ‘never’ save passwords in your browser. This is also true for credit cards and other credentials. There is an added risk here if your computer or device is stolen.
Don’t panic – managing your passwords is easy!
With all this in mind, you may be wondering, ‘how on earth can I keep track of my 191 unique passphrases!?’ This is where a Password Management System can help.
Password Management Systems are designed to enable employees to use strong, unique passphrases for all logins. For businesses, these systems can also be used for shared passwords and to recover passwords held by previous or retired employees.
BMK IT can support business owners to establish a strong efficient password management system to increase their cybersecurity protection.
Because who can remember 191 passwords?