Even social media giant Facebook has been ordered to step up data protection as 29 million of its user’s passwords were exposed in 2018. Creating a strong and secure password is a critical step in protecting confidential data and networks. Your infrastructure can come under attack from cyber criminals at any time and passwords can provide the key to that kingdom for hackers.
Key findings of a study revealed the top 25 most commonly used passwords in 2017 from ten million records (Wikipedia):
- ‘123456’ was the number one favoured password
- In 2016 a staggering 1 in 5 passwords wasidentified as ‘123456’
- In 2017, the word ‘password’ was listed as the eighth most popular password used
Hackers may deploy multiple tactics to steal your passwords, here are three of the most prolific attack types:
- Social engineering - Through social engineering, tricked users enter their password and login credentials to a malicious website or software.
- Brute force - In brute force attacks, cybercriminals use tools to automatically enter the most common passwords, with the hope that one of them works.
- Breached data - When an organisation’s security is breached the connected passwords are often released publically, and users can become a new target of cybercrime.
So, how can you keep your passwords, and more importantly, your firm’s data, safe from cybercriminals?
Follow our 12-step best practice guidelines for creating a secure password process within your organisation and update your password policy(s) to reflect the latest password protection techniques:
How to create secure passwords?
1. Avoid common password types
- First and foremost do not take the easy route and allow the use of common passwords
Top five most commonly used passwords of 2017 (See the full password avoid list):
Your company will be easy prey for hackers who sweep the internet using inception tools and can work out simple passwords in seconds
2. Do not make your passwords predictable
In 2013, the Defense Department's Research Agency (DARPA) released a study which revealed password patterns at a Fortune 100 company. The research showed that half of the passwords created used five common patterns. The three most common password structure patterns found were:
- One uppercase, five lowercase and three numbers (e.g. Digits123)
- One uppercase, six lowercase and two numbers (e.g. Digitus12)
- One uppercase, three lowercase and five numbers (e.g. Digs12345)
3. Create long passwords
On average it takes a hacker one week to crack a ten character password. Moreover, 15 character passwords will take 1.49 million centuries to solve. So, encourage users to create long passwords over shorter complex passwords.
- Strong passwords are between eight to 15 characters long
- Make your password difficult for others to understand
- Incorporate a combination of upper and lower case characters in your passwords
- Add numbers and symbols (# ! £) to your passwords
4. No dictionary words in your passwords
- Do not allow words from the dictionary in your passwords
Also, avoid phrases as passwords
- For example, the phrase ‘iloveyou’ is often used as a password which makes it not secure as it is too common
- Do not include names, places, slang or email addresses in your passwords
- The top five frequently used dictionary words used as passwords are:
5. Apply the passphrase method for creating passwords
Encourage users to think of a sentence such as:
Mary popped to the shops for butter and milk
Next, ask them to add the following modifications to translate the passphrase into a unique password:
- Capitalisation ABCD
- Numbers 1234
- Punctuation ?!
- Special characters £$%+
TOP TIP: Passphrase passwords are usually easier to remember than totally random passwords
BONUS TIP: Encourage users to create their own symbol replacement and capitalisation rules for all their passwords
6. Generate passwords
- One way to avoid weak passwords is to generate random passwords through a password tool
- However, they are usually not easy to remember, so store them in a password database. See step nine below
- Remember password managers can also be breached, exposing your passwords. Therefore, it is a good idea to remember a unique word (e.g. eight characters to add to the end of all generated passwords)
- Even if your password generator program becomes compromised, the attacker will only have access to part of your password
TOP TIP: Determine if adopting step five or six is best for your organisation. Alternatively, is it a case of determining the best use case by department? Whatever your decision, ensure that the employee knows which step to follow and has the tools to do so.
7. Never use the same password twice
- Using a single password across multiple systems makes it easier for hackers to seize control of numerous accounts
- Always create a different password
- See step nine for how to keep your passwords safe and easily stored
8. Deploy 2-factor authentication
- Stop a hacker from compromising your network by implementing 2-factor authentication, even if they have stolen your passwords
- 2-factor authentication adds a second layer of security beyond a password to your system
- Through 2-factor authentication technology, users require a code from a connected device before login is complete
- Read this related blog on 2-factor authentication to find out more
9. Adopt a password management system
- A password management tool can save passwords in one place
- Never add your passwords to a text file
- Password security databases are also available for mobile devices too
- Choose a supplier that offers encryption and authentication of data
- Consider a supplier that defends against ‘keylogging’ which occurs when a hacker connects to your machine and logs every keystroke and compromises that information. See blog on how to analyse a phishing emailto find out more
- Example password tools include: 1Password, KeePass or LastPass
- Ensure that all related employees have access to the password system
10. Do not disclose your passwords
- Never reveal your passwords to anyone
- Do not write down your passwords or passphrases
- Lock your computer and devices when you are away from them
- Keep your work and personal profiles separated from each other
- Change your passwords every 90-days
11. Do not save your passwords
- Stop employees from saving password on their devices
- It may seem convenient to log in without entering credentials automatically, but what happens if an employee leaves their device somewhere, or someone gains access to your office with the intention of committing a cybercrime?
- By saving passwords within a few clicks; your company data could be compromised
12. Security awareness training for employees
- Ensure your teams are trained on best practices when choosing passwords
- Adopt stringent password procedures across the company
- Invest in regular comprehensive security awareness training
Final thought on keeping your passwords safe and secure
If every member of your organisation follows the above best practice guidelines for creating passwords, and the company adopts a rigorous approach to policing the password policy(s), then your company will undoubtedly be forming a strong layer of defence against an ever-growing threat.
The latest strategies deployed by cybercriminals to breach an organisation are continually advancing in sophistication. Therefore, it is imperative that we the targeted match the level of effort and sophistication that the hackers provoke.