We all know that password security is important—especially in an office. But our users’ personal account passwords aren’t always top-of-mind when we think of office network and data security. They ought to be, because every user survey I’ve ever seen scares the crap out of me. It should scare you too.
Security experts have been warning us for more than 20 years that the most common passwords people use online provide next to NO barrier to intrusion by hackers. We collectively smirk and grin, and probably wonder who these silly people are who think they’re securing their online accounts with such ridiculously simple passwords. “Stoopid people”, right?
Well, the joke’s on those of us who manage an office with users who access the office network at work or from home. Let me explain, but first, take a close look at SplashData’s January 2016 Annual List of the 25 Most Common Hacked Passwords…
[SplashData’s table of the 25 most common passwords, with a “Change from 2013” column for each entry, is not reproduced here.]
Yes, it looks just like the list of the most common passwords we saw three years ago, and the one three years before that. Why aren't people "getting it"?
If one of these passwords is yours, you might be an idiot.
Or maybe you’re just like millions of other lazy users who have a hard time remembering strong passwords ‘cause it’s a hassle. And you really believe your password is unique and hard to crack, right?
Well, it might surprise you how easy passwords really are to crack.
Just how easily ARE passwords cracked?
We found a number of password calculators online designed to show people how weak most passwords are. You simply type in a password and they show you how secure it might be.
This first site, “How Secure Is My Password”, shows you how long it would normally take a hacker to crack your password. For example, almost any random string of 8 letters will take ABOUT 7 SECONDS OR LESS!
Try it out yourself with your favourite passwords: https://howsecureismypassword.net/
(Better yet, share this post with friends and colleagues and suggest they try it out too).
If you are a more technical reader who wants more details, you might like GRC's Interactive Brute Force Password “Search Space” Calculator here: https://www.grc.com/haystack.htm
Here is what I found at “How Secure Is My Password” with what might look like a pretty safe mix of letters and numbers:
[Screenshots of the calculator’s results are not reproduced here; their captions were:]
Forget using number sequences.
Six characters mixed were used too.
Adding a special symbol didn't help much.
Changing 1 letter to CAPS is better, but still bad.
Adding an 8th character helps a little more.
Then 9 mixed characters was a lot more effective.
However, to a hacker, 3 hours or 6 hours is nothing when using software hacking tools launched from one or more zombie computers. It's all automated for them.
For a secure password, you need a minimum of 9 characters with mixed CAPS, numbers and special symbols.
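To show why each of those steps mattered, here is an added example (not from the original post) that works through the same search-space arithmetic GRC's haystack calculator uses: the alphabet is the union of the character classes a password draws from, and an exhaustive search has to cover every length up to the password's. The guess rate and the sample passwords are constructed assumptions. Note that this counts brute force only; a dictionary word with a digit tacked on falls far faster, so 9 characters is a floor for randomly chosen characters, not for words.

```python
import string

# Character classes as the post's screenshots distinguish them:
# lowercase letters, CAPS, numbers and special symbols.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

def alphabet_size(password):
    """Alphabet an attacker must cover: the union of every class the
    password uses (26 lowercase, 26 CAPS, 10 digits, 32 symbols)."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))

def search_space(password):
    """Candidates an exhaustive search must try, counting every length up
    to len(password), the way GRC's haystack calculator counts them."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))

def time_to_exhaust(password, guesses_per_second):
    """Worst-case seconds to exhaust the whole space at a given guess rate."""
    return search_space(password) / guesses_per_second

def human(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return "%.1f %s" % (seconds / size, unit)
    return "%.1f seconds" % seconds

if __name__ == "__main__":
    # ASSUMED rate for an offline attack on a fast unsalted hash; adjust to taste.
    RATE = 1e10
    # Constructed samples mirroring the post's sequence of experiments.
    for label, pw in [("6 numbers", "123456"),
                      ("6 mixed letters+numbers", "abc123"),
                      ("6 mixed + symbol", "ab12!c"),
                      ("6 mixed + symbol + 1 CAP", "Ab12!c"),
                      ("8 mixed + symbol + CAP", "Ab12!cde"),
                      ("9 mixed + symbol + CAP", "Ab12!cde9")]:
        print("%-28s %s" % (label, human(time_to_exhaust(pw, RATE))))
```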
Okay, so most of you still reading are thinking “DUH! I knew this a long time ago”.
What I’d like to know is, of the more than 2 million people in North America who DID have a password hacked last year, how many work in your office?
This is a relevant question. Why?
If someone in your office is not using a strong password, they are at risk of getting hacked. But maybe you’re not worried because we’re talking about some other Jack’s personal online accounts, right?
Well, here’s another scary fact: hackers aren’t really interested in anyone’s Facebook account for fun. Their endgame is getting access to ALL of that person’s accounts: bank accounts, email accounts, PayPal, credit cards and others.
Hackers know that most people tend to use the same single password, or variation, for all their online accounts. Once they discover a single account password, they load up other automated hacking software tools that will try their username and password combination on tens of thousands of different consumer and corporate websites.
Just as important, they’ll find out where the victim works, because they want access to your company networks too. It’s an easy way to gain access so they can create zombie computers and install viruses and other malicious software, including ransomware (the fastest growing area of cybercrime today).
So here's the point: if we want to strengthen our networks against some common hacker intrusion methods, we need to start teaching our users safe password habits for work and at home.
Because for many corporate hackers, access begins at home.
The first line of defence for companies against simple intrusion via hacked passwords is to enforce a strict strong-password policy on your own networks. Then force users to change those passwords on a regular basis. You need to make users create complex passwords with letters, numbers and symbols, at least 9 characters long. If you’re not doing this today, make a note right now to discuss it at your earliest convenience.
Two-factor authentication adds a second means of identification to give business systems another layer of security.
A unique password is the first factor, and the second factor is usually something else only the user has, to confirm their identity. Common second factors are fingerprints or a PIN. Techtarget.com has an excellent 2FA description on their website.
It’s up to all of us to teach employees and other network users safe internet habits—for work AND their personal use, especially because their poor passwords put our own network security at risk. According to the evidence, we’re obviously not doing a good job of that yet.
Safe password habits for everyone include:
DO NOT use weak, easy-to-guess or simple sequences as passwords on any online business or personal websites;
DO NOT write passwords down and leave them in places where others can copy them;
DO NOT share any passwords with anyone, ever;
DO create passwords at least 9 characters long, and include caps, numbers and special symbols;
DO create a different password for every online site used;
DO change passwords regularly.
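As an added example (not from the original post), here is a Python checker that enforces the DO / DO NOT list above the way a network login or account-creation form could: at least 9 characters, CAPS, numbers and special symbols, no simple sequences, and nothing on the common-password list or a "variation" of it (case changes plus digits or symbols tacked on the end). The blocklist is a constructed sample standing in for the full SplashData list.

```python
import string

MIN_LENGTH = 9  # the post's minimum

# Constructed sample blocklist; a stand-in for the full SplashData list.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "football"}

def has_sequence(pw, run=4):
    """True if `run` neighbouring characters step by exactly +1 or -1 in
    code point, e.g. '1234', 'abcd', '4321' (the post's 'simple sequences')."""
    for i in range(len(pw) - run + 1):
        window = pw[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False

def is_common_variant(pw):
    """Catch a common password itself and the usual variation of it:
    case changes plus digits/symbols appended (e.g. 'Password1!')."""
    lowered = pw.lower()
    core = lowered.rstrip(string.digits + string.punctuation)
    return lowered in COMMON_PASSWORDS or core in COMMON_PASSWORDS

def check_password(pw):
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c in string.ascii_uppercase for c in pw):
        problems.append("no capital letter")
    if not any(c in string.digits for c in pw):
        problems.append("no number")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special symbol")
    if is_common_variant(pw):
        problems.append("matches a common password or a variation of one")
    if has_sequence(pw):
        problems.append("contains a simple sequence")
    return problems

if __name__ == "__main__":
    # Constructed samples: two 'variations' users think are strong, one
    # obviously weak password, and one that passes every rule.
    for pw in ("Password1!", "Abcd1234!", "short", "Tr0ub&dor9z"):
        verdict = check_password(pw)
        print("%-12s %s" % (pw, "OK" if not verdict else "; ".join(verdict)))
```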
A Password Manager is a software application that helps a user store and organize passwords. They can be cloud based, self-hosted server based, or a personal desktop or smartphone app.
You should also know that there are personal password managers for individual and private use, and other password managers with features designed more for corporate, project-team and enterprise use.
Since there is such a large variety of them, with different strengths and weaknesses, it pays to start with a little research first.
Password Managers for Business Use
Here is an excellent comparison of password managers for corporate and enterprise users (published in 2015 but still a good resource).
From our own personal experience, we could easily recommend these two excellent apps for most companies to try out:
Password Managers for Personal Use
For individuals, employees, private users and everyone else, Consumer Affairs has a great up-to-date review of the Top 10 Best Rated Password Managers. Most are inexpensive and some are free.