Passwords are the most common form of authentication for online accounts and services, but they also represent the easiest entry point for cyber criminals who want to steal your data, money, or identity. 86% of breaches involve a stolen, weak or default password, according to Verizon’s 2023 Data Breach Investigations Report (DBIR). In this blog post, our in-house Cyber Security Team will share some of the common pitfalls they see that make passwords vulnerable, along with four tips for protecting your passwords.
Common pitfalls SMEs need to avoid
Same password, different system
Over 50% of users make the mistake of using the same password across multiple systems, according to Keeper Security. Whether credentials are reused across professional or personal logins, should a hacker obtain one of them, they can reuse it to gain access to all your other accounts.
Unencrypted password sharing
Insecure methods should never be used to send passwords, yet 62% of employees admit to sharing them over company tools such as Teams or Slack, or via personal text messages, giving hackers an opportunity to harvest the credentials.
Man-in-the-middle attacks target individuals by intercepting their communications and listening for interesting or valuable information. If such an attack succeeds, it is not only future communications that are at risk but also anything previously shared over that channel.
While the simplest answer is that passwords are never to be shared between users, in the real world there are many practical reasons why they might need to be. As a result, pragmatic best practice focuses on ensuring the security of the sharing:
- Ensure it is encrypted
- Ensure it will expire
- Ensure the password changes after use
Unprotected password storage
Many passwords get stored in a file on a user’s desktop. Whether it is Notepad, Excel or Word, keeping track of credentials outside a secure location is ill-advised.
Consider the outcome of a malicious attacker gaining access to a user’s account: they would be greeted with an invitation into every other system via a conveniently located lookup file.
Although it can create an extra step when logging in to your systems, using a zero-trust encrypted vault for credentials is the best way to avoid a single compromised user allowing hackers through their account into their business-critical systems. Moreover, most password managers that provide a zero-trust solution also give the ability to set password expiration and enforce minimum password strength.
Not using multi-factor authentication (MFA)
MFA provides an insurance policy against compromised credentials. It works by requiring login attempts to provide two or more pieces of evidence to verify identity, typically a password plus a code sent to an email address or mobile number or generated by an app.
By requiring two or more forms of identification, MFA prevents hackers from being able to enter systems with only the user credentials.
Even when implemented appropriately, it can inconvenience users; however, adding the extra step in the login process is a worthwhile investment in keeping your data and applications secure.
4 tips for protecting your passwords
Having discussed the most common mistakes that our team see SMEs make with their password security, they are keen to share their top 4 ways a password manager would improve your team’s password hygiene.
Automate password creation
An 11-character number-only password would take a bot under 2 seconds to crack. However, if it is more complex, using lower- and upper-case letters, symbols, and numbers, cracking an 11-character password would take over 400 years.
Removing the responsibility from your users by enforcing the use of a password generator would ensure that all credentials within your SME meet your minimum standards.
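To make the keyspace argument above concrete, and to show what "enforcing a generator that meets your minimum standards" looks like in practice, here is an added example (not code from the original post or from Keeper Security). It estimates exhaustive-search time for the two 11-character cases, checks a simple character-class policy, and generates compliant passwords from the OS CSPRNG. The guess rate of 1e11 per second is an assumption chosen for illustration; the page gives no figure.

```python
import math
import secrets
import string

# Character classes a typical policy requires; together they are the 94 printable ASCII characters.
CLASSES = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digit": string.digits,            # 10
    "symbol": string.punctuation,      # 32
}
ALPHABET = "".join(CLASSES.values())

# Assumed attacker speed (offline, GPU-class). This is an assumption for the estimate, not a page figure.
GUESSES_PER_SECOND = 1e11
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(length, alphabet_size):
    """Number of candidates an exhaustive search must cover."""
    return alphabet_size ** length


def crack_years(length, alphabet_size, rate=GUESSES_PER_SECOND):
    """Worst-case time to exhaust the keyspace at the assumed guess rate."""
    return keyspace(length, alphabet_size) / rate / SECONDS_PER_YEAR


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random password of this length over this alphabet."""
    return length * math.log2(alphabet_size)


def meets_policy(password, min_length=12):
    """Policy check: minimum length plus at least one character from every class."""
    return len(password) >= min_length and all(
        any(c in cls for c in password) for cls in CLASSES.values()
    )


def generate_password(length=16):
    """CSPRNG-backed generator that guarantees every class is present, then shuffles."""
    if length < len(CLASSES):
        raise ValueError("length too short to include every character class")
    picked = [secrets.choice(cls) for cls in CLASSES.values()]
    picked += [secrets.choice(ALPHABET) for _ in range(length - len(picked))]
    secrets.SystemRandom().shuffle(picked)  # shuffle with the CSPRNG so class positions are unpredictable
    return "".join(picked)


if __name__ == "__main__":
    print(f"11 digits only:  {crack_years(11, 10) * SECONDS_PER_YEAR:.1f} seconds")
    print(f"11 mixed chars:  {crack_years(11, len(ALPHABET)):.0f} years")
    pw = generate_password()
    print(pw, meets_policy(pw))
```

At the assumed rate the digits-only case exhausts in about a second and the 94-character case in roughly 1,600 years, consistent with the figures quoted above.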
Avoid testing your users’ memory
Limit the number of passwords you need to remember. Instead of memorising, or insecurely storing dozens of passwords for different accounts and services, leverage a password manager’s secure vault storage.
A password manager encrypts and stores your passwords securely so that only you can access them. They can also autofill your passwords when you log in to your accounts, saving you time and hassle.
Share your passwords securely
As mentioned above, there are unavoidable situations that require a password to be passed between users. A password manager gives the option to distribute credentials between users securely, while granting each user account the least privilege possible.
Change your passwords regularly
Even if you have strong, unique passwords, you should still change them regularly to prevent hackers from cracking them or using them in the event of a breach. Password managers can be set up to expire credentials after a fixed period, keeping the applications better secured.
Our SOC team recommend expiring your passwords every 90 days, and immediately if you suspect any suspicious activity on your accounts.
Monitor the dark web for your credentials
As a little extra, our in-house SOC team want to warn readers who have got this far that, however closely you follow the guidance above, you may still be at risk. Tools such as SafeWeb can notify you should any of your SME’s credentials be found on the dark web following a credential breach.
How we can help
At TMT we provide a password manager solution for our clients, powered by Keeper Security.
Get your passwords protected today
Get the TMT Password Manager, powered by Keeper Security, and secure your passwords.