30% of Security Breaches Are Caused by Poor Password Practices

Passwords can provide a very good level of security but many people are guilty of poor password practices. While there are now alternatives to passwords that provide a greater level of security, we are not yet at the stage when passwords can be retired and passwords are likely to remain the main method of securing accounts for some time to come.

GoodFirms decided to take a closer look at password practices people to identify some of the most common vulnerabilities, identify preventative measures that can be adopted to address those vulnerabilities and share best practices for password management that everyone can follow.

In its recent report, Top Password Strengths and Vulnerabilities: Threats, Preventive Measures, and Recoveries, GoodFirms explains that password vulnerabilities are still a critical issue and many people struggle with password management. Part of the problem is the sheer number of accounts that people need to create. Virtually every online service requires a user account, and each must be protected with a password, which means people need to set and remember several dozen passwords. It is therefore no surprise that many people take shortcuts, even though they greatly weaken security.

For the report, GoodFirms conducted an online survey and collected 210 responses from employees and cybersecurity professionals, with the analysis identifying some worrying statistics.

  • 30% of users say they have experienced a security breach as the result of setting a weak password
  • 35.7% of people write down passwords in planners, on paper, or use sticky notes
  • 45.7% of people reuse passwords on multiple accounts
  • 52.9% of people share passwords with others
  • 62.9% of people will only update their password when they are prompted to
  • 67.1% of people believe managing passwords for multiple accounts is not a waste of time
  • 88.6% of people use 2-factor authentication

One of the main issues is a lack of awareness of password best practices which can result in errors being made when creating passwords. Passwords are often created that are easy to remember, but that often means they are also often easy to guess. Some of the techniques used for creating strong passwords do not make passwords any harder to guess, such as substituting numbers for certain letters and many people are guilty of writing passwords down.

Using the same password for multiple accounts is one of the main security mistakes people make, compounded when a weak password is set. If a password is guessed, a hacker could use that password to access all accounts where it has been used.

People often fall for phishing attacks where even secure passwords provide no protection, as users are fooled into disclosing their passwords. Phishing attacks can be sophisticated and hard to spot, which is why 2-factor authentication is so important. 2-factor authentication means a second factor of authentication is required to access the account in addition to a password; however, 11.4% of people do not set up 2-factor authentication.

Businesses often fail to keep their systems and applications up to date and patched which allows hackers to bypass security controls. Many companies fail to provide training to employees on password best practices, and often do not require Virtual Private Networks (VPNs) to be used for remote access, which can leave them exposed to man-in-the-middle attacks.

When cybersecurity experts were asked about steps that can be taken to improve password practices, one of the most frequently recommended solutions was to use a password management system. Password management systems can be used to help employees follow password policies. They feature secure password generators that can be used to create strong, unique, virtually un-guessable passwords for all accounts and store those passwords securely. When the passwords need to be used they are autofilled, so they don’t need to be remembered. 70% of surveyed cybersecurity experts said they thought password managers are safe to use, and furthermore, many can be used free of charge. Even password managers with advanced security features are not expensive and can be purchased for $2-$3 a month or less. Bitwarden, for example, has a premium plan for consumers that is just $10 per year.

Other recommendations include:

  • Using a word-based approach to create strong, easy to remember passwords – use 3 random words or more to form a passphrase e.g. MotorcycleChimpGlasses
  • Only create accounts with trusted companies
  • Always use a VPN
  • Ensure passwords are salted and hashed when stored
  • Make sure 2-factor authentication is enabled
  • Implement a password lockout after a set number of failed attempts
  • Ensure long and complex passwords are set for RDP logins as they are commonly targeted
  • Ensure all software is kept up to date and patches are applied promptly

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news