
123456 Reasons To Care It’s World Password Day

By ISBuzz Team | May 4, 2017 | 5 Mins Read

ADVICE FOR BUSINESSES

“Last year, our security team leaked a fake profile onto the Dark Web to show just how quickly phished credentials can spread. Within a month, the fake employee’s credentials had been viewed over 1,400 times and there were multiple successful login attempts into the phished account. The number of large-scale data breaches and the fact that users regularly re-use passwords is a real issue for businesses today. Against this background, static passwords simply cannot provide effective corporate protection. Businesses are now turning to a range of dynamic authentication methods that can analyse baseline user activity to detect potential intrusions, suspicious behaviours, and anomalous actions. It is essential that this approach to user authentication can extend to all cloud applications too. For example, if a user logs into Office 365 from the UK and then shortly after logs into Salesforce from Germany, this should be flagged as anomalous activity. The IT teams should be notified and the user should be asked to re-authenticate.” – Anurag Kahol, CTO at Bitglass
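The cross-application check described in the quote above (a login to one cloud app from the UK followed shortly by a login to another from Germany), sketched as an added example; it is not code from the article or from Bitglass. The two-hour window, the event fields and the action names are assumptions made for illustration, and the events are constructed sample data.

```python
from datetime import datetime, timedelta

# Assumption: "shortly after" is modelled as a 2-hour window; tune per environment.
WINDOW = timedelta(hours=2)

# Constructed sample events (not real logs): user, app, country, ISO timestamp.
SAMPLE_EVENTS = [
    ("alice", "Office 365", "GB", "2017-05-04T09:00:00"),
    ("bob",   "Salesforce", "DE", "2017-05-04T09:05:00"),
    ("alice", "Salesforce", "DE", "2017-05-04T09:20:00"),
    ("bob",   "Office 365", "DE", "2017-05-04T09:30:00"),
    ("alice", "Office 365", "GB", "2017-05-04T18:00:00"),
]

def find_geo_anomalies(events, window=WINDOW):
    """Flag logins where the same user appears in a different country,
    in any application, within `window` of their previous login."""
    last_seen = {}   # user -> (timestamp, country, app) of most recent login
    alerts = []
    # Process in time order so each login is compared with the one before it.
    for user, app, country, ts in sorted(events, key=lambda e: e[3]):
        when = datetime.fromisoformat(ts)
        prev = last_seen.get(user)
        if prev and prev[1] != country and when - prev[0] <= window:
            alerts.append({
                "user": user,
                "from": f"{prev[2]} ({prev[1]})",
                "to": f"{app} ({country})",
                "gap_minutes": int((when - prev[0]).total_seconds() // 60),
                # Hypothetical action names mirroring the quote's response:
                # tell the IT team and make the user authenticate again.
                "actions": ["notify_it", "require_reauthentication"],
            })
        last_seen[user] = (when, country, app)
    return alerts

if __name__ == "__main__":
    for alert in find_geo_anomalies(SAMPLE_EVENTS):
        print(alert)
```

Country here would normally come from IP geolocation, so VPN and mobile-carrier egress points will produce false positives that need an allow-list or a distance-and-speed check on top.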

“Companies have a responsibility to keep data secure and a big part of that responsibility is stamping out employees’ bad password habits. This starts with educating staff about what makes a really good password and giving them advice about how to keep their accounts secure, by using unique passwords across all accounts and regularly changing them. This includes encouraging employees to use completely different passwords for their personal and professional accounts. There are plenty of free tools such as password managers that can help create and store different credentials for each account. Even if employees pledge to change just one or two passwords each day, they will be improving the security of the company as well as their own personal security. Companies also need to educate employees about the benefits of multi-factor authentication, as this will prevent an attacker from logging into an account using compromised credentials.” – Thomas Fischer, threat researcher and security advocate at Digital Guardian

“This day presents the ideal opportunity for businesses to reevaluate their current password strategy as well as their overall data protection. Not only should passwords be strong, complex and regularly reviewed to maintain their security, but an additional layer – known as two-factor authentication – can deliver a significant increase in system safety. To have full peace of mind, organisations should also look to encrypt data so that if the worst were to happen and sensitive information was compromised, it would be unreadable to the person who tried to access it. Working with an MSP who can provide these services as part of a wider security offering means that not only password strategy is rock-solid, but their overall approach to security benefits from dedicated, expert management.” – Jon Lucas, Director at Hyve Managed Hosting

ADVICE FOR CONSUMERS

“For the last two years, “123456” has topped the list for both the most easy-to-crack and most commonly used password. This is a worrying stat, especially when you consider that many people re-use the same password across multiple different accounts. We must wake up to the dangers of poor password habits. Having the same password for all your accounts is like having a master key that fits any door – it’s convenient for you, but extremely dangerous if that key gets into the wrong hands. If a hacker managed to crack one password, they could use it to hijack an email account, steal personal data and even target your family, friends and work. The most commonly used method for this is a phishing attack, where the hacker sends fake emails from your real account, pretending to be you.

Thankfully, there are lots of tools and tips out there to help you stop this happening. Use a different password for each of your online accounts. Worried about remembering all of them? Consider using a password manager. There are a number of easy-to-use password apps out there, many of which are free. Make sure your passwords are unique and complex to ensure that hackers cannot guess them. If you’re notified that your account has been compromised, change your password immediately. Lastly, where possible, enable multi-factor authentication. Popular websites like Facebook, Gmail and Skype all offer this service.” – Thomas Fischer, threat researcher and security advocate at Digital Guardian

“There are two bad password habits that we should all aim to improve. First, many people are guilty of using the same password on work accounts as they do on their personal ones such as banking and social media. Using the same password is a really bad idea, as one breach on any of these sites can have a domino effect on all other logins. Using the same or even similar passwords at work can add a multiplier to that domino effect, by putting an entire company network at risk. We must create unique passwords for accounts, especially those at work.

Second, hackers are known to use something called a “brute-force attack”, where they use a computer program to systematically check many combinations of common words and numbers, to guess a password. This means that the shorter and simpler a password is, the easier it is to crack using brute force. By using a longer, more complex “passphrase” instead of a password, we can make it exponentially harder for hackers to break. If a password takes too long to crack, hackers will simply move on to the next batch.” – Eduard Meelhuysen, Head of EMEA at Bitglass


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
