Password Protection Alone Proves Problematic

Password Protection

For years the security industry has offered advice and guidance about how to keep accounts secure and the overwhelming advice is to use complex passwords and not use the same password across different online and user accounts. Many of us are probably guilty of using easy-to-remember passwords across multiple accounts and websites.

Whilst this isn’t a new problem, the issue is simple: once your password has been compromised by hackers on one site, they can also access any of your other online accounts that use the same password. In a 2014 global security report, weak passwords contributed to 31 percent of the compromises that experts investigated. This demonstrates that users are still not using complex passwords to secure online accounts, whether for personal or business use.

Strong Passwords & Beyond

Passwords that were once thought complex enough to make cracking improbable can now be cracked in hours or days. This requires users and administrators to rethink how they create passwords and how users are educated about password security. One of the best ways to make a password harder to crack is to create a passphrase: the longer the phrase, the more impractical it becomes for an attacker to brute force. At a minimum, users should be creating passwords of at least eight characters that include a combination of letters, numbers, and symbols.
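To make the two recommendations above concrete, the following is an added example (not code from the article or from Trustwave) that checks a password against the eight-character, letters-plus-numbers-plus-symbols minimum and estimates the brute-force search space, so that an eight-character complex password can be compared with a longer passphrase. The character-class sizes, the 10 billion guesses per second rate and the sample passwords are assumptions for illustration.

```python
import math
import string

# Assumed character-class sizes used for the keyspace estimate. The symbol
# count is the 32 printable ASCII punctuation characters; these are
# illustrative assumptions, not figures from the article.
CLASS_SIZES = {
    "lower": 26,
    "upper": 26,
    "digit": 10,
    "symbol": len(string.punctuation),
}


def meets_minimum_policy(password: str) -> bool:
    """Article's minimum: at least eight characters, with letters,
    numbers and symbols all present."""
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(c in string.punctuation for c in password)
    return len(password) >= 8 and has_letter and has_digit and has_symbol


def keyspace_bits(password: str) -> float:
    """Upper bound on brute-force effort: length * log2(alphabet size),
    where the alphabet is the union of character classes actually used."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += CLASS_SIZES["lower"]
    if any(c.isupper() for c in password):
        alphabet += CLASS_SIZES["upper"]
    if any(c.isdigit() for c in password):
        alphabet += CLASS_SIZES["digit"]
    if any(c in string.punctuation for c in password):
        alphabet += CLASS_SIZES["symbol"]
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def brute_force_years(password: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to exhaust the keyspace at an assumed offline
    cracking rate (10 billion guesses/second is an assumption)."""
    seconds = 2 ** keyspace_bits(password) / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    # Constructed sample inputs: a short complex password and a longer
    # lowercase passphrase.
    for candidate in ("password", "Tr0ub4d!", "correct horse battery staple"):
        print(
            f"{candidate!r}: policy={meets_minimum_policy(candidate)} "
            f"bits={keyspace_bits(candidate):.1f} "
            f"years={brute_force_years(candidate):.3g}"
        )
```

The estimate is a ceiling: it assumes the attacker enumerates every character combination. A passphrase built from common dictionary words has far less entropy than its character-level keyspace suggests, because a word-list attack guesses whole words rather than characters, which is why the passphrase should still be long and not a famous quotation. Note also that the policy check passes a password such as "password" through none of the tests, whereas "Tr0ub4d!" satisfies the minimum yet still falls to an offline attack within days at the assumed rate.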

In addition to creating stronger passwords, organisations have the opportunity to further increase their level of protection by adopting two-factor authentication. Two-factor authentication can help prevent cyber-criminals from accessing online accounts, even if they are able to get hold of a username and password. Many social network sites have made two-factor authentication available to their users under “settings”, and businesses should also deploy two-factor authentication in case their employees continue to use weak passwords.
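The point that a stolen username and password are not enough on their own is easier to see in code. The following is an added example, not code from the article or from Trustwave, of a login routine that requires both a salted password hash match and a time-based one-time code (RFC 6238 TOTP, HMAC-SHA1, 30-second steps) before granting access. The credential store, the salt and the user are constructed for the demonstration; the TOTP key is the RFC 6238 test-vector key, so the codes can be checked against the published vectors.

```python
import hashlib
import hmac
import struct
import time

PBKDF2_ITERATIONS = 200_000  # assumed work factor for the demo


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so a leaked store does not reveal passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the time counter with dynamic truncation."""
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def login(store: dict, username: str, password: str, otp_code: str, now=None) -> bool:
    """Grant access only when the password AND the one-time code verify.
    A username/password pair on its own is rejected."""
    user = store.get(username)
    if user is None:
        return False
    expected = hash_password(password, user["salt"])
    if not hmac.compare_digest(expected, user["hash"]):
        return False
    now = int(time.time()) if now is None else now
    # Accept the current 30-second step and one step either side to
    # tolerate clock drift between server and authenticator app.
    for drift in (-30, 0, 30):
        if hmac.compare_digest(totp(user["totp_secret"], now + drift), otp_code):
            return True
    return False


# Constructed demo credential store (one user). The TOTP key is the
# RFC 6238 test-vector key "12345678901234567890".
DEMO_SALT = b"constructed-demo-salt"
DEMO_TOTP_KEY = b"12345678901234567890"
DEMO_STORE = {
    "alice": {
        "salt": DEMO_SALT,
        "hash": hash_password("Tr0ub4d!", DEMO_SALT),
        "totp_secret": DEMO_TOTP_KEY,
    }
}


if __name__ == "__main__":
    # An attacker holding only the password fails; the legitimate user
    # supplying the current code from their authenticator succeeds.
    now = int(time.time())
    print("password only :", login(DEMO_STORE, "alice", "Tr0ub4d!", "000000", now))
    print("both factors  :", login(DEMO_STORE, "alice", "Tr0ub4d!",
                                   totp(DEMO_TOTP_KEY, now), now))
```

The `compare_digest` calls keep both checks constant-time, and the order of the checks means the one-time code is only evaluated once the password is right, so a wrong password gives the same answer whether or not the attacker also guessed a code. In a real deployment the TOTP secret must be stored as carefully as the password hash, and a code should be accepted only once per time step to stop replay.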

What Comes Next?

Beyond passwords and two-factor authentication, there are a number of steps that organisations can take to improve their security posture, including educating their employees about how to create strong passwords and why complex passwords matter.

Usernames and passwords can provide the keys to the kingdom for attackers, and ensuring that organisations make it as hard as possible for hackers to get in that way is an important first step. Also, businesses should implement a layered approach to security beginning with a risk assessment to see where their valuable data lives and moves. They can then use this inventory of their databases, applications, networks, devices and endpoints to deploy protections around those vectors.

Businesses should also conduct frequent vulnerability scanning and penetration testing to help identify and remediate vulnerabilities before criminals exploit them. Finally, if businesses find they do not have enough manpower and skillsets to effectively make sure their security controls are installed, updated and working properly, they should augment their in-house IT staff by partnering with an outside team of security experts whose sole responsibility is to help protect their valuable data and stay ahead of the latest threats.

Karl Sigler

Karl Sigler is the Threat Intelligence Manager at Trustwave, where he is responsible for research and analysis of current vulnerabilities, malware, and threat trends.