Have you ever worked at a company where they have a secret internal password that only a handful of people knew?
You custom created it.
- It is longer than 8 characters, with one upper-case character plus one or more numbers.
- Yes, one or more special characters too.
- It was easy to remember yet difficult to crack.
- It is mostly used for internal servers and applications which are not production devices.
But slowly and steadily this password crept into other areas.
And one day, you had to share it with an intern, who was helping out with a critical task.
Before you knew it, everyone in the company - your interns and a few trusted contractors knew this password.
So you created a more secure version of it, adding a few more characters to the same password.
And this one time when you were signing up at a website for a personal account you had to come up with a new password.
Guess what came to the top of your mind?
Your company's secret password. Now it is all over the place.
Your password manager is blaring at you, saying that you have 35 accounts with the same password.
And what if it is compromised?
It only takes one person reusing it for a personal account that then gets breached.
Finally, one day as an IT manager, you made the resolution to clean it all up.
But it is not as easy as it seems, as more variables have been added to the mix.
- Your company grew over the years and it now stands at 500 people.
- You still have the same internal secret password or a different version of it.
This problem raises a few questions. You can tackle it in advance only if you understand the process involved.
This article explores how you can avoid password problems and data breaches at your company.
You can also teach your interns and other colleagues how to create better passwords, for their security and yours.
Perhaps put together an SOP, or a guideline for the whole company.
- The Cost of Weak Passwords For Your Business
- The 6 common techniques for hacking passwords
- The Passwords You Should Never Use In 2022
- What Makes For A Secure Password?
- 5 Ways To Create Strong Passwords
- The Top Tools For Storing Passwords
#1. The Cost of Weak Passwords For Your Business
These statistics help to explain why passwords are a major source of vulnerability for businesses:
According to the 2020 Verizon Data Breach Investigations Report, stolen or weak passwords were used in 81 percent of all data breaches investigated.
- Every week, 1 million passwords are stolen, according to the 2019 Breach Alarm.
- According to the 2017 Ponemon Institute Cost of Data Breach Study, the average cost of a data breach is $1.3 million.
- According to the 2020 Verizon Data Breach Investigations Report, password dumpers are one of the most common types of malware.
#2. 6 Common Techniques For Hacking Passwords
Below are the password-hacking techniques hackers use most frequently.
- Keyloggers
- Social Engineering
- Dictionary Attack
- Brute Force
- Rainbow Attack
- Credential Stuffing Attack
Each technique is explained below.
Keyloggers
Keyloggers are software programmes that give hackers access to personal data by recording every keystroke made on the computer's keyboard.
All of your keystrokes are recorded, including your passwords and credit card numbers, as well as the web pages you visit.
Social Engineering
This approach employs various styles of deception and manipulation.
All of them trick or pressure people into divulging their information or taking a specific action.
Phishing and trojan horse attacks are two of the most common social engineering techniques used to steal passwords.
An uncommon method of hacking is shoulder surfing, in which the hacker simply stands nearby and watches as a user types in his or her password.
Dictionary Attack
Using a "dictionary of passwords," hackers attempt to guess a password by trying a list of common words from the dictionary.
More advanced password dictionaries contain lists of the words that appear most frequently in passwords.
Even though this is a relatively straightforward method, it is highly effective against less-complex passwords.
All of your credentials are at risk if you use real words as part of one or more of your passwords.
Brute Force Attack
Even though it is not as efficient as a dictionary attack, a brute force attack is more effective in the long run when it comes to guessing passwords.
Hackers use tools to repeatedly try every possible password combination of letters, numbers, and symbols until they have cracked the password using this method.
A reverse brute force attack is one in which a hacker attempts a single password against a large number of different usernames.
Rainbow Attack
This method is much more efficient and effective than brute force or dictionary attacks.
It makes use of a resource known as a rainbow table to crack password hashes.
A rainbow table is a precomputed list of password hashes (the scrambled form in which systems store passwords in their databases) mapped back to the plaintext that produces each one, so a stolen hash can be looked up instead of guessed.
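As an added illustration (not code from the original post), the following shows why a precomputed table works against plain, unsalted hashes and why the usual defence, a per-user random salt plus a slow key-derivation function, defeats it. The wordlist is a constructed sample taken from the never-use list in section #3; the iteration count is an assumption.

```python
import hashlib
import hmac
import os

# Constructed wordlist: the first entries of the never-use list in section #3 below.
COMMON_PASSWORDS = ["123456", "password", "12345", "123456789", "password1", "qwerty"]
ITERATIONS = 210_000  # assumed value; slow on purpose, raise as hardware allows

def build_lookup_table(candidates):
    """Precompute hash -> plaintext for a wordlist. This is the idea behind a rainbow
    table (minus its chain compression) and only works on unsalted, unkeyed hashes."""
    return {hashlib.sha256(p.encode()).hexdigest(): p for p in candidates}

def reverse_unsalted(stored_hash, table):
    """One dictionary lookup recovers the plaintext of an unsalted SHA-256 hash."""
    return table.get(stored_hash)

def hash_salted(password, salt=None):
    """Defensive storage: per-user random salt plus slow PBKDF2-HMAC-SHA256, stored as
    'saltHex$digestHex'. No precomputed table can cover every possible salt."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()

def verify_salted(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)

def demo(password="password1"):
    """Same weak password stored both ways: reversed instantly when unsalted, absent
    from the precomputed table when salted."""
    table = build_lookup_table(COMMON_PASSWORDS)
    unsalted = hashlib.sha256(password.encode()).hexdigest()
    salted = hash_salted(password)
    return {
        "unsalted_reversed": reverse_unsalted(unsalted, table),
        "salted_in_table": salted.split("$")[1] in table,
        "salted_verifies": verify_salted(password, salted),
    }
```

Salting only removes the precomputation shortcut; a weak password can still be guessed one user at a time, which is why the slow iteration count and the password rules in section #4 both matter.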
Credential Stuffing Attack
Hackers have developed tooling that automatically tests a target website's login against a database of username/password combinations compromised in earlier breaches.
This is made possible because so many people use the same passwords or variations of passwords across accounts.
It is estimated by Shape Security that 90 percent of login attempts at online retailers are the result of this type of attack, and that this method is effective for hackers approximately 3 percent of the time.
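Credential stuffing and reverse brute force leave a recognisable shape in authentication logs: one source touching many different accounts with only one or two tries each. The detector below is an added example (not from the original post) that runs over a constructed, labelled sample log; the log format and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from any real system): one source tries many
# accounts once each; a normal user mistypes twice and then signs in.
SAMPLE_LOG = """\
2022-03-01T10:00:01Z src=203.0.113.7 user=alice result=FAIL
2022-03-01T10:00:02Z src=203.0.113.7 user=bob result=FAIL
2022-03-01T10:00:02Z src=203.0.113.7 user=carol result=FAIL
2022-03-01T10:00:03Z src=203.0.113.7 user=dave result=SUCCESS
2022-03-01T10:00:04Z src=203.0.113.7 user=erin result=FAIL
2022-03-01T10:00:05Z src=203.0.113.7 user=frank result=FAIL
2022-03-01T10:05:00Z src=198.51.100.9 user=grace result=FAIL
2022-03-01T10:05:20Z src=198.51.100.9 user=grace result=FAIL
2022-03-01T10:05:45Z src=198.51.100.9 user=grace result=SUCCESS
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")

def parse_log(text):
    """Yield one event dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                   "src": m["src"], "user": m["user"], "ok": m["result"] == "SUCCESS"}

def find_stuffing_sources(events, window=timedelta(minutes=5), min_users=5, max_per_user=2):
    """Flag sources that, within `window`, touch at least `min_users` distinct accounts with
    at most `max_per_user` tries each (many accounts, few tries: stuffing or reverse brute
    force). Brute force on a single account needs a separate per-account threshold."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):  # sliding time window over this source's events
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            tries = defaultdict(int)
            for e in evs[start:end + 1]:
                tries[e["user"]] += 1
            if len(tries) >= min_users and max(tries.values()) <= max_per_user:
                hits = {e["user"] for e in evs[start:end + 1] if e["ok"]}  # accounts to reset
                alerts[src] = {"distinct_users": len(tries), "successes": sorted(hits)}
    return alerts
```

The "successes" list is the actionable output: those accounts were entered with a reused password and need a forced reset, not just the source blocked.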
#3. The Passwords You Should Never Use In 2022
According to Schneider Downs there are passwords you should never use.
You would do well to know these, as lazy passwords can hurt you badly.
- 123456 – Less than one second to crack, 3.5M+ uses counted
- Password – Less than one second to crack, 1.7M+ uses counted
- 12345 – Less than one second to crack, 958K+ uses counted
- 123456789 – Less than one second to crack, 873K+ uses counted
- password1 – Less than one second to crack, 666K+ uses counted
- abc123 – Less than one second to crack, 610K+ uses counted
- 12345678 – Less than one second to crack, 440K+ uses counted
- qwerty – Less than one second to crack, 382K+ uses counted
- 11111 – Less than one second to crack, 369K+ uses counted
- 1234567 – Less than one second to crack, 356K+ uses counted
- 123456 – Less than one second to crack, 103M+ uses counted
- 123456789 – Less than one second to crack, 46M+ uses counted
- 12345 – Less than one second to crack, 32M+ uses counted
- qwerty – Less than one second to crack, 22M+ uses counted
- password – Less than one second to crack, 20M+ uses counted
- 12345678 – Less than one second to crack, 14M+ uses counted
- 111111 – Less than one second to crack, 13M+ uses counted
- 123123 – Less than one second to crack, 10M+ uses counted
- 1234567890 – Less than one second to crack, 9.6M+ uses counted
- 1234567 – Less than one second to crack, 9.3M uses counted
4 don'ts for passwords
- Never use the word "password" as your password.
- Use a different password for each website you visit.
- When creating a password, avoid using words that are already in the dictionary. Some of the letters in the word can be replaced with numbers or symbols.
- Make use of a password manager and change your passwords at least once every three months.
What should you do to prevent weak passwords? Or rather how do you create strong passwords?
That’s what the next section tells you.
#4. What Makes For A Secure Password?
An extremely strong password is one that cannot be guessed or cracked using the methods hackers commonly use.
Hackers use computers to experiment with different combinations of letters, numbers, and symbols in the hope of finding the right one.
Modern computers are capable of cracking simple passwords consisting only of letters and numbers in a matter of seconds.
Strengthening a password is accomplished by using a combination of uppercase and lowercase letters as well as numerals and special symbols, such as punctuation marks.
- It should be at least 12 characters in length, though we recommend making it even longer if possible.
- It uses upper- and lowercase letters, numbers, and special symbols as appropriate. Passwords that contain a mixture of characters are more difficult to crack.
- It does not use keyboard sequences (such as "qwerty").
- It is not based on any of your personally identifiable information.
- Each account you have must have a password that is different from the others.
- There will frequently be prompts when you're creating an online account, reminding you to include numbers or a certain number of characters.
- Some companies will prevent you from creating a "weak password," which is typically a single word or number combination that is easy to guess.
- However, even if you aren't prompted to create a strong password, it is extremely important to do so whenever you create a new online account or change the password for an existing one.
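The rules above can be turned into a policy check. The function below is an added example (not the post's own code): it returns every rule a candidate password breaks, using the page's never-use list, keyboard rows, and a constructed stand-in dictionary. The "different password per account" rule cannot be judged from one password alone and is left to the password manager.

```python
import re

# The first ten entries of the never-use list in section #3 above.
NEVER_USE = {"123456", "password", "12345", "123456789", "password1",
             "abc123", "12345678", "qwerty", "11111", "1234567"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
# Constructed stand-in for a real dictionary; use a full wordlist in production.
SMALL_DICTIONARY = ["password", "welcome", "summer", "carbon", "security", "blog"]

def has_keyboard_pattern(pw, run=4):
    """True if `pw` contains `run` adjacent keys from one keyboard row, in either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            if any(seq[i:i + run] in low for i in range(len(seq) - run + 1)):
                return True
    return False

def check_password(pw, personal_info=()):
    """Return the rules from the section above that `pw` breaks; [] means it passes.
    `personal_info` holds the user's own data (name, birthday) that must not appear."""
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    if not all(re.search(p, pw) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")):
        problems.append("missing upper, lower, digit or special character")
    if pw.lower() in NEVER_USE:
        problems.append("on the never-use list")
    if has_keyboard_pattern(pw):
        problems.append("contains a keyboard pattern")
    for word in SMALL_DICTIONARY:
        if word in pw.lower():
            problems.append(f"contains dictionary word '{word}'")
    for item in personal_info:
        if item and item.lower() in pw.lower():
            problems.append(f"contains personal information '{item}'")
    return problems
```

Run against the page's own samples, "P@ssw0rd" fails only on length, while the 15-character random string in section #5 passes every rule.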
#5. 5 Ways To Create Strong Passwords
Many users' passwords are cracked as a result of their poor password structure.
We've compiled a list of ways to build the strongest passwords.
1. Combine words that are only partially related to one another
For example, you could combine words like "Carbon," "Blog," and "Security" to form the phrase "CarBloSecu!"
You could also combine partial sentences of two, three, or even four unrelated words together (using both uppercase and lowercase letters) and end it with a special character.
2. Combine a word and a number together
Combine a word with a number (using a mix of uppercase and lowercase letters). For example, if you combine your name and your IP number, such as "Rajesh" and "184.108.40.206," your password could be "Rajesh!1159#622844!", with a special character at the beginning, in the middle and at the end.
3. Alternatively, replace the word with a random number and symbol.
Replace the word with a random number and symbol (mix uppercase and lowercase).
For example, Microsoft suggested the strongest password "P@ssw0rd," which replaces the letter a with the @ symbol and the letter o with the number 0 (Zero).
This requires some creative thinking.
4. Combine the words and numbers in a random manner.
In a random manner, combine the word and the number (mix uppercase and lowercase).
For example, the word "Rajesh" and a birthday "12.12.72" can be combined at random to form the phrase "R12@je12sh1972".
In addition to being impossible to crack, such a password is also extremely difficult to remember.
5. Create a random mixture of meaningless words, numbers, and symbols at least 15 characters long.
This leads to the strongest passwords. Combine meaningless words, numbers, and symbols in a random manner, at least 15 characters long (mix uppercase and lowercase).
In reality, the strongest password is the one that is the most difficult to remember, such as "R7r9t8@Q#h%Hy+E".
Listed below are some additional examples of password variations that are designed to avoid the use of complete English word patterns:
- Piece of cake // P1e!12ofC@ke!
- raining cats and dogs // R@in!Cat12sDo72gs!
- Kill two birds with one stone // K1ll!!2Bir*sW1St0ne#
By substituting numbers and special characters for letters in these passwords, a dictionary programme will take an exponentially longer time to guess them.
#6. The Top Tools For Storing Passwords
Because they keep track of your online data, password managers are extremely beneficial.
Given all the recent news about hackers and the threats these managers face, you'll probably want to know what to look for in a professional-grade password manager.
Here are the most important features of the password generators built into these managers, which generate all of your passwords for you.
- Can the generator combine numbers and letters, as well as other special characters, when it produces a password?
- Do you prefer password managers that allow you to customise the length of their passwords as well as the content of your passwords? This is useful if you use websites that have specific password requirements or if you want to change the passwords that have been assigned to you.
- Does the password manager provide protection from external threats?
The best managers use vaults to store your information, which keeps it safe from prying eyes and other people.
The option of storing your passwords in the cloud may be more appealing to you.
This provides you with the flexibility to access your information from a variety of devices at your disposal.
If your computer hard drive fails, you may find yourself in the position of having to retrieve your passwords from the cloud in order to use them with your new computer or another device.
In addition, you might want to consider password managers that include autofill functionality.
This feature is useful if you don't want to write down your passwords and type them in manually on each website you visit. It enables you to save your passwords and have the manager automatically enter them for you when you visit your favourite websites on your computer.
You should also take into consideration those that generate and change your passwords at random. Some managers will generate new passwords at random on a regular basis, while others will allow you to set a schedule for when those changes will take place.
Read: The Best Password Managers for 2022 | TechRadar
Password protection is a process that IT Managers would do well to understand and follow.
The cost of not having a process for this is way too expensive.
Once you understand the implications of poor passwords, the cost of data breaches, and the techniques used to breach passwords, you can create a number of process documents for your company. This helps everyone to know the importance of strong passwords and how to create and maintain them.
Read how: Password SOP, Password Policy or Password Guidelines.
Keep Stress Out. Let Sleep In.
Consltek’s Managed IT Services provides migraine-free managed IT solutions to businesses with 100+ staff in the US.
Secure your hardware and software - think penetration testing, threat hunting, and prevention of cyber attacks.
Get a team of experienced specialists to manage time-sucking IT snafus in advance.
Tackle business continuity, infrastructure issues, help desk problems, cloud management and pressing IT incidents with ease and flair.
As a growth focussed company, you get to enjoy 24 x 7 x 365 IT management.
You, and your IT Team, stay away from managing pesky IT issues. You also get to focus on your business growth, sleep soundly, and look like a champion with Consltek Inc.