With both data breaches and fines on the rise, workplace password security has become more critical than ever. Here are some practical tips to help.
One of the most common causes of a security breach is weak passwords, made worse by people reusing the same password across many or all of their accounts. A survey conducted by Specops Software found that 51.61% of respondents share their streaming site passwords, and 21.43% are unsure whether those passwords are then shared on with other people.
People's attitude to password security is alarmingly lax, which can have costly repercussions for businesses. $1 trillion was lost to cybercrime in 2020, according to McAfee. An estimated five billion unique user credentials (i.e. username and password combinations) are available to cybercriminals on the darknet, and any one of them may grant access to a corporate network or a bank account.
How hackers steal passwords
a. Credential stuffing
is when attackers take lists of stolen credentials (usernames and passwords) from one breach and replay them, usually with automated tooling, against many other services to see where they still work. It succeeds because people reuse passwords: a pair leaked by a streaming site often also opens a work mailbox.
b. Phishing
is a social engineering technique that tricks users into entering their credentials into what they believe is a genuine login page or a legitimate request from a vendor.
c. Password spraying
is a technique that tries a short list of commonly used passwords, such as 123456, password123, 1qaz2wsx, letmein and batman, against many user accounts, typically only one or two guesses per account so that lockout thresholds are never triggered.
d. Keylogging
is often used in targeted attacks. Keyloggers record the keystrokes you type and are a particularly effective way of capturing credentials for bank accounts, crypto wallets and other logins, because the password is captured as it is typed, before any protection on the login form applies.
e. Brute force
uses trial and error to guess login details, encryption keys or the location of a hidden web page. Attackers work through every possible combination (or, more commonly, a dictionary of likely ones) hoping to hit the right one. Short passwords fall quickly, since every extra character multiplies the number of guesses required.
f. Local discovery
occurs when you write a password down or use it somewhere it can be seen in plain text, such as a sticky note, a shared document or a chat message.
g. Extortion
involves no subterfuge: somebody demands that you hand over your credentials and threatens you if you refuse.
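The first three techniques leave different fingerprints in authentication logs, and telling them apart decides the response (lock one account, block one source, or force resets on every account that just had a success). The following is an added example, not code from the original article: it parses a few constructed sshd-style log lines and applies the usual heuristics. The sample lines, the thresholds and the function names (`classify_sources`, `stuffing_report`) are assumptions for the demonstration; real logs carry timestamps and you would apply the same counts per time window.

```python
"""Spot brute force, password spraying and credential stuffing in an auth log."""
import re
from collections import Counter, defaultdict

# Constructed sshd-style sample lines for the example (not real data).
SAMPLE_LOG = """\
Failed password for alice from 203.0.113.5 port 40001 ssh2
Failed password for alice from 203.0.113.5 port 40002 ssh2
Failed password for alice from 203.0.113.5 port 40003 ssh2
Failed password for alice from 203.0.113.5 port 40004 ssh2
Failed password for alice from 203.0.113.5 port 40005 ssh2
Failed password for alice from 203.0.113.5 port 40006 ssh2
Failed password for bob from 198.51.100.7 port 50001 ssh2
Failed password for carol from 198.51.100.7 port 50002 ssh2
Failed password for dave from 198.51.100.7 port 50003 ssh2
Failed password for erin from 198.51.100.7 port 50004 ssh2
Failed password for frank from 198.51.100.7 port 50005 ssh2
Failed password for grace from 198.51.100.7 port 50006 ssh2
Failed password for heidi from 192.0.2.10 port 60001 ssh2
Failed password for ivan from 192.0.2.11 port 60002 ssh2
Failed password for judy from 192.0.2.12 port 60003 ssh2
Accepted password for mallory from 192.0.2.13 port 60004 ssh2
Failed password for niaj from 192.0.2.14 port 60005 ssh2
Failed password for olivia from 198.51.100.200 port 1234 ssh2
Accepted password for olivia from 198.51.100.200 port 1235 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text):
    """Return (success, user, ip) tuples for lines that look like sshd auth events."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m.group("outcome") == "Accepted", m.group("user"), m.group("ip")))
    return events


def classify_sources(events, brute_threshold=5, spray_threshold=5):
    """Per source IP: brute force hammers one account; spraying touches many
    accounts with one or two guesses each to stay under lockout thresholds."""
    failures = defaultdict(Counter)  # ip -> Counter(user -> failed attempts)
    for success, user, ip in events:
        if not success:
            failures[ip][user] += 1
    verdicts = {}
    for ip, per_user in failures.items():
        hottest = max(per_user.values())
        if hottest >= brute_threshold:
            verdicts[ip] = "brute_force"
        elif len(per_user) >= spray_threshold and hottest <= 2:
            verdicts[ip] = "password_spray"
        else:
            verdicts[ip] = "normal"
    return verdicts


def stuffing_report(events, min_sources=5):
    """Credential stuffing replays each leaked pair once, usually through a proxy
    pool, so it shows up as many source IPs each making a single attempt against
    a single account. Any success inside that burst is an account whose password
    was reused from a breach and should be reset first."""
    attempts = defaultdict(Counter)  # ip -> Counter(user -> all attempts)
    outcomes = {}                    # (ip, user) -> any success seen
    for success, user, ip in events:
        attempts[ip][user] += 1
        outcomes[(ip, user)] = outcomes.get((ip, user), False) or success
    single_shot = [(ip, next(iter(c))) for ip, c in attempts.items()
                   if len(c) == 1 and sum(c.values()) == 1]
    return {
        "suspected": len(single_shot) >= min_sources,
        "accounts": sorted(user for _, user in single_shot),
        "successes": sorted(user for ip, user in single_shot if outcomes[(ip, user)]),
    }


if __name__ == "__main__":
    evts = parse_auth_log(SAMPLE_LOG)
    print(classify_sources(evts))
    print(stuffing_report(evts))
```

In the sample, 203.0.113.5 is brute forcing alice, 198.51.100.7 is spraying six accounts, and five single-attempt sources form a stuffing burst in which mallory's login succeeded, so mallory's password was reused from a breach and is the first one to reset.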
Ways to improve workplace password security
So what should your colleagues do to reduce this risk and keep their passwords safe?
1. Choose a strong and unique password
Aim for a minimum of 8 characters, and treat that as a floor rather than a target: length does more for you than a mix of numbers, letters and punctuation, because every extra character multiplies the number of guesses an attacker needs.
2. Avoid obvious passwords
Don't use easily guessed passwords like 1234, 4321, qwerty, password and password123. Avoid words that can be found on your social media accounts, for example family names, pets, place of birth, school, favourite holiday destination, or anything related to your sports team or hobby.
Do not use:
- Names or business names.
- Family members’ or pets’ names.
- Your own or family's birthdays.
- Favourite sports team or other words easily guessed by acquaintances
- The word 'password' or numerical sequences. An NCSC analysis of breached accounts found "123456" used as a password 23 million times!
- Single common dictionary words, such as 'kitchens', which cracking tools try within seconds.
- Recycled passwords (e.g. Jon2, Jon3 etc.): cracking tools try numeric suffixes on a known password as a matter of course.
3. Keep passwords safe
Avoid writing them down, sharing them with others or using the same password across multiple sites. If you must write a password down, keep the note away from the device it unlocks and use a form that is meaningless to anyone else.
4. Change your password if you suspect it is compromised
Change a password promptly if you think someone else knows it, or if the service tells you it has been breached. Forcing everyone to change passwords on a fixed schedule is no longer recommended by the NCSC or NIST: it pushes people towards predictable variations (Jon2, Jon3) rather than stronger passwords.
5. #thinkrandom
The UK government's (NCSC) cybersecurity campaign encourages the use of three random words (e.g. dogmoonpurple), which gives you a password that is both long and memorable. You can break the words up with numbers and symbols or substitute characters for letters (e.g. D0gm00npu4p!e), but don't rely on the substitutions for strength: cracking tools try the common swaps (0 for o, 4 for a, ! for i) automatically, so a fourth word adds far more than a handful of swapped characters.
6. Use a random password generator
Or create a string of completely meaningless letters and symbols. One way of doing this by hand is to take a random sentence or line from a song or poem, use the first letter of each word, and then add punctuation and numbers to mix it up; a password manager's built-in generator will produce something stronger with less effort.
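To put numbers on the three-random-words and random-string advice, here is an added example (not from the original article) that generates both kinds of password with Python's `secrets` module, which draws from the operating system's cryptographic random source rather than the predictable `random` module, and compares the guessing entropy of each strategy. The `WORDS` list is a constructed stand-in; the NCSC advice assumes an ordinary vocabulary of many thousands of words, and the comparison uses the 7776-word Diceware list size for that case. Function names such as `compare_strategies` and `acronym` are assumptions for the demonstration.

```python
"""Generate random-word and random-character passwords and compare their strength."""
import math
import secrets
import string

FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

# Constructed, deliberately tiny word list. Three words from a list this small
# are weak (see compare_strategies); the real advice assumes thousands of words.
WORDS = [
    "apple", "bridge", "candle", "dog", "engine", "forest", "garden", "harbour",
    "island", "jacket", "kettle", "ladder", "moon", "needle", "orange", "purple",
    "quarry", "river", "saddle", "tunnel", "umbrella", "valley", "window", "yellow",
]


def random_chars(length, alphabet=FULL_ALPHABET):
    """Uniformly random string; secrets.choice is suitable for passwords, random.choice is not."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_words(count, words=WORDS, sep="-"):
    """NCSC-style 'three random words', chosen uniformly so the entropy estimate holds."""
    return sep.join(secrets.choice(words) for _ in range(count))


def acronym(sentence):
    """First letter of each word, for the song-line method; add digits and punctuation yourself."""
    return "".join(w[0] for w in sentence.split() if w[:1].isalnum())


def entropy_bits(choices, picks):
    """Bits an attacker must search for `picks` independent uniform choices from `choices` options."""
    return picks * math.log2(choices)


def compare_strategies():
    """Entropy (bits, one decimal) of the strategies discussed in the text."""
    return {
        "8 mixed characters": round(entropy_bits(len(FULL_ALPHABET), 8), 1),
        "12 mixed characters": round(entropy_bits(len(FULL_ALPHABET), 12), 1),
        "3 words from a 7776-word list": round(entropy_bits(7776, 3), 1),
        "4 words from a 7776-word list": round(entropy_bits(7776, 4), 1),
        "3 words from this tiny list": round(entropy_bits(len(WORDS), 3), 1),
    }


if __name__ == "__main__":
    print(random_chars(16))
    print(random_words(3))
    print(acronym("the quick brown fox jumps over the lazy dog"))
    for name, bits in compare_strategies().items():
        print(f"{bits:5.1f} bits  {name}")
```

The comparison shows why length is the lever: three words from a 7776-word list (about 39 bits) are weaker than 8 random mixed characters (about 52 bits), but a fourth word closes that gap almost entirely, and 12 mixed characters (about 79 bits) beat both. These figures assume an attacker who knows the method and the word list; if the words are chosen by a person rather than uniformly at random, the real entropy is lower.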
7. Use password management software
Software like Dashlane, 1Password, KeePass or LastPass stores all of your passwords in an encrypted vault behind one master password, so that one strong, memorable password is all you have to remember and every other password can be long, random and unique. Make the master password your strongest, and protect the manager itself with two-factor authentication.
8. For added security, use two-factor authentication (2FA)
If someone logs in from an unrecognised device, they must also supply a second factor, such as a code from an authenticator app, a code sent by text or email, or a hardware security key, to prove it is really you. Codes sent by SMS or email are the weakest option, since they can be intercepted or phished along with the password; an authenticator app is better, and a FIDO2 hardware key resists phishing altogether.
9. Regularly check whether your accounts have appeared in a breach
Use a service such as Have I Been Pwned to check whether your email address has appeared in a known data breach, and its Pwned Passwords service to check whether a password has. The password check never sends the password itself: only the first five characters of a hash of it leave your machine. Pay special attention to your email account, because if someone can access it they can usually reset the passwords on everything else.
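The Pwned Passwords check works by k-anonymity: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, receives every known suffix in that range and does the final comparison locally. The following is an added example, not code from the original article or from Have I Been Pwned, that implements the client side of that exchange. The range response is a constructed stand-in (only the suffix that belongs to the hash of "password" is genuine; the other suffixes and all counts are invented), and `live_fetch` shows the real request shape but is not called, so the example runs offline.

```python
"""Check a password against a Pwned Passwords range response without revealing it."""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest):
    """k-anonymity split: the 5-hex-char prefix is sent, the 35-char suffix stays local."""
    return digest[:5], digest[5:]


def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; padded zero-count lines are dropped."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        if int(count) > 0:
            counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password, fetch_range):
    """How often the password appears in the corpus behind fetch_range (0 = not found).
    fetch_range(prefix) returns the response body for a 5-character prefix."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def live_fetch(prefix):
    """Real lookup over the network (not used by the offline demonstration).
    Add-Padding asks the service to pad the response so its size does not
    reveal how many real entries the range contains."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "pw-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the range response for prefix 5BAA6 (SHA-1 of
# "password" begins 5BAA6). The third suffix is the real remainder of that
# hash; the other suffixes and every count are invented for the example.
SAMPLE_RESPONSE_5BAA6 = """\
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
011053FD0102E94D6AE2F8B83D76FAF94F6:0
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1
"""


def offline_fetch(prefix):
    """Offline substitute for live_fetch so the example runs without network access."""
    return SAMPLE_RESPONSE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", pwned_count(pw, offline_fetch))
```

To run a real check, pass `live_fetch` instead of `offline_fetch`. Treat any non-zero count as a reason to reject the password: a password seen even once in a breach corpus is on the lists that credential stuffing and spraying tools use.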
Want to learn more about GDPR?
We've created a comprehensive GDPR roadmap to help you navigate the compliance landscape, supported by a full library of GDPR courses.
Written by: Emmeline de Chazal
Emmeline is an experienced digital editor and content marketing executive. She has a demonstrated history of working in both the education management and software industries. Emmeline has a degree in business science and her skillset includes Search Engine Optimisation (SEO) and digital marketing analytics. She is passionate about education and utilising her skills to encourage greater access to e-learning.
