Given the growing sophistication of modern threats, we here at Fortinet often spend time discussing cutting edge technology and strategies to secure today’s complex, evolving, and highly distributed networks. However, everyday cybersecurity efforts often come down to something much simpler: passwords.
Insecure or inadequate passwords are an easy target for cyber criminals. Accessing a network using a stolen password is much easier than trying to break in through edge security protocols. Attackers can uncover or bypass weak passwords using brute force attacks, inject compromised credentials to gain access to user accounts using credential stuffing attacks, or leverage a host of other strategies to hijack user accounts to steal personal or corporate data.
Today, May 2nd, is World Password Day. The goal is to promote better cybersecurity hygiene by upgrading easy-to-guess passwords or refreshing older passwords that may have been compromised through some data breach. Think of it as the cyber equivalent of testing and replacing the batteries in your home smoke detector. Being diligent about creating strong passwords and updating them regularly is the first line of defense in securing both your personal and corporate information. Maintaining strong passwords and having a password strategy you can easily manage—but that others cannot easily guess—is an essential cybersecurity effort that every employee and individual plays a crucial part in.
According to the Verizon Data Breach Investigations Report, 81% of breaches leveraged either stolen and/or weak passwords. That problem is compounded because one of the biggest risks to data security is the reuse of passwords across accounts. If one of your accounts is compromised and your user name and password are posted on the dark web, cybercriminals who know how often passwords are reused will simply begin to plug that information into other possible accounts until they unlock one that uses the exact same credentials.
This is a common risk, as 83% of people have admitted to reusing passwords across multiple sites. Even if you think it is safe to reuse passwords on accounts that don’t house sensitive data – a breach there can be used as an entryway to move laterally across networks in search of critical business data or personally identifiable information (PII).
Physical security of passwords is also important to keep in mind. The average US email address is associated with 130 accounts. With so many passwords to remember, many have admitted to writing passwords down on pieces of paper or keeping a list of passwords in unsecured documents on their computers. These items can easily fall into the wrong hands – whether they are simply lost or are compromised in a malware attack.
Short, simple passwords take fewer resources for hackers to compromise. In fact, hackers maintain databases of the most common words, phrases, and number combinations that they can run your password through to find a quick match.
Some of the most common passwords are baseball and football team names, any variant of 123456789, and QWERTY. Avoid using common password themes when creating a passphrase, such as the following:
Cyber adversaries are constantly tweaking their tradecraft to ensure successful intrusions in order to generate consistent revenue and profit. If your password is guessed or stolen or guessed, you may never know it happened until anomalous purchases appear in your bank account. And even more challenging, you may not be impacted directly at all. Data accessed by leveraging your compromised account may simply be used to move up the food chain, enabling an attacker to gain access to data and resources managed by someone else.
Implementing a strong passphrase is one of the easiest ways to protect yourself, your devices, and personal and corporate data from these cyber threats. The basic rule of thumb is, the longer and more complex the password, the more difficult it is to crack. However, unless done carefully, it can also be easier to forget.
Passwords are like toothbrushes—you want to choose a good one, never share it, and replace it quarterly. The best password is a strong passphrase, impossible to forget and difficult to guess, even for someone who knows personal details of your life like the name of the street you lived on as a child. The worst kind of password is one that everyone uses, is easily guessed, or uses common phrases and words.
When creating new accounts or updating well-used passwords, keep these six best practices in mind to minimize password-based cyber risk.
When it comes to password security, everyone has a role to play in the protection of PII and corporate data. On World Password Day, IT teams and stakeholders should review the common risks of weak passwords with their organizations, as well as remind everyone of these best practices. This simple practice can help employees better protect their data, while minimizing unintentional insider threats to the organization.
Find out more information about our FortiVets program.