Password Security: Do’s & Don’ts

Low-Security Account Credentials

Although it should be common sense, employees need to avoid the use of passwords that are easy for hackers to guess. Among the top ten worst passwords according to http://www.splashdata.com are those that use a series of numbers in numerical order, such as <123456>. The names of popular sports such as <football> and <baseball> are also on the list as are quirky passwords such as <qwerty> and even the word <password> itself.

Emphasis should also be placed on the importance of avoiding common usernames. In analysis conducted by the information security firm Rapid7, hackers most often prey upon these 10 usernames in particular:

Username
Administrator
Administrator
user1
Admin
Alex
Pos
Demo
db2admin
SQL

How Attackers Exploit Weak Passwords to Obtain Access

While most websites don’t store actual username passwords, they do store a password hash for each username. A password hash is a form of encryption, but cybercriminals can sometimes use the password hash to reverse engineer the password. When passwords are weak, it's easier to break the password hash.

Here is a list of common word mutations hackers use to identify passwords if they feel they already have a general idea of what the password might be:

Capitalizing the first letter of a word
Checking all combinations of upper/lowercase for words
Inserting a number randomly in the word
Placing numbers at the beginning and the end of words
Putting the same pattern at both ends, such as <foobar>
Replacing letters like <o> and <l> with numbers like <0> and <1>
Punctuating the ends of words, such as adding an exclamation mark <!>
Duplicating the first letter or all the letters in a word
Combining two words together
Adding punctuation or spaces between the words
Inserting <@> in place of <a>

Educating end users on these tactics underscores the importance of creating long passwords (at least 12 characters) and applying multiple deviations, rather than something simple like just capitalizing the first letter.

Nine Tips to Strengthen Password Security

Change passwords at least every three months for non-administrative users and 45-60 days for admin accounts.
Use different passwords for each login credential.
Avoid generic accounts and shared passwords.
Conduct audits periodically to identify weak/duplicate passwords and change as necessary.
Pick challenging passwords that include a combination of letters (upper and lower case), numbers and special characters (e.g. <$>, <%> and <&>).
Avoid personal information such as birth dates, pet names, and
Use passwords or passphrases of 12+ characters.
Use a Password Manager such as LastPass where users need just one master password.
Don’t use a browser’s auto-fill function for passwords.

An advanced and under-used password security tip to consider is two-factor authentication, which is a way for websites to double confirm an end user’s identity. After the end user successfully logs in, they receive a text message with a passcode to then input to authenticate their ID.

This approach makes sure that end users not only know their passwords but also have access to their own phone. Two-factor authentication works well because cybercriminals rarely steal an end user’s password and phone at the same time. Leading banks and financial institutions enable two-factor authentication by default, but if not, the service can often be turned on by asking the website to do so. More and more non-financial websites are now offering two-factor authentication as well.

Information Security: Businesses Need IT, We Can Provide IT

Due to the quickly evolving cybersecurity landscape, many small & medium businesses lack the ability to keep up and are ill-prepared for the threats that exist today. Below are the percentage of organizations that don’t have the following threat detection tools and processes in place.

Small & medium sized businesses can look to partner with Ray Morgan Company to bridge this skills gap and gain access to the expertise needed to stay protected. We are here to support your business 24x7x365 to ensure that no matter what type of threat enters your network, we can help keep your business secure.