One of the most common causes of a security breach is weak passwords, with people often reusing them for multiple or all accounts. A survey conducted by Specops Software uncovered that 51.61% of respondents share their streaming site passwords, with 21.43% unsure whether those passwords then get shared with other people.
People's attitude to password security is alarmingly lax, which can have costly repercussions for businesses. $1 trillion was lost to cybercrime in 2020, according to McAfee. An estimated five billion unique user credentials (e.g. username and password combinations) are available to cybercriminals on the darknet, and these can grant access to corporate networks or bank accounts.
How do hackers steal passwords?
- Credential stuffing describes when hackers take databases or lists of stolen credentials (i.e. usernames and passwords leaked from one site) and test them against accounts on other sites, relying on people having reused the same password.
- Phishing is a social engineering technique that tricks users into supplying their credentials to what they believe is a genuine request from a legitimate site or vendor.
- Password spraying is a technique that tries a short list of commonly used passwords, such as 123456, password123, 1qaz2wsx, letmein, batman and others, against many user account names.
- Keylogging is a technique often used in targeted attacks. Keyloggers record the keystrokes you type and can be a particularly effective means of obtaining credentials for bank accounts, crypto wallets and other logins with secure forms.
- Brute force uses trial-and-error to guess login info, encryption keys or find a hidden web page. Hackers work through all possible combinations hoping to guess correctly.
- Local discovery occurs when you write down or use your password somewhere where it can be seen in plain text.
- Extortion involves no subterfuge. Somebody demands you hand over your credentials, or they threaten you.
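From the defender's side, the attack patterns above leave different fingerprints in authentication logs: a password spray fails once against many different usernames from one source, whereas a brute force hammers one username many times. The following added example (not from the original article) runs that distinction over a few constructed sshd-style log lines; the line format, thresholds and IP addresses are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed-login lines (sshd-style); not from a real system.
SAMPLE_LOG = """\
2024-05-01T10:00:01 Failed password for alice from 203.0.113.7
2024-05-01T10:00:03 Failed password for bob from 203.0.113.7
2024-05-01T10:00:05 Failed password for carol from 203.0.113.7
2024-05-01T10:00:07 Failed password for dave from 203.0.113.7
2024-05-01T10:00:09 Failed password for erin from 203.0.113.7
2024-05-01T10:00:11 Failed password for frank from 203.0.113.7
2024-05-01T10:01:00 Failed password for root from 198.51.100.9
2024-05-01T10:01:01 Failed password for root from 198.51.100.9
2024-05-01T10:01:02 Failed password for root from 198.51.100.9
2024-05-01T10:01:03 Failed password for root from 198.51.100.9
2024-05-01T10:01:04 Failed password for root from 198.51.100.9
2024-05-01T10:05:00 Failed password for alice from 192.0.2.20
"""

LINE_RE = re.compile(r"^(\S+) Failed password for (\S+) from (\S+)$")

def parse_failures(log_text):
    """Yield (timestamp, username, source_ip) for each failed-login line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)

def classify_sources(log_text, window=timedelta(minutes=5), min_attempts=5):
    """Label each source IP by the shape of its recent failures:
    'spray' = many distinct users, roughly one attempt each;
    'brute_force' = one user, many attempts; 'normal' = too few to judge."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failures(log_text):
        by_ip[ip].append((ts, user))
    verdicts = {}
    for ip, events in by_ip.items():
        events.sort()
        # Only count failures inside the window ending at this IP's last event.
        recent = [u for ts, u in events if events[-1][0] - ts <= window]
        distinct = len(set(recent))
        if len(recent) < min_attempts:
            verdicts[ip] = "normal"
        elif distinct >= 0.8 * len(recent):
            verdicts[ip] = "spray"
        elif distinct == 1:
            verdicts[ip] = "brute_force"
        else:
            verdicts[ip] = "mixed"
    return verdicts
```

A lockout policy that counts failures per account will catch the brute force but miss the spray, which is why the per-source view matters.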
So what should we be doing to reduce this risk and ensure we keep our passwords safe?
9 tips to boost workplace password security
1. Choose a strong and unique password
Aim for a minimum of 8 characters with numbers, letters and punctuation.
2. Avoid obvious passwords
Don't use easily guessed passwords like 1234, 4321, qwerty, password and password123. Avoid using words that can be found on social media accounts - for example, family names, pets, place of birth, school, favourite holiday, or something related to your sports team or hobby.
Do not use:
- Names or business names.
- Family members’ or pets’ names.
- Your own or family birthdays.
- Favourite sports team or other words easily guessed by acquaintances.
- The word ‘password’ or numerical sequences. A survey of data breaches showed "123456" was used as a password 23 million times!
- Single common dictionary words, such as ‘kitchens’, which password-cracking programs can guess easily.
- Recycled passwords (e.g. Jon2, Jon3 etc.).
3. Keep passwords safe
Avoid writing them down, sharing them with others or using the same password across multiple sites. If you must write them down, make sure you use a code that is meaningless to others.
4. Change your password regularly
Especially if you think someone else knows it.
5. Use three random words
The UK government's cybersecurity campaign encourages the use of three random words (e.g. dogmoonpurple) broken up with numbers and characters to substitute for letters (e.g. D0gm00npu4p!e).
6. Use a random password generator
Or create a string of completely meaningless letters and symbols. One way of doing this is to take a random sentence or line from a song/poem, use the first letter of each word, and then add punctuation and numbers to mix it up.
7. Use password management software
Software like Dashlane, 1Password, KeePass, or LastPass allows you to store all of your passwords behind one master password.
8. For added security, use two-factor authentication
If someone logs in from an unrecognised device, you're sent a code (by text or email), which you have to enter to verify it's really you.
9. Regularly check your email addresses
Use one of the many websites that check whether your email address or password has appeared in a known breach, such as Have I Been Pwned. If someone can access your email, it often means that they can easily reset other passwords.
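Have I Been Pwned's Pwned Passwords service is designed so that the password itself never leaves your machine: the client hashes it with SHA-1, sends only the first five hex characters, and receives every suffix that shares that prefix along with a breach count. The added example below (not code from the article or from Have I Been Pwned) shows that client-side logic against a constructed sample response; the counts and filler suffixes are made up, and the live fetch function is included only for completeness.

```python
import hashlib

def sha1_split(password):
    """Return (5-char prefix, 35-char suffix) of the upper-case hex SHA-1."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

# Constructed stand-in for the "SUFFIX:COUNT" lines the range endpoint returns.
# The suffix for "password" is computed here; the counts and other suffixes are
# invented for the example and are not real breach data.
_PREFIX, _SUFFIX = sha1_split("password")
SAMPLE_RANGE_RESPONSE = "\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:1",   # constructed filler
    f"{_SUFFIX}:12345",                          # the entry we expect to match
    "011053FD0102E94D6AE2F8B83D76FAF94F6:3",   # constructed filler
])

def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines into a {suffix: count} mapping."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts

def breach_count(password, fetch_range):
    """Number of times the password appeared in breaches (0 = not found).
    fetch_range(prefix) must return the response body for that 5-char prefix."""
    prefix, suffix = sha1_split(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)

def fetch_range_live(prefix):
    """Query the real endpoint (needs network); only the prefix is sent."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "hibp-range-example"},  # assumed UA string
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

if __name__ == "__main__":
    print(breach_count("password", lambda p: SAMPLE_RANGE_RESPONSE))  # 12345
```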
Want to learn more about Information Security?
If you'd like to stay up to date with information security best practices, industry insights and key trends across regulatory compliance, digital learning, EdTech and RegTech news, subscribe to Skillcast Compliance Bulletin.
To help you navigate the compliance landscape, we have collated searchable glossaries of key terms and definitions across complex topics, including GDPR, Equality, Financial Crime and SMCR. We also regularly report key learnings from recent GDPR fines.
You can follow our ongoing YouGov research into compliance issues, attitudes and risk perceptions in the UK workplace through our Compliance Insights blogs.
And if you're looking for a compliance training solution, why not visit our Compliance Essentials Course Library.
Last but not least, we have 70+ free compliance training aids, including assessments, best practice guides, checklists, desk-aids, eBooks, games, handouts, posters, training presentations and even e-learning modules!
If you've any questions or concerns about compliance or e-learning, please get in touch.
We are happy to help!