If you learned about a potential hazard in your office, let's say a slippery floor, that threatened the well-being of your employees, you would act to address the issue immediately, right?
You put out a “CAUTION WET FLOOR” sign, and save the day… no one gets hurt… Yay!
However, there are just as many invisible threats that often go unexamined until it’s too late. Today we will discuss one such threat that costs companies worldwide billions of dollars per year:
Poor password security.
Compromised passwords account for more than 80% of hacking-related corporate breaches (2018 Verizon Data Breach Investigations Report). And these breaches cost US companies, on average, $7 million each (Ponemon Institute Cost of a Data Breach Study 2018). That doesn't even include less measurable impacts such as loss of customer trust and brand value. For instance, Yahoo is said to have lost $1 billion in valuation (during its sale to Verizon) when it announced the details of a 2014 data breach affecting 500 million users.
There are 4 common password security mistakes that lie behind a large share of security breaches. In this article, we will examine each one and provide solutions to ensure that you don't fall victim to an avoidable cyber-tragedy.
Mistake #1 — Choosing Weak Passwords
Here is a list of the top 15 most commonly used passwords in 2017 according to a survey conducted by SplashData:
Yup, those are the passwords protecting your critical assets…
You may be thinking, “there’s no way anyone would use those passwords on their company accounts”.
Think again. In 2017, for instance, security researchers found that an Equifax employee portal in Argentina accepted the username / password combination admin / admin (#11 on the common passwords list above). That portal was not the entry point of the main Equifax breach that year, which came through an unpatched Apache Struts vulnerability, but it shows how default credentials survive in even the largest enterprises.
Of course, that's a blatant example where the password was trivial to guess. However, even a password that looks well thought through can be cracked quickly if it is built from a dictionary word. Cracking tools run wordlists through mangling rules (capitalization, leet substitutions such as a to @ and o to 0, appended digits and symbols) and, on GPU hardware against fast unsalted hashes such as SHA-1, test billions of guesses per second. Most "Password1!"-style choices fall in minutes or hours, and because an unsalted dump lets one guess be checked against every account at once, the cost of cracking does not grow with the number of accounts.
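To make that concrete, here is an added example (not from the original article) of the rule-based dictionary attack that cracking tools such as Hashcat and John the Ripper automate. The usernames, passwords and the six-word list are constructed for the demo, and the "dump" is unsalted SHA-1, the scheme LinkedIn used in 2012. Three accounts use a dictionary word dressed up with rules; the fourth uses a long multi-word passphrase that the rules never produce.

```python
import hashlib

# Constructed six-word list; real attacks use lists of millions of words
# drawn from dictionaries and earlier breaches.
WORDLIST = ["password", "welcome", "dragon", "football", "monkey", "letmein"]

# Rules in the style of a cracking tool's rule engine: case changes,
# leet substitutions and common suffixes.
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0"})
SUFFIXES = ["", "1", "123", "!", "1!", "2017", "2018"]


def mangle(word):
    """Yield the variants of one word that the rules above produce."""
    bases = {word, word.capitalize(), word.upper()}
    bases |= {b.translate(LEET) for b in list(bases)}
    for base in sorted(bases):
        for suffix in SUFFIXES:
            yield base + suffix


def sha1_hex(text):
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def crack(hashes, wordlist):
    """Return ({hash: plaintext}, guesses_made).

    Because the hashes are unsalted, each candidate hash is looked up against
    the whole dump at once, so the work does not grow with the dump size.
    """
    targets = set(hashes)
    found = {}
    guesses = 0
    for word in wordlist:
        for candidate in mangle(word):
            guesses += 1
            digest = sha1_hex(candidate)
            if digest in targets:
                found[digest] = candidate
    return found, guesses


# Constructed "breach dump": hypothetical users and their passwords, stored
# as unsalted SHA-1 (LinkedIn's 2012 scheme).
SAMPLE_ACCOUNTS = {
    "alice": "P@ssw0rd1",
    "bob": "Football2017",
    "carol": "W3lc0m3!",
    "dave": "two crows argue over one old fence",
}


def make_leak(accounts):
    return {user: sha1_hex(pw) for user, pw in accounts.items()}


def demo():
    """Crack the constructed dump; returns ({user: recovered password}, guesses)."""
    leak = make_leak(SAMPLE_ACCOUNTS)
    found, guesses = crack(leak.values(), WORDLIST)
    cracked = {user: found[h] for user, h in leak.items() if h in found}
    return cracked, guesses


if __name__ == "__main__":
    cracked, guesses = demo()
    print(f"{len(cracked)} of {len(SAMPLE_ACCOUNTS)} cracked in {guesses} guesses: {cracked}")
```

Three of the four accounts fall in a few hundred guesses; a real wordlist with thousands of rules scales the same way, which is why "dictionary word plus a digit and a symbol" is not a strong password. Salting each hash would force the attacker to repeat the work per account, and a slow password hash (bcrypt, scrypt, Argon2) would cut the guess rate by orders of magnitude, but neither helps a user whose password is on the list in the first place.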
Check out these tips on how to create strong passwords for your accounts (see video below). Then implement these best practices throughout your organization. Be sure to thoroughly educate your employees about password strength.
Mistake #2 — Not Changing Passwords Often Enough
In 2012, LinkedIn suffered a breach in which the password hashes of millions of users were posted online, where attackers got to work cracking them. The hashes were unsalted SHA-1, so a large share were cracked quickly. LinkedIn responded by forcing a password reset on the 6.5 million accounts whose hashes had appeared.
In 2016, it emerged that the breach was far larger than first reported: about 117 million accounts.
For four years, more than 100 million people were using compromised passwords that LinkedIn had never reset, opening their accounts (and any other account sharing the same password) to incredible risk. For those who frequently rotate their passwords, this wouldn't have been an issue. However, the vast majority of people don't.
Rotate passwords on a schedule your organization can actually enforce (the common rule of thumb is every 30-90 days), set up automated reminders for your employees, and above all force a reset the moment a breach is reported. One caveat: NIST SP 800-63B (2017) no longer recommends arbitrary periodic rotation for ordinary user passwords, because it tends to produce predictable sequences such as Spring2018! becoming Summer2018!; it calls instead for a forced change on evidence of compromise and for screening new passwords against lists of known-breached ones. For highly privileged and shared accounts (domain administrator, root, local administrator, service accounts, etc.), rotate far more frequently, ideally after every use, by checking them out of a privileged access management vault that issues one-time passwords.
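The compromise-driven complement to calendar rotation is to check whether a password has already appeared in a breach dump. Here is an added example (not part of the original article) of the k-anonymity check used by the Have I Been Pwned "Pwned Passwords" range API: the client sends only the first five hex characters of the SHA-1 and compares the rest locally. The HTTP call itself is not made here; the fetch function is injected, and a constructed offline corpus with made-up counts stands in for the service so the check runs stand-alone.

```python
import hashlib

# Range responses use the line format of the Pwned Passwords API
# (GET https://api.pwnedpasswords.com/range/<first 5 hex of SHA-1>):
# one "SUFFIX:COUNT" per line. fetch_range is injected so the example runs
# offline; in production it would issue that GET and return the body.


def sha1_prefix_suffix(password):
    """Split the uppercase SHA-1 of the password into the 5-character prefix
    that goes over the wire and the 35-character suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix, range_response):
    """Find our suffix in a 'SUFFIX:COUNT' range response; 0 if absent."""
    for line in range_response.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate == suffix:
            return int(count)
    return 0


def breach_count(password, fetch_range):
    """How many times the password appears in the breach corpus. Only a
    20-bit prefix leaves the client, and every range holds hundreds of
    suffixes, so the service cannot tell which password was checked."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(suffix, fetch_range(prefix))


def make_offline_range_source(breached):
    """Constructed stand-in for the API: breached maps plaintext -> count.
    Returns fetch(prefix) -> response text in the API's line format."""
    table = {}
    for pw, n in breached.items():
        prefix, suffix = sha1_prefix_suffix(pw)
        table.setdefault(prefix, []).append(f"{suffix}:{n}")
    return lambda prefix: "\r\n".join(table.get(prefix, []))


# Constructed corpus standing in for cracked dump passwords (counts made up).
BREACHED = {"linkedin": 172523, "password": 3645804, "Summer2012!": 42}


def evaluate(password, fetch_range=None):
    """Policy decision at set/reset time and at login for existing users:
    anything seen in a breach is rejected and the user is made to change it,
    whatever the rotation calendar says."""
    if fetch_range is None:
        fetch_range = make_offline_range_source(BREACHED)
    seen = breach_count(password, fetch_range)
    return {"compromised": seen > 0, "seen": seen}


if __name__ == "__main__":
    for pw in ("Summer2012!", "two crows argue over one old fence"):
        print(pw, evaluate(pw))
```

Running the same check against existing accounts at login time, not only when a password is set, is what would have caught the LinkedIn victims during the four years before the full dump surfaced.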
Mistake #3 — Using the Same Password On Multiple Sites
According to a survey conducted by SecureAuth, 81% of people reuse passwords for multiple accounts. That number rises to 92% for millennials.
To understand why this is so troubling, let’s revisit the 2012 LinkedIn incident.
One of the accounts exposed in that breach belonged to a Dropbox employee who used the same password for his personal LinkedIn account and his Dropbox work account. Attackers used the stolen LinkedIn password to log in to his work account and retrieve a project document containing Dropbox user e-mail addresses. That is the origin of the infamous Dropbox breach, whose full extent (credentials for more than 60 million user accounts) only became public in 2016.
Telling your employees not to reuse passwords is a tough sell: nobody wants to remember dozens of different complex passwords, and you have no control over the passwords they pick for personal apps. Thankfully, you can get both ease of use and better security by putting all of your company's apps behind federated single sign-on (SSO) with multi-factor authentication (MFA). Employees then have one strong login, with policy and MFA enforced centrally by the identity provider, that grants seamless access to the resources they need; a password manager covers whatever sits outside SSO. Since that one identity now unlocks everything, the identity provider account itself must require MFA, and a reused password on it is the worst case of all.
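Leaked credentials from one site are replayed against others at scale, a pattern known as credential stuffing, and it leaves a distinctive trace in authentication logs: one source address trying many different usernames with a high failure rate, with the occasional success marking an account whose owner reused a leaked password. The following detection logic is an added example, not from the original article; the log format and the sample lines are constructed, using documentation IP ranges, and the thresholds are assumptions a SOC would tune to its own traffic.

```python
import re
from collections import defaultdict

# Constructed log format: one authentication event per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: a normal user mistyping once from 198.51.100.23, and a
# stuffing run from 203.0.113.7 walking a leaked list through seven accounts.
SAMPLE_LOG = """\
2018-05-02T10:01:13Z src=198.51.100.23 user=alice result=FAIL
2018-05-02T10:01:20Z src=198.51.100.23 user=alice result=OK
2018-05-02T10:02:01Z src=203.0.113.7 user=alice result=FAIL
2018-05-02T10:02:02Z src=203.0.113.7 user=bob result=FAIL
2018-05-02T10:02:02Z src=203.0.113.7 user=carol result=FAIL
2018-05-02T10:02:03Z src=203.0.113.7 user=dave result=OK
2018-05-02T10:02:03Z src=203.0.113.7 user=erin result=FAIL
2018-05-02T10:02:04Z src=203.0.113.7 user=frank result=FAIL
2018-05-02T10:02:04Z src=203.0.113.7 user=grace result=FAIL
2018-05-02T10:05:40Z src=198.51.100.88 user=bob result=OK
"""


def parse(log_text):
    """Return a list of event dicts, skipping lines that do not match."""
    events = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line.strip())
        if match:
            events.append(match.groupdict())
    return events


def per_source_stats(events):
    """Aggregate attempts, distinct usernames, failures and successful
    usernames per source address."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "fails": 0, "hits": []})
    for event in events:
        s = stats[event["ip"]]
        s["attempts"] += 1
        s["users"].add(event["user"])
        if event["result"] == "FAIL":
            s["fails"] += 1
        else:
            s["hits"].append(event["user"])
    return stats


def flag_credential_stuffing(events, min_users=5, min_fail_ratio=0.7):
    """A person who forgets a password retries one account; a stuffing tool
    walks a list through many accounts, so distinct users per source and the
    failure ratio both climb. Returns {ip: [accounts that succeeded]} for
    flagged sources; the successes are the accounts whose reused password the
    attacker now holds and that need an immediate reset."""
    flagged = {}
    for ip, s in per_source_stats(events).items():
        ratio = s["fails"] / s["attempts"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = sorted(s["hits"])
    return flagged


if __name__ == "__main__":
    print(flag_credential_stuffing(parse(SAMPLE_LOG)))
```

In the sample, 203.0.113.7 is flagged with dave's account as the one hit; the response is to block or rate-limit the source, reset dave's password, and review what that session touched. With SSO and MFA in place the stuffing run still shows up in the identity provider's logs, but the successful password alone no longer completes the login.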
Mistake #4 — Not Using Multi-Factor Authentication
So far, we’ve primarily discussed strategies to ensure that you are practicing proper password hygiene. But what happens if an attacker gets to your passwords through phishing or some other form of social engineering?
If you’re using passwords alone to protect your information systems, then one compromised set of credentials could spell disaster for your company.
This is what happened in the Yahoo breach mentioned above, which is said to have cost the company $1 billion in its sale to Verizon: the intrusion reportedly began with a spear-phishing e-mail to a Yahoo employee, and a password alone was all that stood between the attackers and the network.
Enable multi-factor authentication (MFA) for all of your apps. MFA adds a second challenge when users log in, and the second factor must come from a different category than the password: something they have (a phone that receives a one-time passcode or push notification, or a hardware security key) or something they are (a biometric such as a fingerprint). The answer to a security question is just another "something they know", so a password plus a security question is not true multi-factor authentication.
Imagine that an attacker has stolen one of your employees' passwords, one that grants admin access to critical network resources. Without the employee's phone or security key, the login cannot be completed, and you have just averted a major IT crisis. One caveat: one-time codes sent by SMS or shown by an app can still be captured by a real-time phishing page that relays them to the real site, and push notifications can be approved by a tired user; for administrators and other high-value accounts, prefer phishing-resistant factors such as FIDO2/WebAuthn security keys, which are bound to the legitimate site's origin.
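To show what the "something they have" factor actually computes, here is an added example (not from the original article) of the time-based one-time password algorithm, TOTP (RFC 6238), that authenticator apps use, together with the server-side verification a practitioner has to get right: a small skew window, a constant-time comparison, and rejection of replayed codes. The shared secret is the one from the RFC's published test vectors; a real enrolment generates 20 random bytes and shows them to the user as base32 in the QR code.

```python
import hashlib
import hmac
import struct
import time


def hotp(key, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, then the low `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key, at_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(key, int(at_time) // step, digits)


class TotpVerifier:
    """Server-side check. Accepts the current step plus `window` steps either
    side for clock skew, compares in constant time, and never accepts a
    counter at or below the last accepted one, so a phished or shoulder-surfed
    code cannot be replayed within its validity window."""

    def __init__(self, key, window=1, step=30, digits=6):
        self.key, self.window, self.step, self.digits = key, window, step, digits
        self.last_counter = -1

    def verify(self, code, at_time=None):
        at_time = time.time() if at_time is None else at_time
        counter = int(at_time) // self.step
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_counter:
                continue  # already used (or older than a used code): replay
            if hmac.compare_digest(hotp(self.key, c, self.digits), str(code)):
                self.last_counter = c
                return True
        return False


# Shared secret from the RFC 6238 test vectors (ASCII "12345678901234567890").
RFC_KEY = b"12345678901234567890"

if __name__ == "__main__":
    # RFC 6238 vectors: T=59 -> 94287082, T=1111111109 -> 07081804 (8 digits)
    print(totp(RFC_KEY, 59, digits=8), totp(RFC_KEY, 1111111109, digits=8))
    v = TotpVerifier(RFC_KEY)
    code = totp(RFC_KEY, 59)
    print(v.verify(code, 89), v.verify(code, 89))  # True, then False (replay)
```

The replay check is the part most home-grown verifiers omit; without it, a code lifted by a phishing relay stays valid for the rest of the step plus the skew window. Note also that the whole scheme rests on the 20-byte secret: it must be stored as carefully as a password hash, since anyone who reads it can generate codes at will.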
If you address these 4 common password security mistakes, then you will be on track to reduce your IT risk and protect your company against some of the most prevalent cyber threats.
If you'd like some expert help tackling these tasks, check out our enterprise password management services. We are a managed security services provider (MSSP) that specializes in Identity and Access Management (IAM), and we have a great deal of experience helping organizations worldwide secure their information systems against cyber threats.