Many organizations and individuals don’t consider their passwords to be at risk until it’s too late, when they find their accounts have been compromised or critical information stolen. Statistics such as the fact that 61 percent of organizations have more than 500 users with passwords that don’t expire illustrate the lax attitude some organizations take toward data risk protection.
According to a 2019 survey from the UK’s National Cyber Security Centre, the most common password found within stolen password databases was the highly vulnerable “123456,” leading with a whopping 23.2 million uses. The cringe-worthy password list continues with all the usual suspects — qwerty, password and 1111111. Many commonly used names were also listed, including ashley, michael, blink182, superman and liverpool.
The following are some password best practices and policies for your organization and employees to help keep accounts secure and avoid data breaches:
1. Keep it complicated: It’s no coincidence that many websites now require stronger passwords made up of 8+ characters and multiple character types — letters, numbers, symbols, upper- and lowercase. A passphrase is a great option to give you a longer, more complicated password that is also easy to remember.
2. Don’t use personal information: Although it’s easy for you to remember, it may be just as easily discovered by hackers. Refrain from using any publicly available data such as birthdate, city of residence, phone number or spouse name.
3. Change it often: Set a reminder in your calendar at the beginning of each quarter to fully replace all passwords, rather than recycling a previous one or changing a few letters or numbers. Organizations should set expiration dates for employee passwords so that they are required to renew throughout the year.
4. Isolate each password: Choose different passwords for each platform or system that you log into. If one becomes compromised, it is less likely to affect your other accounts. It’s especially important to keep personal and company passwords separate.
5. Use a password manager: Following these practices means having many unique, complex passwords, which are difficult to keep track of. A password manager stores them securely in a single, go-to location protected by a master password.
6. Use Multi-Factor Authentication (MFA): This method of account protection prompts a user to provide at least one additional source of verification during the login process. A common example is sending a one-time code to a user’s personal device. MFA will likely be the norm for all businesses in the future, so it should be a goal to roll it out sooner rather than later.
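A policy check implementing points 1 and 2 above, as an added example (not code from the original post or from Valeo Networks); the requirement of three character types, the 16-character passphrase exemption and the short denylist seeded from the NCSC entries quoted above are assumptions:

```python
"""Password policy check covering points 1 and 2: complexity and personal data."""
import re

# Constructed denylist seeded with the NCSC 2019 entries quoted above;
# a real deployment would load a full breached-password list instead.
COMMON_PASSWORDS = {
    "123456", "qwerty", "password", "1111111",
    "ashley", "michael", "blink182", "superman", "liverpool",
}

MIN_LENGTH = 8          # "8+ characters"
MIN_CLASSES = 3         # assumption: how many of the four types must appear
PASSPHRASE_LENGTH = 16  # assumption: long passphrases need fewer types


def character_classes(password: str) -> int:
    """Count how many of lowercase / uppercase / digit / symbol appear."""
    checks = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return sum(checks)


def check_password(password: str, personal_info=()) -> list:
    """Return a list of policy violations; an empty list means it passes."""
    problems = []
    lowered = password.lower()
    # Point 1: length and variety. A long passphrase may use fewer types.
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = character_classes(password)
    if len(password) < PASSPHRASE_LENGTH and classes < MIN_CLASSES:
        problems.append(f"uses {classes} character types, need {MIN_CLASSES}")
    # Reject entries known from stolen-password databases.
    if lowered in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    # Point 2: no publicly known personal data (name, city, birth date, phone).
    for item in personal_info:
        token = re.sub(r"\W", "", str(item)).lower()
        if len(token) >= 4 and token in lowered:
            problems.append(f"contains personal information: {item!r}")
    return problems
```

Passing `personal_info` with the user's name, city, birth date and phone number lets the check catch the cases point 2 warns about.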
Just remember the “123456” points above, and your organization’s employees will be empowered to keep both personal and company information secure. Additionally, scheduling regular cybersecurity awareness training for employees is highly recommended. If you are looking for more in-depth expertise and a comprehensive cyber strategy for your business, whether it’s a full security assessment, general security policies and procedures or basic security consulting, our Virtual Chief Information Officer (vCIO) can handle the job. Valeo Networks provides a turnkey, end-to-end security assessment that leverages our Rapid Fire, Network Detective, CyberHawk and Perch SIEM, and 24/7/365 SOC products alongside user training and other awareness services.