Despite increasingly sophisticated cybersecurity technologies and methodologies, 86 per cent of breaches still involve stolen credentials. While poor password management remains a risk for all organisations; fortunately, businesses can mitigate this risk by requiring their employees to have strong, hard-to-crack passwords on all corporate devices.
Passwords are highly susceptible to hackers because they are inherently vulnerable. People often choose weak, easily guessable passwords or reuse them across multiple accounts, making it simpler for hackers to gain unauthorised access using various techniques such as brute force attacks, phishing, or social engineering.
Hackers can also guess or reset passwords using the vast amounts of personally identifiable information (PII) available online. Once compromised, these stolen credentials are the most accessible pathway for hackers to infiltrate systems. And, if users re-use the same passwords across multiple accounts, malicious actors may be able to cause even more damage.
Passwords are the most common form of authentication; once a hacker has a valid username and password combination, they can bypass security measures, masquerade as legitimate users, and move laterally across systems, gaining unrestricted access to sensitive systems and data. The simplicity of exploiting human negligence or oversight in password security makes stolen credentials a highly effective tool for hackers, posing severe risks to personal and organisational security.
Passwords may tend to be vulnerable; however, it is possible to strengthen them to a point where they can contribute to a robust security posture. At an organisational level, strong password policies give employees a clear set of instructions to follow such as password length, complexity, and expiration guidelines. It’s essential for users to follow these instructions consistently and understand their importance in maintaining personal and company-wide cybersecurity.
Complex passwords are the first step in safeguarding accounts against brute force attacks, where threat actors use sheer computing power to systematically check all possible combinations of passwords to find the correct one. Simple passwords can be vulnerable to brute force attacks, especially if there is no limit on the number of attempts. Longer and more complex passwords and security measures like account lockout after several failed attempts can make brute force attacks impractical and considerably reduce their chances of success.
Complex passwords use a mix of uppercase and lowercase letters, numbers, and symbols. This significantly increases possible combinations, making it much harder for attackers to guess passwords. To create a complex password, employees should use at least 12 characters of various types, avoid common words and sequences, and never use easily accessible personal information such as a child’s or pet’s name.
Another option is using passphrases, which are like passwords yet longer and easier to remember. They are typically composed of multiple words strung together, often including spaces or special characters. A good passphrase should be long, memorable, and unique. They are usually more secure than passwords because their length and complexity make them difficult to crack yet easier for users to recall.
Employees should change their passwords every 60 to 90 days. These should be unique rather than slight variations of previous passwords, and old passwords should never be reused. It’s also essential to create unique passwords for each service and platform. Using the same password across multiple accounts puts all accounts at risk.
Threat actors operate under the assumption that many users reuse their login credentials on multiple sites. Credential stuffing is an automated process that tries compromised credentials on various websites and services to gain unauthorised access.
Organisations should implement multifactor authentication (MFA) to prevent credential stuffing attacks. MFA adds an extra layer of security by requiring at least two forms of verification before granting access to an account so, if a password is compromised, unauthorised users cannot gain access without the second factor.
Secure technology is available to support good password habits. Complex passwords are impossible to remember, especially when they need to be changed every 60 days. The solution is a password manager, which generates unique passwords for every account and securely encrypts them, minimises the risk of using weak or repeated passwords, and ensures that employees only need to remember one strong master password.
Strong password practices are a crucial first line of defence against threat actors and the foundation of cybersecurity-aware cultures. To strengthen good password hygiene even further, organisations should use services that monitor and alert if employee credentials have been exposed in a data breach. This allows users to change their passwords before attackers use the stolen information.
1. https://services.google.com/fh/files/blogs/gcat_threathorizons_full_jul2023.pdf
Jason Whyte is general manager for Asia Pacific for Trustwave.