Passwords are used to prevent unauthorized access to accounts and data. While passwords can be effective, there are password security risks that need to be reduced to a low and acceptable level, otherwise, accounts and sensitive data could be extremely vulnerable to cyberattacks.
Password Security Risks
If everyone set a strong, unique, and suitably long password for every account, passwords would provide a good level of protection; however, users often take shortcuts with passwords, and if weak passwords are set they can be guessed incredibly quickly.
Using the latest GPUs, cracking weak passwords has become quick and easy. Even complex passwords with upper- and lower-case letters, numbers, and symbols can be cracked almost instantly if they are 6 characters or less, and for 8 characters it would take less than 40 minutes, according to Hive Systems. This is why a complex password that consists of 10+ characters is now recommended.
Passwords can easily be obtained by hackers. Phishing is used to trick people into disclosing their passwords, either by email, IM/SMS, or over the telephone. Malware can be installed that has keylogging capabilities, which can record keystrokes to obtain passwords. Malware is also used to steal passwords stored in browsers.
When data breaches occur at one company, the passwords obtained can be used to try to gain access to accounts on other platforms – termed keyword stuffing. Keyword stuffing attacks are made possible due to the practice of reusing passwords on multiple accounts.
Even the password resetting mechanisms that companies put in place to prevent account lockout when users forget their passwords can be abused by threat actors to obtain passwords to access accounts.
How to Reduce Password Security Risks
Phishing attacks on businesses are the most common method of gaining access to accounts. Phishing most commonly occurs via email, so a robust email security solution is required to prevent these emails from reaching inboxes. Phishing attacks usually also have a web component, where credentials are harvested. A web filter can provide protection against this aspect of phishing, preventing users from landing on websites that steal their credentials.
It is important to provide security awareness training to the workforce to ensure that all users are aware of the risks of phishing and are taught how to identify phishing attempts. Even with email security, web security, and training, passwords may still be obtained by unauthorized individuals, so multi-factor authentication should be used on accounts. If a password is stolen, multi-factor authentication can prevent that password from being used, as another form of authentication is required before account access is granted.
Training should also cover password security and cybersecurity best practices. Employees need to know what a strong password is and why it is important to create unique and complex passwords for all accounts. Password policies should be implemented and enforced that require strong passwords to be set for all accounts, including preventing commonly used (weak) passwords from being set and the use of dictionary words as passwords.
Unfortunately, creating long and complex passwords for all accounts is difficult and remembering those passwords is even more so unless shortcuts are taken. It is therefore recommended to provide a password manager to employees. Password managers allow strong, unique, and essentially unguessable passwords to be created for all accounts, and a password generator is included to make this as easy as possible. All passwords are then stored securely in an encrypted password vault. To improve security further still, choose a password manager that also allows unique usernames to be created – i.e., not the user’s primary email address – Bitwarden, for example, has this feature.
If you fail to address these common password security risks, your business could remain vulnerable to cyberattacks. Reducing password security risks is one of the easiest and most effective ways of improving your security posture.