How Poor Password Protection Puts Your Company at Risk for a Data Breach

The weakest links in any organization’s cyber security strategy are the people who use the network. Consider a few of these facts from Verizon Enterprise’s 2013 Data Breach Investigations Report (DBIR):

  • Percentage of intrusions exploiting weak or stolen login credentials: 76 percent
  • Percentage of attacks perpetrated by former employees whose credentials weren’t disabled: Over 50 percent
  • Percentage of IP thefts that took place within 30 days of an employee’s resignation: 70 percent
  • Percentage of attacks involving social tactics to obtain credentials including email, phone calls and social networks: 29 percent

In many cases, hackers don’t have to use sophisticated techniques to attack networks; they simply exploit weak passwords. Fortunately, training employees to create better passwords is easier than you may think. Many companies are also starting to incorporate protective steps like multi-factor authentication. An extra security step like two-factor authentication ensures that a user is who they claim to be, and two-factor authentication works best when it’s built upon smart, tough-to-crack passwords.

Building a Better Password

Time recently released its annual list of the 25 Worst Passwords. Surprisingly, “password” was finally dethroned from the top spot by the equally ingenious “123456.” Other top entries included “trustno1,” “letmein,” “qwerty” and “iloveyou.” Instead of using these obvious passwords, people should use a hard-to-remember combination of letters, numbers and symbols, right?

The answer is “maybe.” In many cases, those random passwords are hard for humans to remember but easy for password-cracking programs to guess. Instead, try these tricks for building a better password that’s both memorable and tough to crack:

  • Use a memorable phrase. Remember when you learned the notes of the treble clef music staff? You memorized the phrase “every good boy does fine” to learn the location of the notes E, G, B, D and F. In a similar way, create a memorable phrase and use the first letters of each word to generate your new password. For example, the phrase “Barack Obama cooks waffles for my grandmother in Tulsa” would become “BOcwfmgiT.” It’s a good, random mix of upper-case and lower-case letters that’s easy to remember.
  • Use the whole phrase. Instead of using a mix of the first letters of each word, just use the phrase. Consider this example from an article in Slate: The password J4fS<2 would take 219 years to crack. Alternatively, the phrase “this is fun” could take 2,537 years to crack if a hacker was using a password cracker that tested every possible combination of numbers and characters.
  • Use a password manager. Password managers like Keeper and LastPass store all of your passwords within a secure vault. You use a single password to enter the vault, and then the program automatically enters your login credentials in your password field. These programs can auto-generate passwords for you that are completely random, so you don’t have to worry about memorizing them.
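To make the length-versus-complexity point concrete, here is a small estimator (added here; not from the article or from Slate) that computes the brute-force search space of a password from its character classes and length, and turns that into a time-to-exhaust at an assumed guessing rate. The 100 guesses/second rate is an assumption chosen for illustration (roughly what an online login form might allow), not a figure the article states, so the resulting years will not match the article’s numbers except by coincidence.

```python
import string

# Assumed attacker guessing rate (constructed assumption, not from the article).
# 100 guesses/second is in the range of online guessing against a login form;
# an offline attack on a leaked hash database can be many orders of magnitude faster.
GUESSES_PER_SECOND = 100
SECONDS_PER_YEAR = 365 * 24 * 3600


def acronym(phrase: str) -> str:
    """The 'memorable phrase' trick: first letter of each word, case preserved."""
    return "".join(word[0] for word in phrase.split())


def charset_size(password: str) -> int:
    """Size of the smallest standard character pool that contains every
    character in the password. A brute-force attacker who knows which
    classes were used searches this pool, not a larger one."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    if " " in password:
        size += 1  # space counts as one extra symbol in the pool
    return size


def keyspace(password: str) -> int:
    """Number of candidates of this length over this pool; the exponent (length)
    dominates, which is why a long plain phrase beats a short symbol soup."""
    return charset_size(password) ** len(password)


def years_to_exhaust(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time for an exhaustive search at the assumed rate."""
    return keyspace(password) / rate / SECONDS_PER_YEAR


if __name__ == "__main__":
    for pw in ("J4fS<2", "this is fun",
               acronym("Barack Obama cooks waffles for my grandmother in Tulsa")):
        print(f"{pw!r:16} pool={charset_size(pw):3} "
              f"keyspace={keyspace(pw):.3e} years={years_to_exhaust(pw):,.1f}")
```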

Adding Multi-Factor Authentication

Authentication techniques involve one of three elements: something you know, like a password; something you have, like an ATM card; or something you are, like a biometric scan of your iris. Multi-factor authentication combines these techniques for tighter password security. For example, you can log in to a network using a password—something you know. Then, the network can send a unique passcode to your cell phone—something you have—via text message, and you can input the passcode to access the network.

The DBIR advocates multi-factor authentication as one of the most effective ways to protect company networks. According to Verizon, multi-factor authentication could prevent up to 80 percent of successful attacks. By building strong passwords and using multi-factor authentication, companies could go a long way toward controlling their cyber security risks.

Developing Technologies

New technologies may eventually render passwords obsolete. An organization called FIDO (Fast IDentity Online), supported by heavyweights like Microsoft, Google and MasterCard, is working to develop a software client that can use public key encryption to authenticate users. Still, until a password replacement comes along that is both effective and easy to use, the best way to prevent a data breach is to create effective passwords as part of a multi-factor authentication strategy.