Data breaches, major hacks and the data theft that follows are nothing new, yet breaches continue to make the headlines almost daily, so naturally we are all becoming more and more concerned about data security.
Individually, many people now understand the importance of a strong password. Still, it is perhaps less well understood that weak passwords within a commercial organisation pose a significant risk to corporate data. Here’s why.
Firstly, you can easily check if your account has been compromised in a data breach. If any of your accounts have been compromised, and if the same passwords are used for home and work, this could pose a serious security threat.
For a hacker, exploiting weak passwords is a bread-and-butter first step to gain a foothold on a corporate network, from which they can further probe to seek more exploitable weaknesses.
A hacker's password-cracking capabilities are considerable! What's concerning is that trying to exploit weak or common-combination passwords is frequently successful (at least for our own ethical hackers performing a penetration test).
Not only would a hacker test common ‘weak’ password combinations (e.g., Password123, admin, 123456), but they would certainly also use lists of leaked usernames and passwords, and sniff network traffic for encrypted authentication requests, which can then be checked against a list of known encrypted passwords (containing 10 billion+ entries).
But we’ve all (or should have) read the advice on what constitutes a strong password and recommendations on policy. However, in reality, how can you easily remember a complex and (semi) unique password?
Many IT professionals use this simple technique to create a strong, (semi-)unique password that, importantly, is always easy to remember.
Why? Besides what’s known as a “brute-force” attack, hackers can first try common password combinations (e.g. password01, Password123, Password1!, etc.). And even if an account is locked after 6 or 7 attempts, it still provides a significant opportunity to crack passwords across multiple corporate accounts.
And if there is no account lockout, why not upload an entire “dictionary” of words and phrases we know are commonly used—hundreds of thousands of entries in a text file?
So we avoid anything that could be found in a dictionary, but how do you come up with something you can also easily remember, without needing an Enigma machine to help you?
Let’s take a well-known quote for the sake of an example: “Life has no limitation, except the ones you make”. Take the first letter of each word from your favourite song or quote.
The first letters of each word give: LHNLETOYM.
This is a nonsense phrase and isn’t a dictionary word, so it makes a great starting point for a password—and it's easy to remember.
It can be improved further by alternating upper and lowercase letters.
Again, this is simple to do and even to work out in the mind if necessary: LhNlEtOyM
One’s year of birth is a commonly used addition. Now reverse your birth year and put it either at the start or the end of the password: 7791LhNlEtOyM or LhNlEtOyM7791.
As it stands, this is a pretty good password. It’s a mixture of letters and numbers, with uppercase and lowercase characters thrown in. But it doesn’t stop there.
The last step is to add ‘special’ characters and customise the password for different uses/websites/applications because you shouldn’t reuse the same password for different accounts.
Password re-use is rife, making it easy to compromise your other accounts.
It doesn’t have to be a radical rethink for each account—simply inserting an @ sign plus an abbreviation to denote the website in question makes each password semi-unique.
So for Amazon, the password would become: LhNlEtOyM7791@AZ
For eBay, the password would become: LhNlEtOyM7791@EB
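As an added example (not from the original post), here is the four-step recipe above written as a Python function, generalised to any quote, birth year and site abbreviation, together with a basic policy check a defender might run over the result. The COMMON_PASSWORDS set is constructed from the article's own examples and the 12-character minimum is an assumed value.

```python
import re
import string

# Constructed list of weak passwords, taken from the examples quoted in the article.
COMMON_PASSWORDS = {"password01", "password123", "password1!", "admin", "123456"}


def acronym(quote: str) -> str:
    """Step 1: take the first letter of each word, ignoring punctuation."""
    words = re.findall(r"[A-Za-z]+", quote)
    return "".join(w[0] for w in words).upper()


def alternate_case(s: str) -> str:
    """Step 2: alternate upper and lower case, starting with upper."""
    return "".join(c.upper() if i % 2 == 0 else c.lower() for i, c in enumerate(s))


def derive_password(quote: str, birth_year: int, site_code: str, year_first: bool = False) -> str:
    """Steps 3 and 4: append (or prepend) the reversed birth year, then '@' plus a site abbreviation."""
    base = alternate_case(acronym(quote))
    reversed_year = str(birth_year)[::-1]
    core = reversed_year + base if year_first else base + reversed_year
    return f"{core}@{site_code}"


def passes_policy(password: str, min_length: int = 12) -> bool:
    """Defender-side check: minimum length, all four character classes, not a known common password."""
    if len(password) < min_length:
        return False
    if password.lower() in COMMON_PASSWORDS:
        return False
    classes = (string.ascii_uppercase, string.ascii_lowercase, string.digits, string.punctuation)
    return all(any(c in cls for c in password) for cls in classes)


if __name__ == "__main__":
    quote = "Life has no limitation, except the ones you make"
    for site in ("AZ", "EB"):
        pw = derive_password(quote, 1977, site)
        print(site, pw, "policy ok" if passes_policy(pw) else "policy FAIL")
```

Running it reproduces the article's Amazon and eBay passwords and shows that each per-site variant passes the check while the article's weak examples do not.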
So there you go – a very strong password that you can figure out easily!
Now, the only dilemma is which song to choose next when you need to change it. We recommend changing it every 3-6 months.
We all understand the importance of a strong password. It’s the first line of defence in your organisation’s security, and should be taken as seriously as shielding your PIN at a cashpoint.
Regular Penetration Testing, sophisticated social engineering and in-depth user awareness training are all crucial parts of an ongoing cyber security assessment programme. Together, they’ll expose any weak links in your security defences, whether they be passwords, unpatched systems, misconfigured hardware or more.
Not only do you learn of your critical vulnerabilities, but you can also create actionable steps to improve your cyber security posture.