Online security is everything now-a-days, due to it being more important than ever, and the most basic forms of security can be passwords. These secret strings of letters, numbers and special characters keep unwanted eyes from seeing your sensitive data. It should be obvious that they are important and should be kept to yourself, but we would like to ask why are people sharing and creating easy-to-hack passwords all the time? Well, would it be surprising that most breaches occur from internal sources?
The biggest threat to a business is lack of internal security.
And you guessed it, passwords are at the forefront of risks. Symantec's 2016 Internet Security Threat Report, shows that small businesses (any business up to 250 employees) have become the main target for hackers and phishers. These phishing campaigns are only going to be more prevalent with 18% in 2011 focusing their efforts on small businesses, which has risen to a shocking 43% in 2015. (We will be awaiting the next review of 2017-2018 and let you know how much more dangerous it has gotten...) This alone shows how important it is to keep passwords to yourself, not share them (even internally) and why they should be strong.
A fellow IT consulting firm, IS Decisions, has done some research and found that across many industries, the most likely ones to share their passwords were legal and human resources. The people being surveyed had answered that “At least one colleague has my login details.” (32% in the legal field and 30% in the human resources field.) Want to hear something strange though? According to this IS Decisions research study, younger people are actually more likely to share their password.
“This highlights the strong need to control and educate your entire extended organization, not just the full and part time employees but your outsourced partners and entire supply chain.” -IS Decisions
About half of employees (52%) think that no risk can be associated with sharing work-related passwords. Most employers (63%) do not even have a strictly enforced security policy. Most shocking of all though is that a staggering 82% of employees believe that could access sensitive information about the company that they were not authorized to see. Scary right? Well let's keep this train rolling with more scary statistics then… Did you know that 36% of employees continued to have access to sensitive information after they had left their job? Thankfully only about 9% choose to do anything with that access, but that number could be 0% with a proper understanding of you network and how to keep it secure.
So, we get that everyone should not be sharing their passwords with anyone, but couldn't everyone just change their passwords a few times each year? Well researchers at the University of North Carolina have found that some forms of frequent password changes may actually decrease your network's security.
The UNC researchers said that “Frequent password changes do little to improve security and very possibly make security worse by encouraging the use of passwords that are more susceptible to cracking.” If people need to change passwords more frequently, say every 90 days, then they tend to fall into a sort of pattern. They will begin using slight variations of the same password, effectively not changing it at all. For example, if my password was originally “LetMeIn123!”, but I changed it to “LetMeIn456!”. This minor change makes it easy to crack this password.
This study found that 17% of accounts where the original password had already been compromised, the next password could be guessed in less than 5 attempts.
If you do need to change your password often, do not follow some conventional pattern that will compromise you and your businesses' security. Even the strongest passwords can be pointless if they are compromised.
So, what are you to do? It is simple! Keep your password private and understand that when you do change it (whether you feel it has been compromised or you are being forced to change it) remember the importance of staying away from any sort of pattern between the last password to your next.
MyGlue is a Password & Process Management system.
Imagine your employee handbook always up to date - or policy notices available to anyone you want at any time.
Resources:
Here is a strictly fun resource to test future passwords or simply see what a good password would look like. (We don't recommend entering any current password that you use into anything other than your login screen.)
Here is another resource that was created based around a leak of 10 million passwords of people in various fields. You can use it to find out what to avoid and how to create a strong password that will take centuries to crack.