Big hacks in recent months – like Sony’s – have attracted global attention, compelling even heads of state like President Obama and PM David Cameron to make public statements about their growing concern for online security.
But has this high profile concern filtered down to the man in the street? American talk show host Jimmy Kimmel put it to the test by querying the password habits of ordinary people. If nothing else, you have to admire the skills of the reporter. Intelligence agencies, take note…not a waterboard in sight.
Some people are idiots – so what?
The Kimmel segment is funny and you’re probably laughing as loud as the hackers, who know just how easy it is to dupe people. But for ‘people’, read ‘employees’ and suddenly it’s not so funny after all. In fact, weak passwords are no joke whatsoever: Trustwave, an American infosecurity company, found that they could crack 50% of business passwords within minutes, and 92% within a month.
Perhaps the people who shop on Hollywood Boulevard have less common sense than your employees, perhaps every one of your employees is so cyber-savvy that they could single-handedly outwit The Lizard Squad if given the chance…
But then again, perhaps not. No one’s accusing you of hiring idiots, but when it comes to choice of passwords, many people are in blissful ignorance of the potential consequences for their employers.
How to crack a password
Is it really as easy as Kimmel’s technique suggests? Not quite, but attackers rely on two human habits that work in their favour: people build their passwords from personal details, and they reuse the same password at home and at work.
Put these two habits together and you have a direct threat to the business: if attackers can work out the likely answers to an employee’s security questions, they can reset and hijack that person’s personal email account, and the password recovered there – or the password resets that mailbox now controls – gets them into the company network.
You might assume that hackers have very smart, super-sneaky ways of finagling personal details out of ordinary individuals – what’s called social engineering – but the truth is, we make it all too easy for them.
They don’t have to stand on street corners interviewing people, and they don’t have to drag them down a dark alley and beat it out of them. Instead, they target a particular organisation’s employees and do their sleuthing with the help of Facebook, Twitter, LinkedIn, and other similarly rich sources of personal data.
How to protect your business
Employees should be made aware of the security risks posed by social engineering, and that avoiding account breaches rests on two principal tactics: using strong passwords, and using a unique password for every account.
An absolute no-no when constructing a strong password is to use anything that can be lifted from a person’s social media page or other online footprint: family or friends’ names, pets’ names, place names, important dates, personal interests.
Passwords shouldn’t be built from words that appear in dictionaries – cracking tools run through a language’s entire vocabulary, plus the usual tricks like a capital first letter and a number or year tacked on the end, in seconds.
Length equals strength, so passwords should be at least 15 characters long and include a degree of complexity: random numbers, special characters, and a mix of upper and lower case. Strength meters give a rough estimate of how long a password would take to crack, but treat them as a guide only: they assume the password is random, so they will over-rate one built from a pet’s name and a birth year.
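To make the point concrete, here is a short Python script added to this article (it is not from the original post or any cracking tool). It builds a targeted wordlist from a constructed “profile” of the kind of details a social-media trawl yields, applies the usual mangling rules, and recovers a personal-detail password from its unsalted SHA-256 hash in a handful of guesses, while a random 16-character password from a password manager survives the same list. It also shows why a naive strength meter (length times character pool) rates the weak password far too highly. The profile contents and the hash type are assumptions for illustration.

```python
"""Targeted password guessing: why personal details make weak passwords.

Added example, not part of the original article. PROFILE is a constructed
stand-in for details an attacker would scrape from social media.
"""
import hashlib
import itertools
import math
import secrets
import string

# Constructed OSINT profile (assumption: what a LinkedIn/Facebook trawl yields).
PROFILE = {
    "names": ["alice", "bob", "rex"],   # employee, spouse, dog
    "places": ["leeds"],                # home town
    "years": ["1984", "2010"],          # birth year, wedding year
}

# Common "mangling" suffixes that cracking tools bolt on to each base word.
SUFFIXES = ["", "1", "12", "123", "!", "!1", "2015"]


def candidate_passwords(profile):
    """Build a targeted wordlist: profile words, capitalised, with suffixes,
    with years, and pairs of words joined together."""
    words = profile["names"] + profile["places"]
    guesses = set()
    for w in words:
        for base in (w, w.capitalize(), w.upper()):
            for s in SUFFIXES:
                guesses.add(base + s)
            for y in profile["years"]:
                guesses.add(base + y)        # e.g. rex2010
                guesses.add(base + y[-2:])   # e.g. rex10
    for a, b in itertools.permutations(words, 2):
        guesses.add(a + b)
        guesses.add(a.capitalize() + b.capitalize())
    return sorted(guesses)


def sha256_hex(password):
    """Unsalted SHA-256, standing in for a leaked password hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack(target_hash, candidates):
    """Try every candidate against the hash. Returns (password, guesses_made),
    or (None, guesses_made) if the list is exhausted."""
    for n, guess in enumerate(candidates, start=1):
        if sha256_hex(guess) == target_hash:
            return guess, n
    return None, len(candidates)


def personal_details_in(password, profile):
    """The check the article recommends: flag anything lifted from the
    employee's online footprint. Returns the offending tokens."""
    lowered = password.lower()
    tokens = profile["names"] + profile["places"] + profile["years"]
    return [t for t in tokens if t in lowered]


def naive_strength_bits(password):
    """What a simple strength meter computes: length * log2(character pool).
    Only meaningful for random passwords; it badly overstates 'Rex2010'."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    return len(password) * math.log2(pool) if pool else 0.0


def generate_password(length=16):
    """A random password of the kind a password manager would generate."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def demo():
    """Crack the personal-detail password, then fail against a random one.
    Returns True when the random password survives the targeted list."""
    wordlist = candidate_passwords(PROFILE)
    weak = "Rex2010"
    found, tries = crack(sha256_hex(weak), wordlist)
    print(f"{weak!r}: meter says ~{naive_strength_bits(weak):.0f} bits, "
          f"cracked as {found!r} after {tries} of {len(wordlist)} guesses; "
          f"personal details found: {personal_details_in(weak, PROFILE)}")
    strong = generate_password(16)
    found, tries = crack(sha256_hex(strong), wordlist)
    print(f"random 16-char password: meter says ~{naive_strength_bits(strong):.0f} bits, "
          f"targeted list result: {found!r} after {tries} guesses")
    return found is None


if __name__ == "__main__":
    demo()
```

The wordlist here is a few hundred entries; a real cracking run adds full dictionaries and thousands of mangling rules and tests billions of hashes a second against unsalted MD5 or SHA-1, which is why the Trustwave figures above are plausible. Note that the 16-character random password scores highly on the meter and is also genuinely outside any targeted list, whereas “Rex2010” scores respectably and falls immediately: the meter is not the test that matters.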
And when it comes to account-recovery security questions, insist that employees don’t use accurate, traceable facts – this is the time when they should lie about their first school, spouse’s favourite food, or dream holiday destination. Remember, the system isn’t verifying that a security answer is actually true, only that it matches what was entered.
But strong, unique passwords for dozens of accounts are likely to be forgotten, and business owners need to recognise that these rules make life hard for the average person. The answer is a password manager, which generates and stores a unique random password for every account, so that all an employee has to remember is one master passphrase – which must itself be long, unique, and never reused anywhere else.
Keep calm and carry on
A final tip: next time you’re window-shopping on Hollywood Boulevard and someone thrusts a microphone in your face, keep walking. And change your password…just in case.