CHAPTER 2: Your IT Security is only as strong as your weakest link
Your business likely has cybersecurity software in place to protect it from a cyberattack or ransomware shutdown – but what if a member of staff is using a password that would allow your network to be hacked in milliseconds?
Your IT Security strategy is only as strong as its weakest link, and in many cases, this can be as simple as staff using a common password. How can you ensure your employees are not inadvertently putting your business at risk from cybercriminals and ransomware attacks?
Theft of your confidential client, customer or service data will instantly cause endless problems for your organisation. For a start, there are legal GDPR data breach issues to contend with, plus the damage to your business reputation and the impact this would cause.
Our article provides expert advice to ensure there are no weak links in your IT Security strategy. Learn:
- What are the Top 10 most common UK passwords?
- 9 methods used by cybercriminals to steal passwords
- The best way to easily create strong, secure passwords
World Password Day is an international event created to help people remember the importance of strong passwords. On this day, it’s an opportunity to update your passwords and make them more secure.
In today’s digital world, we store a vast amount of personal and sensitive business information online, so securing our accounts and data with strong passwords is of utmost importance. This is why World Password Day is held on the first Thursday of May each year, to raise awareness about the importance of strong passwords for IT Security.
What is a Password?
A password is a piece of information used to prove your identity. It’s usually presented as an alphanumeric string, such as “1T53cUr1Ty1” or “Annoying_Old_Laptop”. While fingerprint and facial recognition security is available to access the latest devices, passwords are still commonly required for endless IT and online activities – to log in to and access computers, email accounts, banking and online subscription services.
Why are Passwords Important?
Passwords are important because they protect our accounts and sensitive data from unauthorised access. Cyber threats such as hacking, phishing, and identity theft are on the rise as more people carry out daily tasks on the internet, like digital communication and online banking. Cybercriminals use sophisticated methods to crack weak passwords and gain access to user accounts, leading to data breaches and financial losses.
Fraudsters can use complex and manipulative social engineering tactics, where they pretend to be family members in distress or even a romantic interest in need of money. They can also use specifically developed software to try to log into accounts en masse, using popular weak passwords that people are known to use online. This is known as a “Brute Force Attack”.
What is a Weak Password?
A weak password is one that can be easily guessed, cracked, or hacked. Weak passwords are often overly simple, easy to remember and therefore not very secure. If you opt to use a weak password, you are potentially offering hackers access to the sensitive information you store online. This can range from personal information on your social media accounts to sensitive business information or online banking details. All of which can become a nightmare if compromised.
Examples of weak passwords include:
- Your name or the name of your pets
- The same word repeated or with numeric sequences (such as 1234)
- A common word such as ‘password’ or ‘hello’
- A generic password used across multiple online accounts
A recent survey of the most popular UK passwords in 2022 highlighted some particularly weak passwords based on their popularity and the speed taken to crack them (the weakest takes less than a second). Consistently at the top of the common password charts is ‘password’, followed by variations of the word password, numbers and football teams.
Top 10 Most Common UK Passwords
This latest most common UK password data shows that despite growing cybersecurity awareness, old habits die hard. Sourced from https://nordpass.com/most-common-passwords-list/
How Do Cybercriminals Figure Out Weak Passwords?
Attackers use many techniques to discover passwords. They search for weaknesses in network security and use social engineering and technical attacks (such as system hacking). These include:
- Tricking online users into revealing their private password through social engineering scams, such as phishing or spoof calls.
- Using passwords leaked during a data breach to try to access other accounts where the same passwords may have been used.
- ‘Password Spraying’ or guessing commonly used passwords on user accounts.
- Brute force attacks using software to submit thousands of passwords per second, until the correct one is found.
- Theft of password files en masse via a company hack or malware attack.
- Installing keylogging software to track information typed into a device.
- Finding passwords which have been stored insecurely offline – such as written down near to a user’s computer.
- ‘Shoulder Surfing’ or someone physically watching a user enter a password.
- Criminals stealing data through fraudulent employment within a large organisation.
Most of these techniques and the tools needed to apply them are widely available, requiring only limited technical skills to set them up. They also show the extensive measures some individuals will take to access your password data.
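The two automated techniques in the list above, password spraying (one source trying a common password against many accounts) and brute force (one source hammering a single account), leave distinct footprints in authentication logs. The following is an added example, not code from the original article or from any product it mentions: it parses a constructed, simplified sshd-style log and flags both patterns. The log lines, the source addresses and the thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict


def build_sample_log():
    """Constructed sample log (made up for this example, not taken from the
    article). The format mimics a simplified sshd entry in /var/log/auth.log."""
    lines = []
    # One source tries six different accounts once each: spraying pattern.
    for i, user in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"]):
        lines.append(f"2024-05-02T09:00:{i:02d} sshd: Failed password for {user} from 203.0.113.5")
    # One source hammers a single account: brute-force pattern.
    for i in range(12):
        lines.append(f"2024-05-02T09:01:{i:02d} sshd: Failed password for admin from 198.51.100.7")
    # A genuine user mistypes once, then succeeds: must not be flagged.
    lines.append("2024-05-02T09:02:00 sshd: Failed password for alice from 192.0.2.9")
    lines.append("2024-05-02T09:02:30 sshd: Accepted password for alice from 192.0.2.9")
    return "\n".join(lines)


LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_auth_log(text):
    """Return (timestamp, failed, user, src) tuples; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m["ts"], m["result"] == "Failed", m["user"], m["src"]))
    return events


def detect_password_attacks(events, spray_min_users=5, brute_min_attempts=10):
    """Flag sources that fail against many distinct accounts (spraying) or many
    times against one account (brute force). The thresholds are assumptions for
    the example; tune them to the environment's normal failure rate."""
    users_per_src = defaultdict(set)
    fails_per_pair = defaultdict(int)
    for _ts, failed, user, src in events:
        if failed:
            users_per_src[src].add(user)
            fails_per_pair[(src, user)] += 1

    findings = []
    for src, users in sorted(users_per_src.items()):
        if len(users) >= spray_min_users:
            findings.append({"type": "password_spraying", "src": src,
                             "distinct_users": len(users)})
    for (src, user), n in sorted(fails_per_pair.items()):
        if n >= brute_min_attempts:
            findings.append({"type": "brute_force", "src": src,
                             "user": user, "failures": n})
    return findings


if __name__ == "__main__":
    for finding in detect_password_attacks(parse_auth_log(build_sample_log())):
        print(finding)
```

The spraying rule keys on the number of distinct accounts per source rather than the raw failure count, which is what separates it from brute force and from a single user mistyping a password; in production both rules would be evaluated over a sliding time window.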
How to Create a Strong Password
There are several steps you can take to really make sure that your password is strong and therefore difficult for online criminals to work out or crack using software. These include:
- Make your password as long as possible. The longer the password, the stronger it is.
- Use a combination of letters and numbers. This makes it harder for hackers to guess your password by brute force methods like trying every combination of letters and numbers until they get it right (also known as “Dictionary Attacks”).
- Avoid personal information like birthdays or pet names in your passwords. If someone gets access to this information from another source, they could use it as part of their attempt at guessing your password.
- Don’t reuse passwords across multiple sites or services, even when the services are unrelated. Reusing passwords increases risk because if someone figures one out, they may have access to all your other accounts too.
There are many tools online which can automatically generate strong passwords for both individual and business users. Many websites also include a password strength indicator when creating an account, designed to encourage users to create something secure.
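The strength indicators mentioned above combine a few checks: a denylist of common passwords, a search for personal information and sequences, and a length or entropy estimate that translates into a crack time at a given guessing rate. The following is an added example, not code from the original article: a small checker that applies the advice in this section. The denylist is a constructed stand-in for the article’s “most common UK passwords” table, and the guessing rate is an assumption used only for the estimate.

```python
import math

# Constructed denylist in the spirit of the article's common-password list;
# the article's own table is not reproduced here. A real check would use a
# large breach-derived list.
COMMON_PASSWORDS = {
    "password", "123456", "123456789", "qwerty", "password1",
    "liverpool", "hello", "letmein", "welcome", "abc123",
}

# Letter-for-digit swaps that guessing tools already try; undoing them before
# the denylist lookup reflects the article's point that such swaps add little.
LEET = str.maketrans("430$5@", "aeossa")

# Assumed offline guessing rate for the crack-time estimate (example value).
GUESSES_PER_SECOND = 1e10


def charset_size(password):
    """Size of the alphabet implied by the character classes present."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII symbols
    return size


def search_space(password):
    """Number of candidates a brute-force search over this alphabet and length covers."""
    return charset_size(password) ** len(password)


def entropy_bits(password):
    """Upper-bound entropy: assumes every character was chosen uniformly at random,
    so a dictionary word with a digit appended scores far higher than it deserves."""
    space = search_space(password)
    return math.log2(space) if space > 0 else 0.0


def crack_time_seconds(password, rate=GUESSES_PER_SECOND):
    """Expected time to hit the password: half the search space on average."""
    return search_space(password) / 2 / rate


def normalise(password):
    return password.lower().translate(LEET)


def assess(password, personal_info=(), min_length=12):
    """Return a verdict plus the reasons a password is weak, if any."""
    reasons = []
    low = password.lower()
    norm = normalise(password)
    if norm in COMMON_PASSWORDS or norm.rstrip("0123456789!?.") in COMMON_PASSWORDS:
        reasons.append("common password (also after undoing letter/number swaps)")
    for item in personal_info:
        if item and item.lower() in low:
            reasons.append(f"contains personal information: {item!r}")
    if len(password) > 1 and len(set(password)) <= 2:
        reasons.append("repeated characters")
    if any(seq in low for seq in ("1234", "abcd", "qwer")):
        reasons.append("contains a keyboard or numeric sequence")
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")

    bits = entropy_bits(password)
    if reasons:
        verdict = "weak"
    elif bits >= 80:
        verdict = "strong"
    else:
        verdict = "acceptable"
    return {"verdict": verdict, "reasons": reasons,
            "entropy_bits": round(bits, 1),
            "crack_time_seconds": crack_time_seconds(password)}


if __name__ == "__main__":
    for candidate in ("password", "P455w0rd", "fluffy2019", "Annoying_Old_Laptop"):
        print(candidate, assess(candidate, personal_info=["Fluffy"]))
```

The entropy figure is deliberately labelled an upper bound: it only describes how long an exhaustive search would take, which is why the denylist and pattern checks run first and override it.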
Best Password Practice
The UK National Cyber Security Centre offers guidance to businesses on how to implement a safe and effective password policy, designed to protect both your sensitive business information and customer data. NCSC content and advice is frequently updated to help you keep up with the latest threats posed by cybercriminals and techniques to keep your business cyber secure.
NCSC guidance is detailed, so we’ve collated some important takeaway points which you can quickly implement to improve your overall password security.
Three Random Words – A Recipe for Strong Passwords
Password complexity is at the heart of creating a good, strong password which is more difficult to compromise. However, for most people this usually involves trying to memorise a long string of random numbers, letters, and special characters – which we all know is extremely difficult!
The NCSC recommended Three Random Words approach is designed to make sure that you can easily create a password that is long, strong, difficult to crack and easy to memorise. There are several online tools which can be used to generate three random words.
‘Three Random Words’ password examples:
Even with Three Random Words, it’s still worth testing the strength of your password as some word combinations can be weaker than others. For example, your three words should indeed be random and not make up a recognised phrase, and you should still avoid using generic words like ‘password’ in your combinations. Where services require, you can still replace a couple of letters with numbers. This won’t necessarily make your password more secure (hackers are well aware of this trick) but it is necessary for some sites.
For more information, read this article from NCSC: The Logic Behind Three Random Words
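The Three Random Words approach described in this section, and the advice that the words must be genuinely random, not generic, and not a recognised phrase, can be put into a generator. The following is an added example, not code from the original article or from NCSC: it draws words with a cryptographic random source, rejects the combinations the article warns against, and reports how much entropy a word list of a given size provides. The word list, the denylist and the phrase list are constructed for the example; a real generator would use a list of several thousand words.

```python
import math
import secrets

# Constructed mini word list for the example. A real generator must draw from a
# large list (thousands of words): the strength comes from the list size, not
# from the words themselves.
WORDS = [
    "anchor", "basket", "cactus", "dolphin", "ember", "falcon", "garden",
    "harbour", "island", "jigsaw", "kettle", "lantern", "meadow", "nectar",
    "orbit", "pebble", "quiver", "ripple", "saddle", "thistle", "umbrella",
    "velvet", "walnut", "yonder", "zephyr", "beacon", "copper", "drizzle",
    "feather", "glacier", "hammock", "juniper",
]

# Generic words the article says to avoid, plus word triples that form a
# recognised phrase (constructed examples; extend from real usage data).
DENYLIST = {"password", "hello", "admin", "login", "welcome"}
KNOWN_PHRASES = {
    ("once", "upon", "time"),
    ("happy", "new", "year"),
    ("rock", "paper", "scissors"),
}


def passphrase_entropy_bits(wordlist_size, n_words=3):
    """Entropy of n words chosen uniformly (with replacement) from the list.
    Rejecting repeats and phrases below removes a negligible fraction of that."""
    return n_words * math.log2(wordlist_size)


def is_acceptable(words):
    """Reject generic words, repeated words and recognised phrases, as the article advises."""
    lowered = [w.lower() for w in words]
    if any(w in DENYLIST for w in lowered):
        return False
    if len(set(lowered)) != len(lowered):
        return False
    if tuple(lowered) in KNOWN_PHRASES:
        return False
    return True


def three_random_words(wordlist=WORDS, n_words=3, separator=""):
    """Draw words with a cryptographic RNG until an acceptable combination appears."""
    while True:
        words = [secrets.choice(wordlist) for _ in range(n_words)]
        if is_acceptable(words):
            return separator.join(words)


if __name__ == "__main__":
    print(three_random_words(separator="-"))
    print(f"{len(WORDS)}-word list, 3 words: {passphrase_entropy_bits(len(WORDS)):.1f} bits")
    print(f"7776-word list, 3 words: {passphrase_entropy_bits(7776):.1f} bits")
    print(f"7776-word list, 4 words: {passphrase_entropy_bits(7776, 4):.1f} bits")
```

The entropy figures are the part worth checking before adopting a generator: three words from the 32-word demo list give only 15 bits, whereas three words from a 7776-word list give about 39 bits, and the words must be chosen by the generator, not by a person, for that figure to hold.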
Multi-Factor Authentication (MFA)
Multi-Factor Authentication (or Two Step Verification – 2SV) is the use of more than one step to verify a user’s identity. This contrasts with single-factor authentication, which only requires one piece of information (like a password) to verify your identity. Multi-Factor Authentication can be implemented in many ways and you’re likely already using it on your online accounts. For example:
- When you log into your bank account online, they will ask for both your username and password, as well as some other piece of information from you such as a PIN code sent via text message or phone call before granting access to their site.
- If you sign into your cloud storage platform via a new device, you’ll be sent a text or email asking you to confirm your identity by entering a short-term use code.
Single Sign-On (SSO) Systems
A single sign-on (SSO) system is a method of authentication that allows users to access multiple applications or services with just one set of login credentials. This means that users don’t have to remember different usernames and passwords for each application or service they use. Instead, they can authenticate once to gain access across all the applications and services that they are authorised to use.
SSO systems can help reduce password-related security risks such as phishing attacks. They are widely used in enterprise environments where employees need to access multiple applications and services to perform their job duties securely, sometimes across several office locations. For example, if you log in to a Google service such as Gmail or Google Docs, you are automatically authenticated to access YouTube, AdSense, Google Analytics, and other Google apps.
Using Password Managers
A password manager is a software application that helps you create, store, and manage all your passwords in one place. The benefit of using a password manager is that it will automatically log you into all online accounts without having to remember any of the individual passwords.
There are many different types of password managers available; some are free while others require a paid subscription. Paid services usually offer additional security features such as two-factor authentication or biometric identification through fingerprint scanners or facial recognition software – a great layer of extra protection.
Should I Store Passwords in My Web Browser?
It is generally not recommended to store passwords in a web browser like Google Chrome or Mozilla Firefox, as it can pose a security risk. Although modern web browsers have encryption and other security measures in place to protect stored passwords, they can still be circumvented by determined cybercriminals.
If someone gains unauthorised access to your computer or device, they may be able to access your stored passwords through the web browser. Additionally, if your web browser is compromised by malware or a phishing attack, your stored passwords could also be stolen.
Instead, it is recommended that you use a dedicated password manager tool that is specifically designed for securely storing and managing passwords. These tools use more advanced encryption and security measures to protect your sensitive information.
Protecting Your Accounts
To protect your business, it’s important your employees follow best practices for account security. This includes:
- Using Three Random Words to create strong passwords – and ensuring all your employees do the same!
- Using a different password for each login account
- Saving passwords to a recommended Password Manager (so you don’t need to remember them all!)
- Staying aware of phishing attempts and avoiding clicking links in emails from unknown senders
For more information, read this article from NCSC: Phishing attacks: defending your organisation
If you suspect any suspicious activity on your accounts or devices, contact us immediately so we can help diagnose any problems.
Protecting Your Devices
You can protect your personal devices by using strong passwords and by keeping the software on your laptop, phone and computer up to date.
It’s important to know what suspicious activity looks like. If you notice any suspicious activity on any of your accounts (like unusual logins from unknown locations), change all your associated passwords immediately.
World Password Day Advice in Summary
This article has been a brief overview of how to sharpen up your password security, as part of our nod to the importance of International World Password Day. It’s up to you to act, remembering that your IT Security is only as strong as its weakest link! If you have any questions or comments, please feel free to talk to our expert IT security team.