How hackers can guess your passwords and what you can do about it.
Chances are that a hacker can easily guess one of your employee’s passwords. It’s actually easy to do. Here’s how.
Forget what you’ve seen on TV or in movies. Hackers don’t have to do brilliant things to get into your systems. They don’t need big calculations, psychological genius or devices under the desk that relay your password to a remote user. Why bother when it’s so easy to get your passwords by a quick guess?
You have certainly heard of this year’s hack of Equifax – the company that stores almost everyone’s key financial data. The hackers used a simple technical exploit to get into the Equifax system. That could have easily been avoided by keeping their software up to date.
But what you might have missed was a second Equifax hack that happened with their servers in South America. The hackers got in by guessing the password of a key server. What was it? It was “password”. Yes. That simple.
Year after year we see lists of the most popular passwords. A recent list of the top ten went like this:
You can see why hackers don’t have to be geniuses to get a password to get into your system.
In the old days, when you needed physical access to the computer on premises to get into the system, these passwords were an annoying weakness. Now that your key corporate systems are almost always connected to the internet, this is a crucial exposure.
If you haven’t addressed it, it’s happening in your company if you have more than two people working for you. Someone has a simple, easy to guess password.
So what do you do about it?
Why do people have simple passwords? They have them so they can remember them. They see these lists of numbers and symbols and think that they can never remember that. Or in some cases, companies insist that users change their passwords regularly. So people come up with simple to remember passwords like OCT123 and NOV123. Again, easy to guess.
In fact, hackers don’t even have to remember all the easy to guess passwords. They can download the lists and programs that will automatically try them until they get a winner. They try your corporate systems or they test out your employees’ social media accounts, where many employees use the same passwords for Facebook or LinkedIn as they do for their company accounts – and sometimes for their banking and credit as well.
Make it stop – it’s easier than you think
- Teach your employees that they need to have different passwords for their personal and corporate accounts. Social media passwords must never be used in corporate systems.
- You don’t need a list of characters that you can’t remember. Experts say that two unrelated words with unpredictable capitalization and a few unusual characters can create a strong enough password to at least make hacking more challenging.
For example – I might have used (but no longer use) Bad Yellow 29 or bAdyeLLow29
Two words and the number 29. Easy to remember.
- We also recommend only changing your passwords when there is a threat or you feel a password could have been compromised. Doing it weekly or monthly is not necessary if it only leads to easy to guess passwords.
- If you have a system that is so critical that you feel you need an absolutely unguessable password, use a password generator like LastPass to generate and remember the passwords for you. You can have unique passwords for all systems, but you will need one really good password to get into your password system.
Your browser can remember passwords for you and they are encrypted – but there have been some exploited weaknesses in browsers that could lead to a password being revealed. We don’t use this method of remembering passwords, nor do we recommend it.
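The advice above (reject the popular passwords, reject month-plus-digits rotations like OCT123 and NOV123, accept two unrelated words with odd capitalization and a number such as bAdyeLLow29) can be turned into a simple policy check. This is an added example, not a tool from the original post or from the company behind it; the common-password set is a constructed sample, and the 10-character minimum is an assumed value.

```python
import re
from typing import Iterable, List

# Constructed sample of a "most popular passwords" list; real lists run to millions of entries.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}

MONTHS = ("jan", "feb", "mar", "apr", "may", "jun",
          "jul", "aug", "sep", "oct", "nov", "dec")
# OCT123 / NOV123 style: a month abbreviation followed by a short run of digits.
MONTH_PATTERN = re.compile(r"^(%s)\d{1,4}$" % "|".join(MONTHS), re.IGNORECASE)

MIN_LENGTH = 10  # assumed policy value


def normalize(pw: str) -> str:
    """Collapse separators and case so 'Bad Yellow 29' and 'badyellow29' compare equal."""
    return re.sub(r"[\s\-_.]", "", pw).lower()


def check_password(pw: str, previous: Iterable[str] = ()) -> List[str]:
    """Return every policy rule the candidate breaks; an empty list means it is accepted."""
    reasons = []
    norm = normalize(pw)
    if len(norm) < MIN_LENGTH:
        reasons.append("too short")
    if norm in COMMON_PASSWORDS:
        reasons.append("on the common-password list")
    if MONTH_PATTERN.match(norm):
        reasons.append("month+digits rotation pattern (e.g. OCT123)")
    for old in previous:
        old_norm = normalize(old)
        if norm == old_norm:
            reasons.append("reuses a previous password")
        # badyellow29 -> badyellow30 is the same kind of "rotation" as OCT123 -> NOV123.
        elif re.sub(r"\d", "", norm) == re.sub(r"\d", "", old_norm):
            reasons.append("differs from a previous password only in digits")
    return reasons


def is_acceptable(pw: str, previous: Iterable[str] = ()) -> bool:
    return not check_password(pw, previous)


if __name__ == "__main__":
    for candidate in ("password", "OCT123", "bAdyeLLow29"):
        print(candidate, "->", check_password(candidate) or "accepted")
```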
How to get the message out?
By all means have a clear policy:
- No easy to guess passwords
- No use of social media and personal passwords on corporate systems
- Use only approved password generators and programs
- Never give out your password to ANYONE under any circumstances.
On this last point, even when our staff have to fix something on an employee machine that requires a password, they are required to use a separate admin account for service, or to let the employee type it in and never watch them. We take this very seriously.
Policies are good, but the best method of having better passwords is to educate your employees. We helped to create this video produced by the Amazing Agency (amazingagency.ca) to have a humorous way to raise the issue of password security.
Why not use it at your next staff meeting? Or send it out to your employees. Then have a discussion with them.
We are here to help
Have questions? You can read our blogs at performance advantage.ca to get more information. Or download our white paper “A Practical Guide to Security”.