While cyber security threats are growing all the time, it remains the case that many breaches can ultimately be traced back to human error. Whether it's mistakes in configuring servers or being tricked by phishing emails, the human element is the weak link in many businesses.
But one of the most common problems is the continued use of weak and easily-guessed passwords by employees, and it seems this is an area where little progress is being made. Every year, security researchers release lists of the most common passwords, and every year, security professionals will get that sinking feeling as the same credentials pop up again and again.
While 'password' and its variations are common, recent figures from the UK's National Cyber Security Centre (NCSC) show there are a few even weaker combinations that crop up time and again. According to the security body, 'password' is actually only the fourth most commonly-chosen password, behind 123456, 123456789 and qwerty. And the consequences of this for businesses can be severe.
The perils of weak passwords
Weak passwords are one of the biggest security holes any organization can face. After all, if you're a hacker, why waste time working on complex new attacks when you can simply try out the most common password combinations along with known or easily-guessed usernames? For example, if your business uses a set format for usernames, such as firstinitial:lastname, it probably won't take long for a criminal with an automated bot to find someone with a weak password, particularly in larger companies.
In fact, figures from Verizon suggest more than four out of five hacking-related breaches (81%) used either stolen or weak passwords to gain entry. Given hacking is a feature in almost two-thirds of data breaches (62%) and the average breach in the US costs $8.19 million, this could mean poor passwords are costing organizations hundreds of millions of dollars a year in total.
It's not just weak passwords. Another problem is caused by people reusing passwords across multiple services, especially when this covers both their personal and working lives. You might have the toughest security measures on the market, but you can't account for other services.
If an employee is reusing a work password on a personal site such as a forum that has poor security, and that site gets breached, it's easy for hackers to try these stolen credentials across any other services. Given how many business functions will require logins - including CRM systems, emails, web servers and external sites such as marketing tools - the potential for data breaches from any one of these is huge, and if hackers can access all of them with just one password, they can do tremendous damage.
Workers failing to heed advice
Research from NCSC highlights that no matter how often people are warned about following good password practice, many employees simply won't listen, as they prefer the convenience of easily-remembered and quick-to-enter passwords over security.
Did you notice anything in common about the top three passwords above? They can all be entered on a standard keyboard simply by running your finger from left to right. But while this might save a few seconds every time they log in, the cost of this laziness can be huge.
But while IT departments will no doubt be aware of the potential cost of this, how can they actually go about changing habits in an effective way?
Some password management policies may actually be doing more harm than good. For example, requiring your employees to change their passwords every 30 days or so may seem sensible on paper, but in reality, all you're going to do is frustrate employees and encourage them to fall into bad habits.
If workers are forced to change their login credentials regularly, are they really likely to take the time to come up with a brand-new password they'll forget in a week? Or will they just add a 1 to the end of their existing password and get on with their day?
Password managers - a better solution
To avoid these issues, the best solution is to adopt a password manager tool to take the task of thinking up and remembering a multitude of passwords out of employees' hands. There are a range of these available, and they offer several benefits, including:
- More secure passwords: Instead of forcing users to create passwords themselves, a good manager will generate them automatically, creating random passwords according to set criteria, including length, the mix of character classes (upper and lower case letters, numbers, special characters, etc.) and even pronounceability.
- Prevent reuse of passwords: Combined with the automatic generation feature, this can play an important role in ensuring no passwords are being reused across multiple services.
- Easier management: The options offered by password managers allow IT teams to exert better control over their environment, choosing when and how passwords are shared. This means you can give individuals access to group accounts without actually having to share the password, as the actual data can be hidden from end users.
- Greater convenience: Filling in fields automatically means users don't have to waste time typing out long passwords, or need to make multiple attempts if they're struggling to remember credentials or make typos.
Of course, there's still an inherent weakness in password managers; namely, that these tools will still require users to enter a master password, and if this is compromised the consequences can be especially serious. Therefore, it still pays to instill good password practices in employees for this one password.
While long, complex passwords may sound like a good idea, you don't want people forgetting their master password, or feeling they have to write it down. Therefore, a different approach may be required.
When it comes to security, length is often better than complexity, so the NCSC recommends choosing three or four random but memorable words for a passphrase. This should be at least 15 characters in length - making it tough for brute force attacks to crack - but should be easy for anyone to recall.
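As an added example (not from the article or from the NCSC), here is a small Python policy check and passphrase generator built around the points above: the four most common passwords quoted earlier, the keyboard-row finger run behind the top three, the "add a 1 to the end" rotation habit, and the NCSC 15-character passphrase floor. The word list is a constructed sample; a real deployment would use a large curated list and a breached-password set.

```python
import math
import secrets
import string

# The four most common passwords quoted from the NCSC figures above.
COMMON_PASSWORDS = {"123456", "123456789", "qwerty", "password"}

# Rows of a standard QWERTY keyboard; a finger run along one is a guessable pattern.
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")

MIN_PASSPHRASE_LEN = 15  # NCSC passphrase floor cited in the article

# Constructed sample word list (assumption); use a large curated list in practice.
SAMPLE_WORDS = ["anchor", "velvet", "cactus", "marble",
                "pioneer", "tundra", "saffron", "lantern"]

def is_keyboard_walk(pw: str, min_run: int = 4) -> bool:
    """True if pw is just a left-to-right (or reversed) run along one keyboard row."""
    p = pw.lower()
    return len(p) >= min_run and any(p in row or p in row[::-1] for row in KEYBOARD_ROWS)

def weakness_reasons(pw: str) -> list:
    """Policy check: returns the reasons a candidate password should be rejected."""
    reasons = []
    if pw.lower() in COMMON_PASSWORDS:
        reasons.append("common")
    if is_keyboard_walk(pw):
        reasons.append("keyboard walk")
    if len(pw) < MIN_PASSPHRASE_LEN:
        reasons.append("too short")
    return reasons

def is_trivial_variant(old: str, new: str) -> bool:
    """Catch the 'add a 1 to the end' rotation: same core once trailing digits are stripped."""
    return old.rstrip(string.digits).lower() == new.rstrip(string.digits).lower()

def generate_passphrase(word_count: int = 4, words=SAMPLE_WORDS, sep: str = "-") -> str:
    """Join word_count words chosen with a CSPRNG; retry until the policy check passes."""
    while True:
        phrase = sep.join(secrets.choice(words) for _ in range(word_count))
        if not weakness_reasons(phrase):
            return phrase

def passphrase_bits(word_count: int, wordlist_size: int) -> float:
    """Guess-space entropy in bits for word_count words drawn uniformly with replacement."""
    return word_count * math.log2(wordlist_size)
```

With the eight-word sample list, four words give only 12 bits of guess space; the same function shows why a list of several thousand words is needed before a four-word passphrase is genuinely resistant to brute force.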