You don’t need anyone to tell you how tumultuous the cybersecurity landscape is right now. There are cyberattacks and hacks happening every hour and small businesses and major corporations are essentially walking around with massive targets on their backs.
But for all the discussion about malware, phishing, ransomware, and other common threats, many IT departments still fail to account for one of the most prevalent issues: attacks on passwords themselves, whether by guessing, by offline cracking, or by replaying credentials leaked from someone else's breach.
The Need for Better Password Integrity
A password is usually the first, and without multi-factor authentication the only, line of defense between an attacker and whatever private information is protected behind the account. It's akin to a lock on the front door of a house. While there are technically other ways to get inside, the easiest and most common method is through the door, unless the door is secured by a strong deadbolt.
There’s a huge difference between a house that uses a simple single-latch lock and a deadbolt lock. A single-latch lock – the kind that you twist on the interior side of the handle – is super easy to manipulate from the outside. In order to break in, all you have to do is bust the handle or apply a lot of force to the door with your shoulder. A deadbolt, on the other hand, is nearly impossible to penetrate without having the matching key.
In the business world, an unsecured password is like a single-latch lock. Sure, it keeps the door from blowing open on a blustery day, but it isn’t going to protect you from someone who wants to get inside. A strong password is like a deadbolt lock. It can still be compromised, but it takes a lot more work.
Before businesses can work on ways to prioritize password integrity, they must understand the common ways in which passwords are exposed. The most prevalent method is still simple guessing. A large share of accounts use predictable passwords, the most common being "password" and "123456", so an attacker's first move is to try a short list of such values against every account, which costs almost nothing and needs no special tooling. Attackers who obtain a database of password hashes go further with offline cracking: dictionary attacks that try common words and names with their usual decorations (a capital first letter, a digit or two on the end), and pure brute force, which systematically checks every combination of characters until it finds the string that matches. Against a fast hash, commodity GPU hardware tries billions of guesses per second, so a short password falls regardless of how random it looks.
The other method, data breaches, is partly a matter of larger-scale cybersecurity, but it feeds directly back into password integrity. When a company's database is breached, the passwords in it (immediately if they were stored in the clear, or once the hashes are cracked) become a list for credential stuffing, in which the same email and password pairs are tried against other services. A password reused across accounts is therefore only as safe as the least secure site it was ever used on.
Action Steps Businesses Should Take
For businesses, and particularly IT departments, one of the highest-return ways to prevent compromise is to strengthen password integrity across the board. Here are a few specific tips and suggestions:
1. Educate Employees on Password Strength
According to a recent study by CyLab, Carnegie Mellon's Security and Privacy Institute, people's perception of password strength isn't always realistic. People often assume they're creating strong passwords when they're really producing generic and predictable strings of characters.
“Although participants generally had a good understanding of what makes passwords stronger or weaker, they also had some critical misunderstandings of how passwords are attacked and assumed incorrectly that their passwords need to withstand only a small number of guesses,” says Blase Ur, the study's lead author.
Participants tended to make assumptions about the use of numbers and symbols and, in trying to make their passwords harder to compromise, many actually made them more predictable. Appending a digit or an exclamation mark, or swapping "@" for "a", are exactly the transformations that cracking tools apply as rules to every word in their dictionary, so they add almost nothing to the number of guesses an attacker needs.
In order for businesses to take a step forward, employees need to be educated in regards to what makes a strong password. “As companies are designing tools that help people make passwords, they should not only be giving users real-time feedback on the strength of their passwords, but also be providing data-driven feedback on how to make them stronger,” says Ur.
2. Passwords Should Be Changed When Compromised, and Never Reused
One of the biggest issues companies have with passwords is that employees forget them and have to go through a complicated process of recovering or resetting the password. This generally leads people to set the same password across multiple accounts and keep it for many years. Reuse is the real mistake: once that one password turns up in any breach, every account that shares it is exposed.
Forcing a change on a fixed schedule, such as every three months, is less useful than it once appeared. Users respond to mandatory rotation with predictable increments ("Summer2023!" becomes "Autumn2023!"), which cracking tools anticipate, and current guidance in NIST SP 800-63B drops periodic rotation in favour of changing a password promptly whenever compromise is suspected, screening new passwords against lists of known breached values, and adding multi-factor authentication. Employees generally won't do any of this on their own, so the system has to enforce it: breached-password screening at the moment a password is set, and a forced reset triggered by a breach notification or a suspicious sign-in.
3. Encourage Password “Phrases”
The reason most passwords are predictable is that they are built from common dictionary words. Password cracking tools have these words loaded, together with rules for the usual decorations, and compromise strings like "iloveyou" or "baseballfan1" in seconds. One way to outsmart attackers is to ditch common words altogether and use phrase-based passwords.
A phrase-based password is essentially an acronym for a longer sentence. Your phrase might be "This password will never ever get hacked." Take the first two letters of each word and that's your password; in this case, "thpawineevgeha." Length is what carries the scheme: the two-letter version gives 14 characters that no dictionary covers, whereas taking only the first letter of each word would give "tpwnegh", seven lowercase characters that brute force exhausts in under a second at billions of guesses per second. Resist the temptation to write the phrase on a sticky note in the office. Anyone who knows the scheme, or who simply tries the obvious derivations of a sentence found next to a keyboard, has the password. If a phrase must be written down, keep it locked away, or better, use it as the master password of a password manager that generates a different random password for every other account.
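The attacks described above (guessing from a common-password list, dictionary cracking with digit suffixes, and exhaustive brute force) and the acronym scheme can be put side by side in a few lines of code. The following is an added example written for this page; it is not code from the article's author, from CyLab, or from any product. The common-password set, the dictionary, the 10^10 guesses-per-second rate and the helper names (`estimate`, `phrase_password`, `segment_into_words`) are all constructed assumptions; a real checker would use a multi-million-entry breached-password list and a full cracking dictionary, but the logic is the same.

```python
"""Model the attacks the article describes and score candidate passwords.

Added example for this article, not code from the article's author or from
CyLab. The word lists and the guess rate are constructed assumptions chosen
to keep the example self-contained.
"""
import re

# Constructed stand-in for a common/breached password list, tried first.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "iloveyou", "letmein", "welcome"}

# Constructed stand-in for a cracking dictionary (real ones hold hundreds of
# thousands of words and names).
DICTIONARY = {"i", "love", "you", "baseball", "fan", "this", "password",
              "will", "never", "ever", "get", "hacked"}

# Assumed offline cracking rate against a fast, unsalted hash on a GPU rig.
GUESSES_PER_SECOND = 1e10


def charset_size(password: str) -> int:
    """Alphabet a brute-force attacker must cover, inferred from the
    character classes actually present in the password."""
    classes = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33))
    return sum(n for pattern, n in classes if re.search(pattern, password))


def brute_force_guesses(password: str) -> int:
    """Worst case for the attacker: exhaustive search of the inferred alphabet."""
    return charset_size(password) ** len(password)


def segment_into_words(text: str):
    """Split text into the fewest dictionary words that cover it exactly, or
    None if no such split exists (dynamic programming over prefixes)."""
    best = [None] * (len(text) + 1)
    best[0] = []
    for end in range(1, len(text) + 1):
        for start in range(end):
            if best[start] is not None and text[start:end] in DICTIONARY:
                candidate = best[start] + [text[start:end]]
                if best[end] is None or len(candidate) < len(best[end]):
                    best[end] = candidate
    return best[len(text)]


def dictionary_guesses(password: str):
    """Model a dictionary attack: lower-case words followed by optional digits.
    Returns the guesses needed, or None if the password does not decompose."""
    match = re.fullmatch(r"([a-z]+)([0-9]*)", password)
    if not match:
        return None
    words = segment_into_words(match.group(1))
    if words is None:
        return None
    # Every combination of that many dictionary words, times every digit suffix.
    return len(DICTIONARY) ** len(words) * 10 ** len(match.group(2))


def estimate(password: str) -> dict:
    """Cheapest attack path and its cost for a candidate password."""
    if password in COMMON_PASSWORDS:
        method, guesses = "common-password list", len(COMMON_PASSWORDS)
    else:
        by_dictionary = dictionary_guesses(password)
        by_brute_force = brute_force_guesses(password)
        if by_dictionary is not None and by_dictionary < by_brute_force:
            method, guesses = "dictionary + digits", by_dictionary
        else:
            method, guesses = "brute force", by_brute_force
    return {"method": method, "guesses": guesses, "seconds": guesses / GUESSES_PER_SECOND}


def phrase_password(sentence: str, letters_per_word: int = 2) -> str:
    """The article's scheme: the first N letters of each word, lower-cased."""
    words = re.findall(r"[A-Za-z]+", sentence)
    return "".join(word[:letters_per_word] for word in words).lower()


if __name__ == "__main__":
    phrase = "This password will never ever get hacked."
    for candidate in ("123456", "baseballfan1",
                      phrase_password(phrase, 1), phrase_password(phrase)):
        result = estimate(candidate)
        print(f"{candidate:16} {result['method']:22} "
              f"{result['guesses']:.3g} guesses, ~{result['seconds']:.3g} s")
```

Running it shows the ranking the text argues for: "123456" is found in the first pass over the common list, "baseballfan1" falls to two dictionary words plus one digit (1,440 guesses against this toy dictionary), the one-letter acronym "tpwnegh" is brute-forced in well under a second, and only the 14-character two-letter acronym pushes the cost into the hundreds of years at the assumed rate. The brute-force figure is an upper bound, since letter pairs that start English words are far from uniformly distributed, which is one more reason to keep the phrase long.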
Building a Strong Foundation
Password integrity is essentially the foundation of any modern IT security strategy. While there are plenty of other ways in which cyber criminals target businesses, one of the most common is to obtain a valid password and work from the inside out, inheriting everything that account is allowed to do.
Cutting off this easy access doesn't remove the target from your back, but it removes the cheapest path to the prize, and many attackers will simply move on to an organization that still has the single-latch lock on the door.