In theory, we all know what makes a strong online password. Putting it into practice? That’s another story.
If we want to protect our corporate and personal information from hackers, our passwords should be unique, long and contain numerous different characters. They should be changed on a regular basis too.
But the process is inconvenient. So it should come as no surprise that most people—and most businesses—don’t do enough when it comes to password protection. In fact, according to the 2018 Verizon Data Breach Investigations Report, 81 percent of hacking-related breaches were the result of stolen or weak passwords.
So what are most companies and their employees doing wrong? In all likelihood, a number of things:
- Using an email address as the login username. For most people, a work email address isn’t a secret—if it’s not on the company website, it usually pops up in a quick Google search of a person’s name. And yet, most people use that easily accessible email address as an almost universal login. This makes things super easy for hackers looking to penetrate your network because, before they even get started, they have half of your login credentials.
- Reusing passwords. Finding the perfect password—one that’s not only the right length, but also includes the ideal mix of characters and is easy to remember—is quite a feat. So it makes sense that once you find one, you reuse it—again and again and again. Maybe you tweak it slightly—by changing a number here, or a letter there. Either way, hackers love this type of behaviour because, if they crack the code once, chances are high they’ll be able to use that same code to access other accounts down the road.
- Foregoing personal password hygiene. Hackers know that if a person isn’t using strong passwords in their personal lives, they likely aren’t using them at work, either. So while cyber criminals may initially target individuals—say, by sending a phishing email to their personal computer and accessing the passwords stored in the browser of that computer—that information can quickly be used to access corporate information too.
- Saving passwords in the browser. We get it—when your browser offers to save your secure-but-hard-to-remember password, that’s one less thing for you to remember. The thing is, few of these programs, if any, are secure—and they’re extremely easy to hack.
Amping up your protection
Fortunately, there are ways to alleviate today’s very real password-related cyber risks, and they aren’t that difficult. The first? Stop using email addresses as usernames—full stop. Next? Invest in password protection software.
While there are a variety of password protection software solutions in the marketplace, they essentially function the same way. You just need to remember one good, strong password to unlock the vault. From there, the software itself can securely log you into all your other accounts. These apps also typically generate extremely secure passwords when you sign up for new sites or launch new accounts, which further reduces the password burden. Keep in mind, though, that you get what you pay for. It is worthwhile to do some research and consider spending a little more on an app that will significantly enhance your security posture, because a vault holding every one of your credentials is itself an attractive target for hackers.
You also may want to consider implementing more secure login methods company-wide, such as two-factor authentication or biometrics. Two-factor authentication requires users to input a password plus another security element, such as a predetermined image or a security code sent by email or text. If you want to get really crazy, you could even go for three- or four-factor authentication, but that would be more time consuming. Biometrics, on the other hand, use fingerprint or facial recognition to confirm an individual’s identity. Again, the tools that you use to accomplish this must be secure, so scrimping with freeware is a false saving.
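The "security code sent by email or text" flow above has a server side that is easy to get subtly wrong. The following is an added example, not code from the original article or from Grant Thornton, showing what a defensible implementation of that second factor needs: a code drawn from a cryptographic random source, a short lifetime, a cap on guesses, single use, and a constant-time comparison so that timing does not leak which digits were right. The class name, the five-minute lifetime and the five-attempt cap are assumptions chosen for the example; delivery of the code to the user is out of scope and is simply returned to the caller.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_LENGTH = 6          # digits in the one-time code (assumed)
CODE_TTL_SECONDS = 300   # code lifetime, five minutes (assumed)
MAX_ATTEMPTS = 5         # guesses allowed per issued code (assumed)


@dataclass
class PendingCode:
    code: str
    expires_at: float
    attempts: int = 0


class SecondFactor:
    """Issue and verify one-time codes for the second authentication step.

    The clock is injectable so that expiry can be exercised in tests.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # username -> PendingCode

    def issue(self, username):
        # secrets, not random: the code must be unpredictable to an attacker.
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
        self._pending[username] = PendingCode(code, self._clock() + CODE_TTL_SECONDS)
        # In a real system the code is sent out of band (email/SMS); returned here for the demo.
        return code

    def verify(self, username, submitted):
        pending = self._pending.get(username)
        if pending is None:
            return False                      # nothing issued, or already consumed
        if self._clock() > pending.expires_at:
            del self._pending[username]       # expired: force a fresh code
            return False
        pending.attempts += 1
        if pending.attempts > MAX_ATTEMPTS:
            del self._pending[username]       # too many guesses: invalidate the code
            return False
        # compare_digest runs in constant time regardless of where the strings differ.
        if hmac.compare_digest(pending.code, submitted):
            del self._pending[username]       # single use: a replayed code is rejected
            return True
        return False


if __name__ == "__main__":
    sf = SecondFactor()
    code = sf.issue("alice")
    print("issued", code, "verified:", sf.verify("alice", code))
```

With a six-digit code and a five-guess cap, an attacker who intercepts nothing has at most a 5-in-1,000,000 chance per issued code; without the cap, the same code could be brute-forced in under a million requests, which is why the attempt limit matters as much as the randomness.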
If you choose to stick with the password route, employees should be required to create new passwords every 30 days—and deterred from reusing old passwords or creating similar ones. Also, no solution is perfect on its own, so the more safeguards you integrate into your cybersecurity posture, the better off you’ll be.
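Two of the points above, that a password manager should generate strong passwords for you and that a rotation policy should reject reused or near-identical passwords, can be expressed as code. The following is an added example, not code from the original article or from Grant Thornton. It generates passwords from a cryptographic random source, checks length and character classes, rejects a new password that contains the username or is too similar to the current one, and rejects exact reuse against a salted, hashed history. The 12-character minimum, the ten-entry history, the 0.6 similarity threshold and the PBKDF2 iteration count are assumptions chosen for the example. One design point the policy text glosses over: a "similar to an old password" check needs the old password in plaintext, which a server should never keep, so similarity is checked only against the current password (which the user types at change time) while older passwords are checked for exact reuse via their hashes.

```python
import difflib
import hashlib
import hmac
import secrets
import string

MIN_LENGTH = 12            # assumed policy minimum
HISTORY_SIZE = 10          # assumed number of previous passwords remembered
MAX_SIMILARITY = 0.6       # assumed threshold on difflib ratio (1.0 = identical)
PBKDF2_ROUNDS = 100_000    # assumed work factor for stored history hashes
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def meets_complexity(pw):
    """Length plus at least one lower, upper, digit and punctuation character."""
    return (len(pw) >= MIN_LENGTH
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def generate_password(length=20):
    """What a password manager does for you: a random password that passes the policy."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_complexity(pw):
            return pw


def too_similar(candidate, current):
    """Catch 'change a number here, a letter there' variants of the current password."""
    ratio = difflib.SequenceMatcher(None, candidate.lower(), current.lower()).ratio()
    return ratio > MAX_SIMILARITY


class PasswordPolicy:
    def __init__(self):
        self._history = {}  # username -> list of (salt, hash), newest first

    @staticmethod
    def _hash(pw, salt):
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)

    def _was_used(self, username, candidate):
        # Exact reuse is detectable from hashes alone; compare in constant time.
        return any(hmac.compare_digest(self._hash(candidate, salt), digest)
                   for salt, digest in self._history.get(username, []))

    def check_change(self, username, current_pw, new_pw):
        """Return the list of reasons the change is rejected; an empty list means accepted."""
        problems = []
        if not meets_complexity(new_pw):
            problems.append("too short or missing a character class")
        if username.lower() in new_pw.lower():
            problems.append("contains the username")
        if too_similar(new_pw, current_pw):
            problems.append("too similar to the current password")
        if self._was_used(username, new_pw):
            problems.append("reused from password history")
        return problems

    def record(self, username, pw):
        """Store a salted hash of the newly set password and trim the history."""
        salt = secrets.token_bytes(16)
        hist = self._history.setdefault(username, [])
        hist.insert(0, (salt, self._hash(pw, salt)))
        del hist[HISTORY_SIZE:]


if __name__ == "__main__":
    policy = PasswordPolicy()
    policy.record("alice", "Correct-Horse-42!")        # constructed sample password
    print(policy.check_change("alice", "Correct-Horse-42!", "Correct-Horse-43!"))
    print(policy.check_change("alice", "Correct-Horse-42!", generate_password()))
```

The similarity ratio is deliberately computed case-insensitively, since "Summer2023!" and "summer2023!" are the same password to an attacker who already has one of them.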
Of course, these solutions do require effort to execute, which can be inconvenient. That said, today’s cyber criminals are poised and ready to infiltrate any company prone to password shortcuts. So, if you’re debating taking steps to strengthen your password protocol, ask yourself this: Which is more inconvenient—coming up with a new password every month or dealing with a cyber breach?
If you need help strengthening your organization’s password security—or any other area of your cybersecurity posture—don’t hesitate to reach out to your Grant Thornton advisor. We’d be happy to help.