One of the most common causes of a security breach is weak passwords, with people often reusing them for multiple or all accounts. A survey conducted by Specops Software uncovered that 51.61% of respondents share their streaming site passwords, with 21.43% unsure whether those passwords get shared with other people.
People's attitude to password security is alarmingly lax, which can have costly repercussions for businesses. $1 trillion was lost to cybercrime in 2020, according to McAfee. An estimated five billion unique user credentials (e.g. username and password combinations) are available on the darknet to cybercriminals that can grant access to corporate networks or bank accounts.
How hackers steal passwords
a. Credential stuffing
describes when hackers test databases or lists of stolen credentials (i.e. passwords and user names) against multiple accounts to see if there's a match.
b. Phishing
is a social engineering trick which attempts to fool users into supplying their credentials to what they believe is a genuine request from a legitimate site or vendor.
c. Password spraying
is a technique that tries a list of commonly used passwords, such as 123456, password123, 1qaz2wsx, letmein and batman, against user account names.
d. Keylogging
is often a technique used in targeted attacks. Keyloggers record the strokes you type on the keyboard and can be a particularly effective means of obtaining credentials for bank accounts, crypto wallets and other logins protected by secure forms.
e. Brute force
uses trial and error to guess login details or encryption keys, or to find a hidden web page. Hackers work through all possible combinations hoping to guess correctly.
f. Local discovery
occurs when you write down or use your password somewhere it can be seen in plain text.
g. Extortion
involves no subterfuge. Somebody demands you hand over your credentials, or they threaten you.
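Several of the techniques above leave a recognisable footprint in authentication logs, which is where a defender first sees them. The following added example (written for this page, not code from the article or from Skillcast) classifies failed logins per source address: a brute-force attempt is many failures against one account, while password spraying (and credential stuffing, which looks the same at this level because each account is tried only once or twice) is a few failures spread across many accounts. The log format, timestamps, usernames and addresses (RFC 5737 documentation ranges) are all constructed for the example; the thresholds are assumptions to tune for your own environment.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not from the article); timestamps,
# addresses and usernames are all made up for this example.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z src=203.0.113.5 user=alice result=FAIL
2024-03-01T09:00:02Z src=203.0.113.5 user=bob result=FAIL
2024-03-01T09:00:03Z src=203.0.113.5 user=carol result=FAIL
2024-03-01T09:00:04Z src=203.0.113.5 user=dave result=FAIL
2024-03-01T09:00:05Z src=203.0.113.5 user=erin result=FAIL
2024-03-01T09:00:06Z src=203.0.113.5 user=frank result=FAIL
2024-03-01T09:01:00Z src=198.51.100.7 user=alice result=FAIL
2024-03-01T09:01:01Z src=198.51.100.7 user=alice result=FAIL
2024-03-01T09:01:02Z src=198.51.100.7 user=alice result=FAIL
2024-03-01T09:01:03Z src=198.51.100.7 user=alice result=FAIL
2024-03-01T09:01:04Z src=198.51.100.7 user=alice result=FAIL
2024-03-01T09:01:05Z src=198.51.100.7 user=alice result=FAIL
2024-03-01T09:02:00Z src=192.0.2.9 user=bob result=FAIL
2024-03-01T09:02:05Z src=192.0.2.9 user=bob result=OK
"""

# Assumed log line shape: "... src=<addr> user=<name> result=<OK|FAIL>"
LINE_RE = re.compile(r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)")


def parse_failures(log_text):
    """Return {source address: {username: number of failed logins}}."""
    failures = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("result") == "FAIL":
            failures[m.group("src")][m.group("user")] += 1
    return failures


def classify_sources(log_text, min_failures=5, spray_users=4):
    """Label each source address by the pattern of failures it produced.

    'spraying'    - failures spread over many accounts, at most two per account
                    (one short list of common passwords tried against everyone)
    'brute-force' - many failures against a single account
    'mixed'       - enough failures to look at, but neither shape clearly
    'normal'      - too few failures to act on
    Thresholds are assumptions for the example, not recommended values.
    """
    verdicts = {}
    for src, per_user in parse_failures(log_text).items():
        total = sum(per_user.values())
        distinct_users = len(per_user)
        if total < min_failures:
            verdicts[src] = "normal"
        elif distinct_users >= spray_users and max(per_user.values()) <= 2:
            verdicts[src] = "spraying"
        elif distinct_users == 1:
            verdicts[src] = "brute-force"
        else:
            verdicts[src] = "mixed"
    return verdicts


if __name__ == "__main__":
    for src, verdict in classify_sources(SAMPLE_LOG).items():
        print(f"{src:15} {verdict}")
```

Because spraying deliberately stays under per-account lockout limits, an alert keyed on failures per account never fires for it; the per-source view above is what catches it. Keyloggers, local discovery and extortion produce a valid login with the right password on the first try, so they do not show up here at all, which is why the later advice on two-factor authentication matters.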
Ways to improve workplace password security
So what should your colleagues do to reduce this risk and ensure they keep their passwords safe?
1. Choose a strong and unique password
Aim for a minimum of 8 characters with numbers, letters and punctuation.
2. Avoid obvious passwords
Don't use easily guessed passwords like 1234, 4321, qwerty, password and password123. Avoid words that can be found on your social media accounts - for example, family names, pets, place of birth, school, favourite holiday, or something related to your sports team or hobby.
Do not use:
- Names or business names.
- Family members’ or pets’ names.
- Your own or family's birthdays.
- Favourite sports team or other words easily guessed by acquaintances.
- The word ‘password’ or numerical sequences. A survey of data breaches showed "123456" was used as a password 23 million times!
- Single common dictionary words, such as ‘kitchens’, that cracking programs can easily guess.
- Recycled passwords (e.g. Jon2, Jon3 etc.).
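The rules in points 1 and 2 can be expressed as a simple policy check. The following is an added example written for this page (not code from the article or from Skillcast): it rejects short passwords and missing character classes, the common and sequential passwords named above, single dictionary words, personal details the user supplies, and recycled variants such as Jon2 after Jon3. The common-password and dictionary lists here are tiny constructed stand-ins; a real check would use a large leaked-password list and a full dictionary.

```python
import string

# Constructed stand-ins for a leaked-password list and a dictionary; kept
# tiny so the example runs offline. Real policies use lists of millions.
COMMON_PASSWORDS = {"1234", "4321", "qwerty", "password", "password123",
                    "123456", "letmein", "1qaz2wsx", "batman"}
DICTIONARY_WORDS = {"kitchens", "summer", "dragon", "football", "welcome"}


def _is_sequence(pw):
    """True for runs like 1234, 4321 or abcd: every step is +1, or every step is -1."""
    if len(pw) < 4:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps == {1} or steps == {-1}


def _base_form(pw):
    """Strip trailing digits and punctuation and lower-case, so Jon2 and Jon3 compare equal."""
    return pw.rstrip(string.digits + string.punctuation).lower()


def check_password(pw, personal_terms=(), previous_passwords=()):
    """Return the list of policy violations; an empty list means the password passes.

    personal_terms:     names, pets, birthdays, team names an acquaintance could guess
    previous_passwords: the user's own password history
    """
    problems = []
    lowered = pw.lower()

    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    has_digit = any(c.isdigit() for c in pw)
    has_alpha = any(c.isalpha() for c in pw)
    has_punct = any(c in string.punctuation for c in pw)
    if not (has_digit and has_alpha and has_punct):
        problems.append("needs numbers, letters and punctuation")
    if lowered in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    if _is_sequence(lowered):
        problems.append("is a simple sequence")
    if lowered in DICTIONARY_WORDS or _base_form(pw) in DICTIONARY_WORDS:
        problems.append("single dictionary word")
    for term in personal_terms:
        if term.lower() in lowered:
            problems.append(f"contains personal detail '{term}'")
    for old in previous_passwords:
        if _base_form(old) == _base_form(pw):
            problems.append("recycles a previous password")
            break
    return problems


if __name__ == "__main__":
    for candidate in ["password123", "kitchens", "D0gm00npu4p!e"]:
        print(candidate, "->", check_password(candidate) or "OK")
    print("Jon3! after Jon2! ->", check_password("Jon3!", previous_passwords=["Jon2!"]))
```

The recycled-password check only works if the system keeps a history of previous passwords to compare against; comparing base forms rather than exact strings is what catches the Jon2, Jon3 pattern the article warns about.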
3. Keep passwords safe
Avoid writing them down, sharing them with others or using the same password across multiple sites. If you must write them down, make sure you use a code that is meaningless to others.
4. Change your password regularly
Especially if you think someone else knows it.
5. Use three random words
The UK government's cybersecurity campaign encourages the use of three random words (e.g. dogmoonpurple) broken up with numbers and characters that substitute for letters (e.g. D0gm00npu4p!e).
6. Use a random password generator
Or create a string of completely meaningless letters and symbols. One way of doing this is to take a random sentence or line from a song/poem, use the first letter of each word, and then add punctuation and numbers to mix it up.
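Points 5 and 6 describe two ways of generating a password; the following added example (written for this page, not code from the article or the UK campaign) implements both with Python's `secrets` module, which draws from the operating system's cryptographic random source rather than the predictable `random` module. The word list is a constructed dozen words so the example runs offline; the substitution table is inferred from the article's own dogmoonpurple to D0gm00npu4p!e example, and the entropy helper shows why the word list has to be large.

```python
import math
import secrets
import string

# Constructed, deliberately short word list so the example runs offline. A real
# generator draws from thousands of words; see passphrase_entropy_bits for why.
WORDLIST = ["dog", "moon", "purple", "river", "candle", "orbit",
            "velvet", "copper", "harbour", "tiger", "maple", "quartz"]

# Substitutions inferred from the article's example (dogmoonpurple -> D0gm00npu4p!e).
SUBSTITUTIONS = {"o": "0", "r": "4", "l": "!"}


def three_random_words(wordlist=WORDLIST, rng=secrets.choice):
    """Pick three words with a CSPRNG and separate them with random digits."""
    words = [rng(wordlist) for _ in range(3)]
    digits = [rng(string.digits) for _ in range(2)]
    return words[0] + digits[0] + words[1] + digits[1] + words[2]


def substitute(passphrase, table=SUBSTITUTIONS):
    """Apply letter-for-symbol substitutions and capitalise the first character."""
    out = "".join(table.get(c, c) for c in passphrase)
    return out[:1].upper() + out[1:]


def random_string(length=16,
                  alphabet=string.ascii_letters + string.digits + string.punctuation):
    """A string of meaningless letters, digits and symbols (point 6 in the article)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def passphrase_entropy_bits(wordlist_size, word_count=3, separator_choices=10):
    """Entropy contributed by the random choices alone: log2(N^words * 10^separators).

    Substitutions such as o->0 are predictable and add essentially nothing;
    the strength comes from how many words the list offers.
    """
    return (word_count * math.log2(wordlist_size)
            + (word_count - 1) * math.log2(separator_choices))


if __name__ == "__main__":
    phrase = three_random_words()
    print(phrase, "->", substitute(phrase))
    print(random_string(20))
    print(f"{passphrase_entropy_bits(len(WORDLIST)):.1f} bits from a {len(WORDLIST)}-word list")
    print(f"{passphrase_entropy_bits(7776):.1f} bits from a 7776-word (diceware-size) list")
```

With the twelve-word constructed list the three-word passphrase has only about 17 bits of entropy, which is guessable in moments; the same construction over a 7776-word diceware list gives roughly 45 bits. The lesson for point 5 is that "random" has to mean drawn from a large list by a proper random source, not three words that come to mind.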
7. Use password management software
Software like Dashlane, 1Password, KeePass or LastPass allows you to store all of your passwords behind one master password.
8. For added security, use two-factor (2-step) authentication
If someone logs in from an unrecognised device, you're sent a code (by text or email), which you have to enter to verify it's really you.
9. Regularly check your email addresses
Use one of the many websites that check whether your email address or password has appeared in a known breach, such as Have I Been Pwned. If someone can access your email, it often means that they can easily reset your other passwords.
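Have I Been Pwned's password check does not need to see the password itself. The following added example (written for this page; not code from the article, Skillcast or the HIBP project) shows the mechanism as I understand it from the service's public documentation: the client hashes the password with SHA-1, sends only the first five hex characters of the hash to the range endpoint, receives every suffix the service knows for that prefix with its breach count, and finishes the comparison locally. The range response used here is constructed in the block so the example runs offline; the count of 23 is a made-up figure, not the real breach count for that password.

```python
import hashlib

# Real endpoint published by Have I Been Pwned (stated from knowledge of the
# service, not from the article); only the 5-character prefix goes in the URL.
RANGE_ENDPOINT = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password):
    """Upper-case hex SHA-1 of the password, the format the service indexes on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password):
    """Return (prefix, suffix): the 5 hex chars sent, and the 35 that stay local."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def range_url(prefix):
    """URL a client would fetch for the given 5-character prefix."""
    return RANGE_ENDPOINT + prefix


def count_in_range_response(suffix, response_text):
    """Parse 'SUFFIX:COUNT' lines and return our suffix's count, or 0 if absent."""
    for line in response_text.splitlines():
        found_suffix, sep, count = line.strip().partition(":")
        if sep and found_suffix == suffix:
            return int(count)
    return 0


def check_password_offline(password, response_text):
    """Times the password appears in breaches, judged against a range response."""
    _prefix, suffix = split_for_range_query(password)
    return count_in_range_response(suffix, response_text)


# Constructed stand-in for a range response. A real response lists hundreds of
# suffixes for the prefix; this one contains the suffix of "password123" with a
# made-up count plus two made-up neighbours, so the example runs without network.
_PWNED_PREFIX, _PWNED_SUFFIX = split_for_range_query("password123")
SAMPLE_RESPONSE = "\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:1",   # constructed
    f"{_PWNED_SUFFIX}:23",                     # constructed count, not a real figure
    "011053FD0102E94D6AE2F8B83D76FAF94F6:2",   # constructed
])


if __name__ == "__main__":
    for candidate in ["password123", "D0gm00npu4p!e"]:
        prefix, _ = split_for_range_query(candidate)
        print(f"{candidate}: would fetch {range_url(prefix)}; "
              f"seen {check_password_offline(candidate, SAMPLE_RESPONSE)} times in sample")
```

Because a five-character prefix covers a large bucket of unrelated hashes, the service learns neither the password nor which suffix the client was interested in. In a live client the only change is replacing `SAMPLE_RESPONSE` with the body fetched from `range_url(prefix)`.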