Ask your IT chief about the weakest link in your organization’s cybersecurity, and you will receive a quick answer: employees. In cyberspace, passwords guard access to systems, email accounts and websites. Like the speakeasies of old, you need to know the password to get in.
But with password authentication everywhere, people suffer password fatigue. People need dozens of passwords in both their professional and personal lives. The experts say passwords must be long, complex and different. Yet faced with the challenge of remembering them all, many of us succumb to cutting corners.
Employees like to use easy-to-remember passwords. (They might even write them down on post-it notes and stick them on their monitor.) Unfortunately, they often use the same password for multiple sites and systems. But an easy password takes hackers less than a second to crack, and if the user has used that same password in several places, each of those sites or systems is compromised.
Here is a statistic to get your attention: 80 percent of cyberattacks target authentication credentials, according to Brad LaPorte at High Tide Advisors. It is the easiest way in.
And according to an annual survey by digital security provider NordPass, people still use “12345678” or “Password1” as their password! Maybe your staff avoids those. Instead, they use their name and birth date or your company’s name with the month and year they joined. Some even cleverly substitute a “3” for an “E” or a “1” for an “l.” They are like a middle schooler guarding the basket against an NBA player.
Bad actors are not pimply-faced teenagers manually keying one password after another. Cybercriminals are pimply-faced 20-something pros who automate their attacks. Programs can run thousands of passwords against you in minutes, attempting to break in. Yet people too often don’t even make it challenging. According to InfoSecurity Magazine, 59 percent of people use their name or birth date in their passwords.
One form of attack is called brute force, a numbers game in which a programmed bot “guesses” password after password. It begins with those easy passwords, which can take under a second to guess and breach. A dictionary attack tests actual words, which are finite in number relative to the enormous number of possible assorted random characters you might have used. Note that a programmed dictionary attack will also look for a “3” substituted for an “E.”
In another approach, hackers use lists of passwords purchased on the dark web (sourced from all those corporate security breaches) and run them against a target until they score a hit. Such lists point up the risk for those who use the same password for several different sites and systems. Someone’s already got your password.
Hackers are opportunists and will exploit any targets they can easily breach. But if a company’s systems are sufficiently hardened, the bad guys will move on, except for state actors on a mission. Generally, everyone prefers low-hanging fruit. And all that notwithstanding, remember there are internal fraud perpetrators able to read sticky notes on monitors too.
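To put numbers on the game described above, here is an added example (not code from the original article) that computes the search space a brute-force attack faces for the kinds of passwords mentioned, how many bits of entropy that represents, and how long exhausting it would take at an assumed guess rate; it also quantifies the length and alphabet points in the list that follows. The dictionary size, word-list size and guess rate are constructed figures for the illustration, not values from the article.

```python
"""Size of the search space a brute-force or dictionary attack must cover,
and how fast it grows with password length and alphabet size."""
import math

# Alphabet sizes: the article's 10 digits and 26 letters; 95 is the printable
# ASCII set (upper, lower, digits, symbols), my assumption for "complex" passwords.
ALPHABETS = {"digits": 10, "lowercase": 26, "printable": 95}

# Constructed figures for the illustration (not from the article): roughly
# 170,000 dictionary headwords, a 7,776-word passphrase list, and an offline
# cracking rate of 10^10 guesses per second against a weak hash.
DICTIONARY_WORDS = 170_000
WORDLIST = 7_776
GUESSES_PER_SECOND = 1e10


def search_space(alphabet_size, length):
    """Candidates an exhaustive attack must try: alphabet_size ** length."""
    return alphabet_size ** length


def entropy_bits(candidates):
    """Bits of entropy equivalent to a uniformly random choice among candidates."""
    return math.log2(candidates)


def seconds_to_exhaust(candidates, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every candidate at the given guess rate."""
    return candidates / rate


def growth_per_char(alphabet_size, length):
    """Adding one character multiplies the space by the alphabet size (it does not add to it)."""
    return search_space(alphabet_size, length + 1) // search_space(alphabet_size, length)


def passphrase_space(words):
    """Candidates for `words` words drawn at random from the assumed word list."""
    return WORDLIST ** words


def report():
    """Rows of (label, candidates, bits, seconds at the assumed rate) for the article's cases."""
    cases = [
        ("six digits like 470982", search_space(ALPHABETS["digits"], 6)),
        ("six lowercase letters like tomato", search_space(ALPHABETS["lowercase"], 6)),
        ("any dictionary word, times 8 leet variants", DICTIONARY_WORDS * 8),
        ("8 random printable characters", search_space(ALPHABETS["printable"], 8)),
        ("14 random printable characters", search_space(ALPHABETS["printable"], 14)),
        ("4 random words from a 7,776-word list", passphrase_space(4)),
        ("5 random words from a 7,776-word list", passphrase_space(5)),
    ]
    return [(label, n, round(entropy_bits(n), 1), seconds_to_exhaust(n)) for label, n in cases]


if __name__ == "__main__":
    for label, n, bits, secs in report():
        print(f"{label:45s} {n:>10.3g} candidates {bits:6.1f} bits {secs / 86400:10.3g} days")
```

The table makes the article's two points concrete: a dictionary, even with every "3"-for-"E" variant, is far smaller than the space of six random letters, and each added character multiplies the attacker's work by the alphabet size rather than adding to it. It also shows a caveat worth knowing: four words chosen at random from a 7,776-word list are roughly equivalent to eight random printable characters, so the passphrase advantage comes from being able to remember five or more words, not from words being magic.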
Password Protection for Systems (including Vendor Files)
The National Institute of Standards and Technology (NIST) periodically publishes guidelines for better password security, and several security specialists offer password guidance alongside their security audits and protection systems. Here are nine ways to strengthen your user authentication.
- Complex passwords: Simple passwords are quickly compromised. Users should never use their names, for example, or their birthdate (social media sites announce people’s birthdays every day). Passwords are complex when they mix upper and lower case letters, numbers and special characters. However, as noted above, you want to avoid relying on substituting numerals or characters for letters, since attackers’ tools test those substitutions too.
- Minimum password length: A password should be long. While the standard has been eight characters, a better minimum is 14 characters. Longer passwords are stronger than shorter ones. Each additional character in a password adds exponentially to the challenge of guessing it.
- The alphabet advantage: Because there are 26 letters in our alphabet but only ten numerical digits, “tomato” is more challenging to crack than “470982.” (Nevertheless, “tomato” is a word in the dictionary, so it is not a good password.)
- Passphrases: Security experts recommend using passphrases rather than passwords. Phrases are longer but can be easier to remember while harder to crack. However, “Maytheforcebewithyou” is not a secure passphrase! Avoid popular catchphrases. Instead, select three or four unrelated but meaningful-to-you words. You can remember them, but they are very challenging to guess.
- Password generators: You can use a password generator to provide solid, random passwords for you, though you’ll also want a good password manager to keep track of them, as they are impossible to remember.
- Resets: While mandatory periodic password resets had been a recommended practice, NIST says longer passwords or passphrases do not require frequent resets. Still, experts recommend resets, though the intervals between them can be longer. When resetting passwords, don’t merely “increment” the old password by changing a numeral at the end. And do not alternate back to a prior password. The reset must be a new password or phrase to be secure.
- Do not share: A password is like a toothbrush, not meant to be shared. The experts say share your password with no one. Not your BFF, not your boss, and not your mother!
- Different passwords for each authentication: This is hard, but when you use a password in more than one place, you seriously increase your risk. Breaches will continue to happen. Once a criminal gets a password, they can and will try it to access other accounts and systems.
- Use 2FA or MFA: Wherever possible, use two-factor or multi-factor authentication. That typically involves sending a confirmation code to a smartphone or requiring biometric authentication (such as providing your fingerprint). With MFA, a password compromise is not enough for the hacker to get into the account or system. So MFA is a powerful security tool to protect your organization and yourself.
There are additional steps your IT department can and should take. The recommendations above are steps everyone can take to protect their organization, their data (including their vendor data) and their accounts from criminals. We log in many times a day, in many places, but must not lose sight of how critical security is. A breach can significantly damage an organization, its employees, vendors and customers, with legal, financial and reputational costs.
To find out how VendorInfo can help you protect your vendor information, let’s talk.