The best way to learn good password hygiene is to think like a hacker.
Generally, a hacker can guess your passwords as fast as his computer will process them—and as computers get faster, the time it takes to crack your systems shrinks! When a hacker attempts to break into your network, he or she will likely run through a very systematic process aimed at cracking simple passwords (though phishing employees has become all too common a tool as well!). The scary thing that most businesses don’t realize is that more often than not, their weak passwords are the easiest way into their network (alongside unpatched systems, of course, so keep those updated regularly!). While there are many password-related issues that can cause serious security problems for your business (especially if you handle sensitive data), such as shared administrator passwords and reusing the same password for multiple logins, today I want to focus on weak and insecure passwords that, if left in place, are a sure way modern hackers will eventually get into your systems—without you even knowing anything’s wrong!
Problem 1: Commonly Used Passwords
Just as folks tend to gravitate towards similar baby names (at least within a generation), so too, many people—including business people!—gravitate towards similar passwords. It doesn’t make sense for hackers to run through every possible 8-letter password from aaaaaaaa to zzzzzzzz. They tend to try the most commonly used passwords first. Here are the 10 most widely used passwords as of late (I’m sure some of you at one point or another used one of these for something—perhaps your wireless password. If you pick something expected, remember that hackers are evaluating that password when trying to crack your codes):
- password
- 123456
- 12345678
- 1234
- qwerty
- 12345
- dragon
- pussy
- baseball
- football
Problem 2: Root Plus Appendage
Hackers then attempt to riffle through a commonly used pattern that uses a root plus an appendage. The ‘root’ doesn’t necessarily need to be a real word, but is most often something pronounceable. An appendage is either a suffix (which occurs more than 90% of the time) or a prefix. Hackers use programs with vast databases of roots and appendages. Common appendages consist of number patterns (12345), punctuation (an exclamation mark) or a combination of the two.
Problem 3: Pronounceable Words
Hackers tend to use a non-standard dictionary—one that inserts characters that may sound or look like letters, for instance substituting ‘@’ for ‘a’ or ‘1’ for ‘l’. While many folks creating a passw0rd! may think their substitutions in a pronounceable word or phrase greatly increase their password security, they often never imagine that hackers can evaluate these combinations quickly. Common substitutions such as the two mentioned above are actually easily evaluated nowadays.
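As an added example (not code from the original post), here is a small Python checker that applies the three cracker patterns above to a candidate password, so an administrator can flag them in a password policy before an attacker finds them. The common-password list, the root dictionary and the substitution table are constructed samples; a real check would load a full breach-derived wordlist.

```python
import re
import string

# Constructed sample of the "most commonly used" list; a real policy check
# would load a full breach-derived wordlist instead.
COMMON_PASSWORDS = {"password", "123456", "12345678", "1234", "qwerty",
                    "12345", "dragon", "baseball", "football"}

# Small constructed set of pronounceable roots a cracker's wordlist would hold.
ROOTS = {"password", "dragon", "baseball", "football", "welcome", "summer"}

# Look-alike substitutions that a non-standard dictionary undoes (Problem 3).
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "l", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})

# prefix / root / suffix, where prefix and suffix are runs of digits or
# punctuation (the "appendage" of Problem 2); the root is whatever remains.
PUNCT = re.escape(string.punctuation)
APPENDAGE_RE = re.compile(rf"^([\d{PUNCT}]*)(.*?)([\d{PUNCT}]*)$")


def normalize_leet(text: str) -> str:
    """Lower-case and undo the look-alike substitutions."""
    return text.lower().translate(LEET_MAP)


def split_root_appendage(pw: str) -> tuple[str, str, str]:
    """Return (prefix, root, suffix); the appendage is the prefix plus suffix."""
    return APPENDAGE_RE.match(pw).groups()


def weaknesses(pw: str) -> list[str]:
    """List the cracker patterns from the post that pw matches; [] means none."""
    findings = []
    if pw.lower() in COMMON_PASSWORDS:
        findings.append("common password (Problem 1)")
    prefix, root, suffix = split_root_appendage(pw)
    if root and normalize_leet(root) in ROOTS:
        if prefix or suffix:
            findings.append("root plus appendage (Problem 2)")
        if normalize_leet(root) != root.lower():
            findings.append("leet-substituted dictionary word (Problem 3)")
        if not findings:
            findings.append("bare dictionary word")
    elif not root and not findings:
        findings.append("digits or punctuation only")
    return findings
```

Note that the appendage is split off before the substitutions are undone, so the trailing "!" in passw0rd! is treated as a suffix rather than as a letter.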
Problem 4: Personal Information Opens Doors
Don’t get me wrong, passwords are increasingly hard to remember, and many of us may be tempted to embed personal information—your mom’s or best friend’s name, your birthdate, your kid’s birthdate or your childhood address. But with data more accessible than ever (online historical records, social media and the like), any glimpse of personal data in your passwords can make a hacker’s job a piece of cake! Avoid using personal data of any kind—even if it’s from 30 years ago!
Problem 5: Memorable Passwords Get Cracked
Any word or phrase that makes it easy to remember your password will also make for easy pickings for the modern hacker. Instead of using very familiar words and phrases for the sake of remembering a password, consider opting for a password vault to memorize your passwords for you. Remember NOT to use the same password more than once—especially for credentials locking sensitive information.
If you need to use a memorable password, try to create a personally memorable sentence—see our previous discussion on password generation for help. But if you can, the less memorable the password the better. A long string of letters, numerics and symbols makes for a much more secure password.
As I alluded to in the beginning, there’s much more to keeping your network safe than just generating a good password:
- Never reuse passwords that matter—bank accounts, work passwords, email passwords, anything that stores information you want to keep from prying eyes. Make sure each of these passwords is unique.
- Beware of your secret security questions—if a website asks you a couple very common questions, like your mother’s maiden name or your childhood street address, consider making up entirely different answers to those questions. Most security questions can be identified through phishing or other social engineering tricks. As hackers get more motivated to crack security questions, your mom’s maiden name may grant them a password reset and possibly a foot in the door to your account!
- Seriously consider using 2-factor authentication—if a website or login gives you an option to use 2-factor authentication, verifying a login via text or email, consider always using it. 2-factor verification makes logins significantly harder to crack and may even dissuade some hackers from even attempting to crack your account.
Are you sure your network isn’t riddled with weak and easy-to-crack passwords? Are your admin passwords secure? Are they shared? Contact us TODAY for a free network assessment to determine whether your systems are secure enough to prevent a big data hack!