Your Password Best Practices Primer for 2018 – Part 1

1/18/2018

Every year, we post a piece about best practices in password management to help you improve your cybersecurity. Why? Three core reasons:

  • Stealing passwords from individual users is one of the best avenues for cybercrooks to compromise business systems. Per one study, an average of 95 passwords were stolen every second during 2016. Given the rising incidence of data breaches last year, the pace of password theft surely hasn’t slowed as we move into 2018.
  • Many technology users remain lazy password practitioners. Case in point: Per the annual “Worst Passwords” report by SplashData, “123456” was the top most-used password for the fourth consecutive year. “Password” came in second. About one in 10 people surveyed by SplashData admitted using at least one of the bad passwords on the list of 100 weak ones.
  • Per an international study by software maker LastPass and the analyst firm Ovum, more than 60% of IT executives rely exclusively on employee education to enforce strong passwords. Yet, the same survey found more than three quarters of the workers polled reported they regularly have problems with password usage or management. There’s an obvious disconnect afoot.

So, our quest to evangelize password practices persists. Here are five powerful password usage and management tips that we gleaned from reviewing articles on the topic, including our own posts:

  1. Choose and communicate a clear definition of what constitutes a “strong password.”
    Current IT industry consensus holds “strong” passwords should be at least 10 to 15 characters, include a mix of lower case and capital letters, numbers and special characters (e.g., @, $, or *), and be unrelated to any prior passwords.
  2. Advocate unique passwords for every account, website and/or app – business or personal.
    Cybercrooks who breach LinkedIn accounts aren’t stealing résumés. They’re researching how users think. Using the same password – or even similar ones – for other social platforms and business applications could create pathways for hackers to wreak havoc in personal and professional spheres.
  3. Advise users to avoid patterns across accounts.
    Using variations of standard passwords for different sites is called “salting.” An example would be a company leader who uses “CEOfb” for Facebook and “CEOtwtr” for Twitter. Once a hacker discovers the logic applied to creating these variations, cracking the code of dozens of passwords doesn’t take long.
  4. Tell your team to leave their personal interests out of passwords.
    Through social platforms such as Facebook, Twitter and LinkedIn, hackers can study someone’s private life and crack logical patterns like “salting.” So, never use the names of family members, including pets. Plus, remove references to easily researched histories, hobbies and the like. For example, are any members of your staff avid followers of Game of Thrones? Well then, “QuEEn*of*Dr@g0ns” may be a dangerous password for them. And if their Facebook pages refer to where they attended high school, they shouldn’t pick “What was your high school mascot?” as a security question.
  5. Offer your users a little help.
    Ask your IT Managed Services Provider (MSP) for reviews and ratings of the best password generators and password managers available on the market. Your MSP has insight and experience helping multiple clients with cybersecurity and understands your unique needs, too.
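Tips 1, 3 and 4 above describe a policy that a sign-up or password-change form can enforce mechanically: a minimum length, all four character classes, no known-bad passwords, no close variants of a previous password, and no words the user has published about themselves. The following Python script is an added example written for this post, not code from the original article or from SplashData or LastPass. The blocklist, the profile terms, the 0.6 similarity threshold and the letter-for-symbol substitution table are all constructed assumptions; a real deployment would load a full published common-password list and tune the threshold.

```python
import difflib
import string

# Constructed, deliberately tiny blocklist for this example. The page cites
# SplashData's list of 100 weak passwords; load the real list in production.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "12345678"}

MIN_LENGTH = 10        # lower bound of the 10-15 character range the post cites
MAX_SIMILARITY = 0.6   # assumed threshold: reject if this close to a prior password

# Assumed substitution table: undo the common letter-for-symbol swaps so that
# "Dr@g0ns" and "dragons" compare equal when checking profile terms.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "0": "o", "3": "e",
                          "1": "i", "$": "s", "5": "s", "7": "t"})

REQUIRED_CLASSES = {"lower", "upper", "digit", "special"}


def character_classes(pw):
    """Return the set of character classes present in pw."""
    classes = set()
    for ch in pw:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("special")
    return classes


def normalize(pw):
    """Lower-case, undo leet substitutions and keep letters only."""
    return "".join(ch for ch in pw.lower().translate(LEET_MAP) if ch.isalpha())


def similarity(a, b):
    """Case-insensitive similarity ratio in [0, 1]; 1.0 means identical."""
    return difflib.SequenceMatcher(None, a.lower(), b.lower()).ratio()


def check_password(candidate, previous=(), profile_terms=()):
    """Return a list of policy violations; an empty list means the password passes.

    previous:      earlier passwords for this account (tip 1 and tip 3)
    profile_terms: words the user has published about themselves (tip 4)
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    missing = REQUIRED_CLASSES - character_classes(candidate)
    if missing:
        problems.append("missing character classes: " + ", ".join(sorted(missing)))
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password blocklist")
    # A yearly rotation such as Summer2017! -> Summer2018! is a near-duplicate.
    for old in previous:
        if similarity(candidate, old) >= MAX_SIMILARITY:
            problems.append("too similar to a previous password")
            break
    # Compare on the normalized form so symbol substitutions do not hide the term.
    normalized = normalize(candidate)
    for term in sorted(profile_terms):
        if normalize(term) and normalize(term) in normalized:
            problems.append(f"contains a term from the user's public profile: {term}")
    return problems


if __name__ == "__main__":
    samples = [
        ("123456", {}),
        ("Summer2018!", {"previous": ["Summer2017!"]}),
        ("QuEEn*of*Dr@g0ns", {"profile_terms": ["dragons", "thrones"]}),
    ]
    for pw, kwargs in samples:
        print(pw, "->", check_password(pw, **kwargs) or ["ok"])
```

The profile-term check is what turns tip 4 into something enforceable: "QuEEn*of*Dr@g0ns" satisfies every character-class rule and would pass a naive strength meter, but once a fan page or bio supplies the word "dragons", the normalized comparison flags it.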