Things must be looking up in the online security education arena: according to a Redcentric survey, over 40% of Brits think their passwords are so secure that hackers could never guess what they are. But then again, some people think that the world is flat and that the Moon is made of cheese.
It’s not what you say, it’s what you do
More important than a user’s opinion of their own password strength is how they created that password and where they use it.
In the survey, two worrying statistics emerged:
- One third of respondents admitted using personal information in their passwords – particulars such as name, address and date of birth.
- Two thirds admitted using the same password on multiple accounts.
Social engineering made easy
The trouble with using personal information to construct passwords is that it gives hackers a leg up in the task of cracking them: if they can simply find out more about the person, they can take educated guesses at their passwords.
And how do they find out more about a person? Same as the rest of us – a Google search, a lookup on Facebook, LinkedIn, Twitter, Pinterest…easy, peasy, password squeezy.
At the same time, they will note a person’s interests in case they are presented with other security questions when they attempt to gain access to the systems on their hit list. Social media sites are fountains – nay, geysers – of information for even the most inexpert of hackers. Try it yourself; it makes a good party trick.
What happens in Vegas, stays in Vegas
No, it doesn’t.
What people do in their own home is usually outside the sphere of interest for business owners, but passwords don’t just stay at home. If two thirds of people use the same password on more than one online account, even if it’s a super-strong one, there’s every chance that one of those accounts is at the person’s workplace, so there’s a direct link between their online activity and your network’s security.
The same password could also access the commercial accounts of companies that don’t have high security levels and so have a higher risk of being successfully hacked. When the latter happens, the first thing a hacker will do – after jumping for joy – is try those same passwords on the rest of the online community. This is precisely what happened when hackers who had stolen LinkedIn details used them to gain access to Dropbox accounts.
In a nutshell, the downstream effect of a hacker being able to crack one of your employee’s passwords is a potential breach of your own network.
Strength of character and the power of one
Business bosses can fight the threat of weak or indiscriminately used passwords by educating their employees about what constitutes a strong password and why they should be unique to each online account.
Strong passwords are long (at least 15 characters) and should contain a mixture of upper and lower case letters, as well as numbers and special characters. It’s understandable that they will be hard to remember, so password management software is the best option for storing them.
Entrench the company mantra: One Account, One Password. Make it a signed-up-for policy that passwords must be unique, both internally and externally.
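The three failings the article describes (weak passwords, personal details baked in, and one password reused across accounts) can all be caught by an audit over a password manager’s vault. The script below is an added example, not code from the survey or the article; the vault contents and the personal details are constructed, and the 15-character, mixed-class rule is the one stated above.

```python
import re
from collections import defaultdict

# Constructed sample: a user's password-manager vault (account -> password)
# and the personal details a casual web search would reveal about them.
SAMPLE_VAULT = {
    "work-vpn": "Fluffy1984!",
    "linkedin": "Fluffy1984!",
    "dropbox": "Tr0ub4dor&3",
    "bank": "Correct-Horse-Battery-9-Staple",
}
SAMPLE_PERSONAL_INFO = ["Jane", "Smith", "1984", "Fluffy", "42 Acacia Avenue"]

MIN_LENGTH = 15  # the article's "at least 15 characters" rule

def strength_problems(pw):
    """Return the policy rules the password fails (empty list means it passes)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", pw):
        problems.append("no lower-case letter")
    if not re.search(r"[A-Z]", pw):
        problems.append("no upper-case letter")
    if not re.search(r"\d", pw):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no special character")
    return problems

def personal_info_hits(pw, personal_info, min_len=4):
    """Return the personal details embedded (case-insensitively) in the password."""
    # Split multi-word details so "42 Acacia Avenue" also matches "acacia";
    # very short tokens such as "42" are ignored to avoid noise.
    tokens = {t for item in personal_info for t in item.split() if len(t) >= min_len}
    return sorted(t for t in tokens if t.lower() in pw.lower())

def audit_vault(vault, personal_info):
    """Audit every entry for strength, personal-info leakage and cross-account reuse."""
    findings = {}
    by_password = defaultdict(list)  # password -> accounts that use it
    for account, pw in vault.items():
        by_password[pw].append(account)
    for account, pw in vault.items():
        issues = strength_problems(pw)
        hits = personal_info_hits(pw, personal_info)
        if hits:
            issues.append("contains personal info: " + ", ".join(hits))
        others = [a for a in by_password[pw] if a != account]
        if others:
            issues.append("reused on: " + ", ".join(sorted(others)))
        if issues:
            findings[account] = issues
    return findings
```

Running `audit_vault(SAMPLE_VAULT, SAMPLE_PERSONAL_INFO)` flags the work VPN and LinkedIn entries for sharing a short password built from a pet's name and a birth year, while the bank entry passes cleanly.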
Make it happen
Security advisors have been banging on for years about not using personal info in passwords, and only using one password for one account, but the message doesn’t seem to have filtered through to everyone.
It seems right, then, that an employee’s password proclivities should be a worry to businessmen, but to borrow from the proverb, worry is like a rocking chair: it will give you something to do, but won’t get you anywhere. A few simple workplace directives could put worry back in its box.