Every now and then, we hear or read about a data breach in which the perpetrators used a highly advanced threat vector. Today’s post is not about any such advanced mechanism but about a much simpler issue: weak passwords.
With our lives getting more digital each day, we need numerous passwords. Setting a complex password for each of your digital assets, and then remembering them all, may not be humanly possible.
However, does this challenge justify having passwords that are astonishingly obvious and easy to crack? The answer should certainly be no. However, recently conducted studies paint a completely different picture.
NordPass Findings on Weak Passwords
Recently, a report titled “The misfortunate passwords of Fortune 500 companies” was released by the password manager NordPass. The findings of this report on how most of us treat our passwords are a huge eye-opener.
Most interestingly, the data set NordPass used for its analysis was based on publicly available third-party data on data breaches that impacted the Fortune 500 companies. It is estimated that nearly 15 million breaches were studied across 17 sectors.
Here are a few alarming findings from this data:
- Weak passwords are prevalent across the board, whether it is retail, tech, energy, finance, IT or another sector.
- The word “password” itself was the hottest favorite among weak passwords across multiple industries.
- Other passwords making the top 10 list of the most commonly used weak passwords were “12345”, “Hello123” and “sunshine”.
- Nearly 20% of the passwords comprised either the exact name of the company or, at most, a slight variation of it.
The Cost of Data Breaches
It is an established fact that weak passwords lead to data or security breaches, which then end up costing the affected entity huge sums of money. But what exactly is the total cost of a data breach for an enterprise? Let’s try to quantify this.
An IBM report has put the average global cost of a data breach at US $3.8 MN. If the breach pertains to healthcare, the cost can quickly escalate to a whopping US $7.1 MN. The USA is the costliest country in terms of data breaches, with an average cost of US $8.6 MN.
These are mind-boggling figures in themselves and more than enough to derail a thriving business. But what about the non-quantifiable element of data breaches, which comes in the form of shattered stakeholder confidence and loss of reputation?
Now, let’s briefly discuss how to improve password strength and mitigate the chances of a data breach via this avenue.
Go for Strong Passwords
A strong password should comprise at least 12 characters, including upper and lower case letters, numbers and special characters. To make this easier, you can also use a specialized password generator tool.
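The policy above, together with the NordPass findings (the top weak passwords and the 20% of passwords built from the company name), can be turned into a simple screening check that an enterprise could run when a password is set. The code below is an added example and not part of the original post or the NordPass report; the weak-password list is a constructed subset of the words named above, and the leetspeak folding is an assumption added so that trivial variations such as “P@ssw0rd” are still caught.

```python
import re
import string

# Weak passwords named in the NordPass findings above (constructed subset,
# not the full report list).
COMMON_WEAK = {"password", "12345", "hello123", "sunshine"}
MIN_LENGTH = 12  # minimum length recommended in the post

# Fold common leetspeak substitutions so "P@ssw0rd" or "Acm3" still match
# (assumed mapping, not from the post).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "@": "a", "$": "s"})


def normalize(text):
    """Lowercase, fold leetspeak, and keep only letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower().translate(LEET))


def password_issues(password, company_name=None):
    """Return the list of policy violations for a candidate password."""
    issues = []
    if len(password) < MIN_LENGTH:
        issues.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isupper() for c in password):
        issues.append("no uppercase letter")
    if not any(c.islower() for c in password):
        issues.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        issues.append("no digit")
    if not any(c in string.punctuation for c in password):
        issues.append("no special character")
    norm = normalize(password)
    for weak in sorted(COMMON_WEAK):
        w = normalize(weak)
        # Exact match, or a weak word padded with a short suffix ("password2021").
        if norm == w or (norm.startswith(w) and len(norm) - len(w) <= 4):
            issues.append("matches common weak password %r" % weak)
            break
    # The company name (or a leetspeak variation of it) anywhere in the password.
    if company_name and normalize(company_name) in norm:
        issues.append("contains the company name")
    return issues


def is_strong(password, company_name=None):
    """True only when no violation is found."""
    return not password_issues(password, company_name)
```

Note that passing all checks only means the password is not trivially weak; it says nothing about whether it has already appeared in a breach dump.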
Don’t Re-Use Passwords
While it is easier said than done, you need to avoid re-using the same password in multiple places. It is equally important to change or update your passwords periodically. Try making it part of your routine, like paying your bills.
As the name suggests, password managers can also be a very helpful solution for keeping your passwords organized and all in one place. On a lighter note, remember not to use a weak password for your password manager itself.
Use MFA or SSO
In two-factor (2FA) or multi-factor authentication (MFA), you gain access only after presenting at least one additional factor apart from your static password. This is a very effective safeguard, even if your static password has fallen into the wrong hands.
Single sign-on (SSO) is another way of mitigating password-related risks. It is more of a facilitation tool than a security solution, as it keeps your employees away from bad password practices.
This post was about a simple yet very persistent issue in countless enterprises. Perhaps the immediate thing to do is to sensitize your employees to the risks that improper password practices entail. This will play a lead role in behavioral change.
Every valued reader of this post should immediately review their own password practices as a starting point, and do the needful.