Are weak passwords making your company data vulnerable? According to a 2021 research study by GoodFirms, weak passwords are the cause of 30% of online data breaches. Another study, conducted by Verizon, puts that number even higher, finding that 80% of data breaches were caused by weak or reused passwords. Two of the more infamous data breaches caused by bad password management were a Florida water treatment plant that suffered a computer breach last year because several employees shared a single password, and SolarWinds, where an employee used the extremely easy-to-hack password “solarwinds123” to protect a secure server. The reality is that good password management can be tiring, arduous, and complicated when you need to secure dozens of online logins. Fortunately, there are some password management best practices and password alternatives that can make securing your company data a lot easier.
Anatomy of a Bad Password
Before we explore good password management (and password alternatives), let’s examine the main qualities of a password that’s too weak to keep out hackers.
- A password that’s easy to remember and easy to guess.
- Less than 8 characters.
- Includes no special characters (e.g., $#@% ).
- It has been used more than 17 consecutive times.
- Secures more than a single login (e.g., using the same password for all your social media accounts).
- Includes the names of close family members, friends, and pets.
- Uses words in a dictionary.
Now, raise your hand if you’ve been guilty of creating a bad or weak password. I’m sure everyone has been guilty of this at least once. Fortunately, there’s an easy way to improve your password management skills.
Good Password Creation
Let’s start with the basics of how to create a password that’s difficult to hack. Below are 7 qualities of a strong password.
- Use a unique password for every account. Hint: Changing a character or two doesn’t make it unique enough.
- Create a password that is at least 12 characters.
- Include upper and lowercase letters.
- Include numbers.
- Use special symbols (e.g., $#@&) as part of your password.
- Use letter combinations not found in a dictionary.
- Change your passwords every 3 months.
Bonus Tip: If you’re crafting a cybersecurity strategy for your company, make good password generation automatic by using systems that force employees to practice good password creation habits. This might include requiring employees to create passwords that are at least 12 characters long and not allowing them to use a password for more than 3 months.
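The two lists above (the qualities of a weak password and the seven qualities of a strong one) translate directly into checks a company can enforce automatically. The following is an added example, not code from the original article or from any product it mentions: a small Python password-policy checker that applies the length, character-class, dictionary-word and "not just a character or two different from the last one" rules, plus a generator that uses the operating system's cryptographic random source to produce passwords that pass the same checks. The word list and the rule names are constructed for illustration; a real deployment would use a full dictionary and a breached-password list.

```python
import math
import secrets
import string

# Constructed stand-in for a real dictionary / breached-password list.
COMMON_WORDS = {"password", "welcome", "letmein", "summer",
                "solarwinds", "company", "admin"}
SPECIALS = "!@#$%^&*()-_=+[]{};:,.<>?/"
ALPHABET = string.ascii_letters + string.digits + SPECIALS


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,         # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_password(candidate: str, previous=(), wordlist=COMMON_WORDS,
                   min_length: int = 12, max_similarity: int = 2) -> list:
    """Return the names of the rules the candidate fails (empty list = OK).

    Rules mirror the article's list: 12+ characters, upper and lower case,
    a digit, a special symbol, no dictionary word, and a real change from
    any previous password (edit distance > max_similarity).
    """
    failures = []
    if len(candidate) < min_length:
        failures.append("length")
    if not any(c.islower() for c in candidate):
        failures.append("lowercase")
    if not any(c.isupper() for c in candidate):
        failures.append("uppercase")
    if not any(c.isdigit() for c in candidate):
        failures.append("digit")
    if not any(c in SPECIALS for c in candidate):
        failures.append("special")
    lowered = candidate.lower()
    if any(word in lowered for word in wordlist):
        failures.append("dictionary_word")
    for old in previous:
        if levenshtein(lowered, old.lower()) <= max_similarity:
            failures.append("too_similar_to_previous")
            break
    return failures


def entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Entropy of a uniformly random password of this length and alphabet."""
    return length * math.log2(len(alphabet))


def generate_password(length: int = 16) -> str:
    """Generate a random password that satisfies check_password().

    secrets.choice draws from the OS CSPRNG, which is what a password
    manager's generator should do; the loop simply retries the rare
    draw that misses a character class.
    """
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_password(candidate):
            return candidate


if __name__ == "__main__":
    print("solarwinds123 fails:", check_password("solarwinds123"))
    pw = generate_password()
    print("generated:", pw, "entropy ~%.0f bits" % entropy_bits(len(pw)))
```

Running the script shows why “solarwinds123” is a bad password under this policy (no upper-case letter, no special symbol, and it contains a dictionary word) and prints a generated password that passes; the `previous` argument is what lets a rotation policy reject a new password that differs from the old one by only a character or two.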
The vast majority of people aren’t aware of these password creation best practices, so they’re vulnerable to data breaches, which means any company they work for is also vulnerable. The truth is that most people (as in 100% of the people) want to use passwords that are easy to remember because it’s impossible to remember 30 unique passwords for 30 different logins. That’s where password managers come in.
A password manager is a secure application that can generate and recall passwords on command. When you use a password manager you only need to remember a single password: One strong password used to access the password manager account. According to a 2022 Google survey, only 25% of Americans use password managers. Since there are so few people using password managers, here’s a video to help you better understand how password managers work.
A short explainer about password managers.
While there are many benefits to using a password manager, it’s important to consider the drawbacks. Let’s take a look at some of the cons of using this technology:
- All passwords are in one place, making them vulnerable to hackers if they can break into your password manager account.
- Not all password managers have a backup process, so if their server goes down you could lose access to all of your passwords.
- Some password managers lack sufficiently strong security, so you will need to do your own research to find out which are the best for your needs.
Hint: If you use a free password manager, you may quite literally get what you pay for.
If you’ve found a secure password manager that works for your needs, this is only the first step in protecting your data from hackers. If you want to double down on your data security, consider adding two-factor authentication and biometrics.
Two-Factor Authentication (2FA)
You’ve probably noticed that most sites now require you to provide PIN numbers, security questions, or a mobile phone in addition to a password. Some sites even require you to download additional software that will generate a one-time passcode every time you log into your account. This is part of the two-factor authentication setup. Websites that use two-factor authentication require two security checks before allowing you to access your account. For example: You might need to provide your password and a six-digit passcode that will be texted to your mobile phone. Or, you might need to provide your password and the answer to security questions you set up when you first opened your account.
Using two-factor authentication can add another layer of protection to your accounts and reduce the chance of a data breach, but it’s not a perfect solution. According to the FBI, some hackers are bypassing two-factor authentication by creating fake websites (e.g., mimicking a bank account login page) to trick account holders into sharing their password. And other hackers have spoofed IP addresses to bypass a login page.
What many cybersecurity experts are discovering is that passwords in general are becoming less effective against hackers. The solution? Some companies are turning to biometrics.
Biometrics: An Alternative (Or Enhancement) To Passwords
Using biometrics in addition to or as a replacement for passwords isn’t exactly new. Many people use their thumbprint to access their mobile phone while others use facial or voice recognition. And in a survey of 1,000 Americans, over 80% of them said they were familiar with biometrics and 65% of them said that they thought biometrics were easier to use than passwords. So, how are some companies using biometrics as part of their security toolkit?
- McDonald’s used biometrics (fingerprint and hand scans) to track when employees clocked in and out of the workplace and to monitor who accessed the cash registers. However, they did face a class action lawsuit because they failed to inform employees that they would store their biometric data.
- Amazon’s Whole Foods is allowing customers to pay for purchases by scanning their palms.
- Mastercard is allowing some customers to pay for purchases with a smile or a wave of their hand.
- And some businesses that are increasingly dependent on remote workers are using biometrics to help employees avoid exposing passwords while working in public places or using shared Wi-Fi.
But for those companies that want to experiment with including biometrics as part of their cybersecurity strategy, there are a few ground rules they should follow.
- Obtain employees’ written and informed consent before collecting biometric data.
- Educate employees about how their biometrics will be used.
- Work with certified and vetted vendors who will protect the confidentiality of employees’ biometric data.
- Never sell your employees’ biometric data and don’t work with vendors who would sell that data.
As you explore new ways to secure your company data using passwords, biometrics, and whatever new technology is developed in the coming years, be sure to investigate the efficacy of that technology and the legal restrictions around using it.