We create an account for almost everything we do online, and we have become so used to entering our personal details that we do it with less thought than before. With so many accounts demanding ever more complex passwords, it is hard not only to remember them but to keep inventing new ones. So, naturally, we take the path of least resistance and reuse the ones we have, despite knowing the risk of credential theft.
Large enterprises can spend significant sums on sophisticated cybersecurity defences, including AI and machine learning, but password security remains fundamental. Most regularly educate their employees about credential security, yet recent research by LastPass across seven countries suggests this is having little effect.
89% of people know the risks of using the same password,
but only 12% use different login details for separate accounts.
According to Verizon’s 2022 Data Breach Investigations Report, stolen credentials were involved in nearly 50% of breaches. ^ What’s more, their use has risen by almost 30% since 2017, confirming credential theft as one of the most reliable ways into your business data. ^
How do criminals gain access to legitimate password credentials?
People make mistakes, so employees will remain the weak point in any cybersecurity defence. Our comfort with the digital world has also bred a certain detachment about protecting our digital lives, and that detachment carries into the workplace as a considerable cybersecurity risk.
The extent to which we share our lives online only assists attackers. Our social accounts are a treasure trove of information, and not just raw data: together they build a picture of who we are as people, and that picture often includes where we work.
51% of people use the same passwords for both work and personal accounts. +
Once criminals have one password, they effectively have every account that reuses it: automated ‘credential stuffing’ tools replay leaked username and password pairs against thousands of other sites. For example, if an employee uses the same password for a compromised social account and for your organisation’s sensitive CRM system, they have unwittingly handed the criminals network access.
The easiest way to get someone’s legitimate login details is to have them tell you, which is why social engineering remains one of the most common attack methods. As we have grown more wary of traditional phishing, which asks for our details on fraudulent sites, criminals skip the form filling and install keyloggers instead: an employee who follows a malicious link ends up with spyware silently recording every keystroke, passwords included.
Cracking a password by guessing combinations may sound long-winded and outdated, but the automated tools now used in brute-force attacks can test up to 1 billion passwords every second.** That rate applies to offline cracking of a stolen database of password hashes; against a live login page, rate limiting and lockouts slow an attacker to a crawl, which is exactly why leaked hash databases are so valuable to criminals.
Despite our awareness of credential security, the top 25 most common passwords remain in use, ‘password’, ‘qwerty’ and ‘123456’ among them. In 2019, password security specialists Keeper published worrying findings from a study of ten million breached passwords: the top 25 accounted for over 50% of them, and ‘123456’ alone for almost 17%.
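To make the last two points concrete, here is an added example (not code from the original article) of the kind of check a sign-up form or password policy can run: it rejects anything in a breached-password list, enforces a minimum length, and reports how long an exhaustive search would take at the 1 billion guesses per second quoted above. The common-password set is a constructed subset for illustration; a real deployment would load a full breach list.

```python
import math
import string

# Constructed subset of the most common breached passwords, for illustration.
# A real deployment would load a full breach list (hundreds of millions of
# entries) or query a k-anonymity breach API instead.
COMMON_PASSWORDS = {
    "123456", "123456789", "qwerty", "password", "111111", "12345678",
    "abc123", "1234567", "password1", "letmein", "welcome", "iloveyou",
}
GUESSES_PER_SECOND = 1_000_000_000  # the offline cracking rate quoted in the text
MIN_LENGTH = 12


def charset_size(password: str) -> int:
    """Size of the smallest standard alphabet covering every character used."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # the 32 printable ASCII symbols
    return size


def search_space_bits(password: str) -> float:
    """log2 of the number of passwords of this length over this alphabet."""
    return len(password) * math.log2(charset_size(password))


def worst_case_crack_seconds(password: str) -> float:
    """Seconds to exhaust the whole search space at GUESSES_PER_SECOND.

    Only an upper bound, and only meaningful for a password chosen uniformly
    at random from that alphabet: human-chosen passwords fall to wordlist and
    mangling-rule attacks long before the space is exhausted.
    """
    return charset_size(password) ** len(password) / GUESSES_PER_SECOND


def assess(password: str) -> tuple[bool, str]:
    """Apply the policy: not a known-breached password, and at least MIN_LENGTH.

    The blocklist check is case-insensitive, so 'Password' and 'PASSWORD'
    are caught by the entry 'password'.
    """
    if password.lower() in COMMON_PASSWORDS:
        return False, "appears in the common-password list"
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    years = worst_case_crack_seconds(password) / (365.25 * 86400)
    return True, (f"accepted: {search_space_bits(password):.1f} bits, "
                  f"exhaustive search {years:.3g} years")


if __name__ == "__main__":
    for candidate in ["123456", "Password1", "Summer2022!", "xT4#9vLq!2pW"]:
        print(f"{candidate!r}: {assess(candidate)}")
```

The search-space figure is deliberately labelled an upper bound: ‘Summer2022!’ would be rejected here for length, but even a 12-character variant of it would fall in seconds to a wordlist with mangling rules, because it was not chosen at random.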
We’ve all spotted the handy check box that saves us from re-entering our login details on the same website. Whether that is safe depends on the browser used and the site visited; few of us would tick it for our bank, for example.
Less well known is that operating systems also store website and local account passwords automatically. Microsoft’s Credential Manager first appeared in Windows 7, but many users are unaware that it exists. Whilst it is handy if you have lost a password, it has been linked to security concerns: the stored credentials are protected only by the user’s own Windows login (through the Data Protection API), so any program running as that user, including malware, and anyone who obtains that user’s Windows password can read every entry back in clear text with freely available tools. You can see what a machine is holding with cmdkey /list at a command prompt, or from Control Panel under Credential Manager.
Password security best practice.
Your password management policy isn’t just a matter of informing your employees. According to Bitwarden’s 2022 annual global password management survey, almost all Britons (99%) say they are ‘very’ or ‘somewhat’ familiar with best practice for password complexity. We already know we should use 12 or more characters mixing random upper- and lower-case letters with numbers or symbols. We know we should update them and use separate details for each account. Yet we still don’t act on that knowledge.
Continued education remains vital nonetheless. As criminals find new ways to steal credentials, reminding employees about phishing, password management and the need to reset a compromised password is never wasted: accidental insider incidents remain the most prevalent.
59% of us still rely on memory for our login details. ^^ That almost certainly drives reuse, but with so many accounts to keep track of, memory alone is not enough: 32% of us save passwords in browsers, 26% keep a spreadsheet and over a quarter admit to writing them in a notepad or on a post-it. +
Practical, easy-to-use password manager software, often paired with single sign-on, is growing in popularity, but there are understandable questions about entrusting all of your logins to one login. Can password managers be hacked? Can password managers be trusted?
Most cyber-security specialists agree that the encrypted vault of a password manager is the safest way to protect credentials: it removes the reliance on memory and is far safer than that post-it note. The vault is encrypted with a key derived from your master password, so the master password must be long, unique and known only to you; the provider should never hold it.
Given the increased attack surface of hybrid working and the Internet of Things, some password managers add tools for the remote working environment, while others monitor the dark web for your data. Most importantly, look for strong encryption (a zero-knowledge design and a slow key-derivation function such as Argon2 or PBKDF2 with a high iteration count), support for multi-factor authentication on the vault itself, and a reliable, tested backup and recovery process.
Update passwords regularly.
As if thinking of a new password weren’t hard enough, traditional enterprise password guidance says we should change them every few months too. Current guidance from NIST (SP 800-63B) and the UK’s NCSC has moved away from routine expiry, which pushes people into predictable variations such as ‘Summer2022!’, and instead recommends changing a password promptly whenever there is any suspicion that it has been compromised.
Rather than a single word or number, a random string of memorable words, a passphrase such as ant.spider.beetle, may be easier to create. A favourite song is a poorer choice: well-known lyrics appear in cracking wordlists. Three words picked at random from a list of around 7,800 give roughly 39 bits of entropy; five or six words are a sounder target, and the words must be chosen at random, not by free association.
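An added example, not from the original article, of generating such a passphrase properly and measuring its strength. The wordlist embedded here is a constructed 32-word sample so the arithmetic is easy to follow; the 7,776-word figure is the size of the EFF long wordlist, assumed here as the realistic list a production generator would use.

```python
import math
import secrets

# Constructed 32-word sample list so the arithmetic is easy to follow: each
# word drawn from it adds log2(32) = 5 bits. A real generator uses a large
# published list; EFF_LONG_LIST_SIZE is the size of the EFF long wordlist.
WORDLIST = [
    "ant", "spider", "beetle", "anvil", "bridge", "candle", "dagger", "ember",
    "falcon", "garlic", "harbor", "island", "jigsaw", "kettle", "lantern",
    "marble", "needle", "orchid", "pepper", "quartz", "ribbon", "saddle",
    "timber", "umpire", "velvet", "walnut", "xenon", "yonder", "zipper",
    "acorn", "badger", "cobalt",
]
EFF_LONG_LIST_SIZE = 7776
GUESSES_PER_SECOND = 1_000_000_000  # the offline cracking rate quoted in the text


def passphrase_bits(word_count: int, list_size: int) -> float:
    """Entropy of word_count words drawn uniformly at random from list_size."""
    return word_count * math.log2(list_size)


def years_to_exhaust(bits: float) -> float:
    """Years needed to try every possibility at GUESSES_PER_SECOND."""
    return 2 ** bits / GUESSES_PER_SECOND / (365.25 * 86400)


def generate_passphrase(word_count: int = 6, wordlist=WORDLIST,
                        separator: str = ".") -> str:
    """Draw words with the OS CSPRNG. random.choice is seeded predictably and
    must not be used for secrets; secrets.choice is the right tool."""
    return separator.join(secrets.choice(wordlist) for _ in range(word_count))


if __name__ == "__main__":
    # ant.spider.beetle is 17 characters long, but if its words came from the
    # EFF list it carries only about 39 bits: the strength comes from how the
    # words were chosen, not from the character count.
    for n in (3, 5, 6):
        bits = passphrase_bits(n, EFF_LONG_LIST_SIZE)
        print(f"{n} words from {EFF_LONG_LIST_SIZE}: {bits:.1f} bits, "
              f"exhaustive search {years_to_exhaust(bits):.3g} years")
    print("sample:", generate_passphrase(6))
```

Note the contrast with a character-level estimate: judged by its 17 characters, ant.spider.beetle looks as strong as a random 17-character lowercase string, but an attacker who knows it is three dictionary words only has to search the word combinations.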
With access to your email, an attacker can simply click the ‘I’ve forgotten my password’ button on your other accounts and reset them, so your email account deserves the strongest protection of all. It is also a good idea to revisit your security questions: your mother’s maiden name is asked for frequently as a means of identity and is often discoverable from social media. Choose a different question from the dropdown list or, better, answer with a random string kept in your password manager.
Two-factor authentication requires more than one form of identification before granting access, and it can be cost-effective even for large corporations. The second factor might be a code sent by text or phone call, or generated by a linked authenticator app; of these, text and voice are the weakest, since they can be hijacked through SIM swapping, so prefer an app or a hardware security key where possible. 82% of UK respondents now use 2FA for workplace accounts. ^^
Lockout procedures aren’t new as a way of preventing password cracking, but higher-risk accounts or systems can be set to lock for longer, and privileged accounts can be set so that only IT can unlock them. This is less convenient for anyone who mistypes a password, and lockouts need pairing with rate limiting by source address so that an attacker who knows your usernames cannot lock everyone out on purpose, but it can prevent a data breach, the reputational damage that follows and an enormous fine from the ICO.
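An added example, not from the original article, of a progressive lockout policy of the kind just described: an automatic lock that doubles in length on each repeat, and privileged accounts (named in a hypothetical privileged set) that stay locked until IT unlocks them. The class, its thresholds and the account names are illustrative, not any particular product’s behaviour.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass
class AccountState:
    failures: int = 0             # consecutive failed attempts since last success
    lockouts: int = 0             # lockouts so far; each one doubles the next lock
    locked_until: float = 0.0     # unix time at which an automatic lock expires
    held_for_admin: bool = False  # privileged account: locked until IT unlocks it


class LockoutPolicy:
    """Progressive lockout. Thresholds and the privileged set are illustrative."""

    def __init__(self, threshold: int = 5, base_lock_seconds: int = 300,
                 privileged=(), clock: Callable[[], float] = time.time):
        self.threshold = threshold
        self.base_lock_seconds = base_lock_seconds
        self.privileged = frozenset(privileged)
        self.clock = clock  # injectable so the policy can be tested without sleeping
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str) -> bool:
        s = self._state(user)
        return s.held_for_admin or self.clock() < s.locked_until

    def attempt(self, user: str, verify_password: Callable[[], bool]):
        """Process one login. verify_password is only called when the account
        is not locked, so a locked account does no password work at all and
        gives no hint whether the guess was right. Returns (allowed, reason)."""
        s = self._state(user)
        if self.is_locked(user):
            return False, "locked"
        if verify_password():
            s.failures = 0
            return True, "ok"
        s.failures += 1
        if s.failures < self.threshold:
            return False, f"bad password ({self.threshold - s.failures} attempts left)"
        s.failures = 0
        s.lockouts += 1
        if user in self.privileged:
            s.held_for_admin = True
            return False, "locked pending manual unlock"
        duration = self.base_lock_seconds * 2 ** (s.lockouts - 1)
        s.locked_until = self.clock() + duration
        return False, f"locked for {duration}s"

    def admin_unlock(self, user: str) -> None:
        """IT-only action. Clears the lock but keeps the lockout count, so the
        escalation history survives an unlock."""
        self.accounts[user] = AccountState(lockouts=self._state(user).lockouts)


if __name__ == "__main__":
    policy = LockoutPolicy(threshold=3, base_lock_seconds=60, privileged={"admin"})
    for _ in range(4):
        print("alice:", policy.attempt("alice", lambda: False))
    for _ in range(3):
        print("admin:", policy.attempt("admin", lambda: False))
    policy.admin_unlock("admin")
    print("admin after IT unlock:", policy.attempt("admin", lambda: True))
```

Two design points are worth noting: the lock is checked before the password is verified, so a locked account leaks nothing about the guess, and the ‘locked’ responses reveal that the account exists, which is why a production system pairs this with per-source rate limiting and a generic error message on the login page.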
Erase all password data.
Fortunately, the importance of sustainability and the circular economy is now recognised, and more and more businesses are choosing a reduce, reuse and recycle approach to their technology. Whether you’re purchasing recommerce devices, upgrading and redeploying, donating or looking to sell redundant IT assets, proper data sanitisation must be employed.
Stored credentials aren’t necessarily removed by a factory reset and can remain within application data or the operating system. This is one of the biggest ITAD mistakes: a great deal of information can still be recovered from end-of-life IT assets. Secure IT asset disposal services not only ensure complete data erasure but also provide a chain of custody, and data erasure services supply a certificate for every sanitised device to support your compliance with both data protection and e-waste legislation. Make sure this extends beyond company laptops and desktops: external hard drives, smartphones and other mobile devices should also go through your ITAD supplier so that they are guaranteed unreadable.
With the spread of biometric scanning, you wouldn’t be alone in thinking that traditional passwords will soon be a thing of the past. That is unlikely: biometric data cannot be changed once it has leaked, and the cost of enrolling employees and storing their biometric data securely is largely prohibitive.
Implementing password security best practice is not as simple as asking teams to do so. By providing easy-to-use password managers and multi-factor authentication that demands minimal effort, you can remove the barriers to collective adoption. And to ensure that saved login details of any kind do not remain hidden on a data-bearing device, it is always a good idea to permanently erase all redundant IT equipment through a trusted ITAD partner before the asset is resold, redeployed or recycled.
Password security best practice simply isn’t user-friendly, which explains the current gap between knowledge and action and the substantial data governance challenge it leaves CISOs to overcome. That employees are aware is, however, a crucial first step from which progress can be made.
Sources for the figures marked above: * GenmarIT, ^ TechTarget, + DataProt, ** NordPass, ^^ Bitwarden.
tier1 Group are proud to provide a fully circular approach to environmentally friendly ITAD.
Helping you meet some of the biggest challenges in data governance, we guarantee the complete and secure data erasure of sensitive password credentials, which may be unknowingly stored on a device. Not only will this ensure your legal compliance but will also deliver peace of mind when you redeploy, sell or recycle components for remanufacturing.
To find out more about our secure data wiping services and how we can help you protect company data – contact us on 0161 777 1000 (Manchester), 01621 484380 (Maldon) or visit www.tier1.com
Further reading: PassCamp, GenmarIT, Business Leader, Cypress Data Defense, Easy Tech Junkie, Digital Guardian, Cybernews, NordPass, PassWarden, MakeUseOf, Verizon, TechTarget, PC Magazine, LastPass, Bitwarden, DataProt, Keeper, Veracode, Avast.