2017 was littered with cyberattacks, hacks and data breaches, from the Petya/NotPetya attack that forced Chernobyl’s radiation levels to be monitored manually, to the NHS WannaCry attack that impacted over 7000 appointments, right through to Uber, who paid $100,000 to the hackers to delete the breached data and keep quiet. 2018 has not yet seen attacks on the scale of last year’s – let’s hope it stays that way!
The upside to these attacks is that they started a conversation about cybersecurity, meaning businesses are now taking measures to secure their IT systems and safeguard data.
One thing that is often overlooked when considering cybersecurity is the human element. Even the most robust IT infrastructure is susceptible to attack if the individuals using it choose poor passwords.
In light of this, here are a few common mistakes to avoid and our top tips for secure passwords.
Eliminate common passwords
You shouldn’t use the most common passwords, as these are the passwords that hackers will try first.* Believe it or not, ‘password’ and its many variations – ‘password1’, ‘pa$$w0rd’, ‘pa55word’ etc. – are still amongst the most used passwords.
The seasons are common as well, which puts ‘Spring2018’, ‘Autumn17!’ and similar passwords off the cards. Passwords involving your company name are also very common and should be avoided – ‘Company1’, ‘C0mpany1!’ and ‘Company!’ for example.
Lastly, common password patterns should be eliminated too. One uppercase letter, six lowercase letters and then a ‘1’ and/or ‘!’ is a really common pattern – ‘Bridget1’ and ‘Bicycle1!’ for example – which means your password will be cracked far more quickly than if you avoided it.
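The checks described above can be enforced at the point a password is set, before it ever reaches the directory. The following is an added example, not code from the original post: a small checker that rejects the SplashData top ten and the ‘password’ variants named in the post, season-based passwords, passwords built around an assumed company name, and the Capital+lowercase+‘1’/‘!’ shape (generalised here to any run of lowercase letters, not just six). The leet-speak reversal table and the company name are assumptions for illustration.

```python
import re

# Blocklist constructed from the post: SplashData's 2017 top ten plus the
# 'password' variants the post names.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "12345", "123456789",
    "letmein", "1234567", "football", "iloveyou",
    "password1", "pa$$w0rd", "pa55word",
}
SEASONS = ("spring", "summer", "autumn", "fall", "winter")

# Assumed reversal of the usual character substitutions, so that 'pa$$w0rd'
# and 'C0mpany' compare equal to 'password' and 'company'.
LEET = str.maketrans({"0": "o", "3": "e", "4": "a", "5": "s", "$": "s", "@": "a"})

# The 'Bridget1' / 'Bicycle1!' shape: one capital, a run of lowercase
# letters, then '1', '!' or '1!'.
PATTERN = re.compile(r"^[A-Z][a-z]+(1|!|1!)$")


def normalise(password: str) -> str:
    """Lower-case, drop a trailing digits/'!' suffix, then undo leet substitutions."""
    base = re.sub(r"[0-9!]+$", "", password.lower())
    return base.translate(LEET)


def check_password(password: str, company_name: str) -> list[str]:
    """Return the reasons a password should be rejected (empty list = accepted)."""
    reasons = []
    lowered = password.lower()
    core = normalise(password)
    if lowered in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        reasons.append("common password or variant")
    if core in SEASONS:
        reasons.append("season-based password")
    if company_name and company_name.lower() in core:
        reasons.append("contains the company name")
    if PATTERN.match(password):
        reasons.append("predictable Capital+lowercase+'1'/'!' pattern")
    return reasons


if __name__ == "__main__":
    for candidate in ("pa$$w0rd", "Autumn17!", "C0mpany1!", "Bicycle1!",
                      "Riverside Road Hitchhikers Guide 42"):
        verdict = check_password(candidate, "Company") or ["accepted"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

Stripping the trailing digits and ‘!’ before comparing is what catches ‘Autumn17!’ and ‘C0mpany1!’; the blocklist itself should be far larger in practice (a breached-password list rather than ten entries), but the normalisation step is the same.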
Don’t use passwords for multiple accounts
One of the biggest mistakes businesses make is setting administration account passwords to be the same as user passwords. This means that if one password is cracked, the hacker then has access to multiple accounts.
The same applies to non-admin accounts too. Reusing passwords is bad practice because it simply isn’t secure.
We know that password length is more important than complexity. Using brute force (repeated trial-and-error password attempts), a 7-character password can be cracked in an hour, compared to a 10-character password which can take 6 years. Passphrases are particularly good because they’re longer and easier to remember than a standard password.
The key to a good passphrase is to have an assortment of words that you will remember but will be difficult for others to guess. For example, you might use a local road name, your favourite book title, or anything else that’s memorable for you. Keep it random though – avoid your name or the name of the account you’re logging into for example.
Sort your password policy
A company’s password policy has a big impact on password security. Most organisations have a password expiration period of 90 days or less. It seems counterintuitive, but we agree with the advice from the National Cyber Security Centre that this isn’t best practice. Password expiration policies tend to result in a ‘password1’, ‘password2’, ‘password3’ type pattern. These patterns are easy to guess and provide no additional security, thereby defeating the point of having password expiration.
We’d recommend dropping forced password resets, raising the minimum password length, and checking that a new password hasn’t been used before.
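Here is what that policy looks like in code, as an added example rather than anything from the post or from a particular product: a password-change routine that enforces a minimum length, refuses any password the account has used before, and stores no expiry date at all. Previous passwords are kept only as salted PBKDF2 hashes so the history itself is not a list of reusable secrets. The minimum length of 14, the history depth of 10 and the iteration count are assumed values; the post gives no figures.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Assumed policy values: the post recommends a higher minimum length and
# no reuse but does not state numbers.
MIN_LENGTH = 14
HISTORY_SIZE = 10
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so stored history cannot be reversed in bulk."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    # Each entry is (salt, digest) for one previous password. Note there is
    # deliberately no 'expires' field: passwords change only when needed.
    history: list[tuple[bytes, bytes]] = field(default_factory=list)

    def was_used_before(self, password: str) -> bool:
        """Re-derive the candidate with each stored salt and compare in constant time."""
        return any(
            hmac.compare_digest(hash_password(password, salt), digest)
            for salt, digest in self.history
        )

    def set_password(self, password: str) -> str:
        """Apply the policy; return 'ok' or the reason the change was refused."""
        if len(password) < MIN_LENGTH:
            return f"too short: minimum is {MIN_LENGTH} characters"
        if self.was_used_before(password):
            return "previously used password"
        salt = os.urandom(16)
        self.history.append((salt, hash_password(password, salt)))
        del self.history[:-HISTORY_SIZE]  # keep only the most recent entries
        return "ok"


if __name__ == "__main__":
    acct = Account()
    for attempt in ("Bridget1", "riverside road hitchhikers guide",
                    "riverside road hitchhikers guide", "autumn leaves on the towpath"):
        print(f"{attempt!r}: {acct.set_password(attempt)}")
```

Because the history holds hashes, the reuse check has to re-derive the candidate once per stored entry, which is why the history is capped; the same routine would sit behind whatever self-service reset page or directory hook the organisation uses.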
Use a password management tool
We use and recommend LastPass to manage passwords. With a management tool, users only have to remember one password – the master password for the management system. This also stops users resorting to insecure methods of password management such as writing down passwords, emailing them to themselves, or storing them in a Word document.
Use a login monitoring system
A good login monitoring system allows you to see where and when successful and unsuccessful login attempts were made. This enables you, for example, to apply additional security to certain accounts. Office 365 has features that enable you to do this – you can present information from Azure AD Premium through a Power BI dashboard, for instance. This will highlight where in the world login attempts are being made and for which accounts. Azure AD then allows you to block login attempts, reset passwords for accounts, and automatically block attempts from certain locations.
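To show the kind of signal such a dashboard surfaces, here is an added example that is not part of the post and does not use the Azure AD or Power BI tooling it mentions: it walks a constructed sign-in log (timestamp, account, result, country) and flags a success that follows a run of failures, a success from a country the business does not normally sign in from, and accounts with a burst of failures, then maps each finding to one of the responses the post lists. The log lines, the failure threshold of five and the expected-country set are all constructed assumptions.

```python
import csv
from collections import Counter, defaultdict
from io import StringIO

# Constructed sample sign-in records (not real data, and not the Azure AD
# export format): timestamp, account, result, country of the source address.
SAMPLE_LOG = """\
timestamp,account,result,country
2018-03-02T08:14:02Z,alice,Success,GB
2018-03-02T08:20:11Z,bob,Failure,GB
2018-03-02T08:20:40Z,bob,Success,GB
2018-03-02T09:02:05Z,alice,Failure,RU
2018-03-02T09:02:09Z,alice,Failure,RU
2018-03-02T09:02:14Z,alice,Failure,RU
2018-03-02T09:02:19Z,alice,Failure,RU
2018-03-02T09:02:25Z,alice,Failure,RU
2018-03-02T09:02:31Z,alice,Success,RU
2018-03-02T10:30:00Z,carol,Success,US
"""

FAILURE_THRESHOLD = 5        # assumed: this many failures in a row is suspicious
EXPECTED_COUNTRIES = {"GB"}  # assumed: where staff normally sign in from


def parse_log(text: str) -> list[dict]:
    """Read the CSV export into one dict per sign-in, in log order."""
    return list(csv.DictReader(StringIO(text)))


def find_suspicious(records: list[dict]) -> list[tuple]:
    """Walk the sign-ins in order and return (finding, account, detail) tuples."""
    streak = Counter()   # consecutive failures per account, reset by a success
    total = Counter()    # all failures per account
    findings = []
    for r in records:
        account = r["account"]
        if r["result"] == "Failure":
            streak[account] += 1
            total[account] += 1
            continue
        # A success straight after a run of failures is the classic sign that
        # a guessing attack eventually found the password.
        if streak[account] >= FAILURE_THRESHOLD:
            findings.append(("success_after_failures", account, streak[account]))
        streak[account] = 0
        if r["country"] not in EXPECTED_COUNTRIES:
            findings.append(("unexpected_country", account, r["country"]))
    for account, n in total.items():
        if n >= FAILURE_THRESHOLD:
            findings.append(("failure_burst", account, n))
    return findings


def recommended_actions(findings: list[tuple]) -> dict[str, set[str]]:
    """Map each flagged account to the responses the post describes."""
    actions = defaultdict(set)
    for kind, account, detail in findings:
        if kind == "success_after_failures":
            actions[account].add("reset password")
        elif kind == "unexpected_country":
            actions[account].add(f"review or block sign-ins from {detail}")
        elif kind == "failure_burst":
            actions[account].add("block further attempts")
    return dict(actions)


if __name__ == "__main__":
    found = find_suspicious(parse_log(SAMPLE_LOG))
    for finding in found:
        print(finding)
    for account, todo in recommended_actions(found).items():
        print(f"{account}: {', '.join(sorted(todo))}")
```

In the sample, bob’s single mistyped password produces nothing, while alice is flagged three ways and carol once; the same per-account failure streak and country comparison are what a geo-aware dashboard is plotting, just aggregated over a much larger export.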
We’re able to set up and train users on LastPass, so give us a call if you’re interested, or would like any more information about secure passwords, Azure AD, or Power BI.
*According to research from SplashData, the following are 2017’s most common passwords, so definitely avoid these: 123456, Password, 12345678, qwerty, 12345, 123456789, letmein, 1234567, football, iloveyou