Cybersecurity is an important aspect all companies need to consider and assess. Passwords remain the first line of defense in preventing hackers from accessing data.
Companies must establish robust cybersecurity policies, including helping their employees to improve their password protection hygiene, in order to protect themselves from digital attacks.
Luckily, there are several strategies companies can implement to help protect their organization.
Techniques Used By Hackers To Steal Passwords
Hackers are able to steal passwords using a range of techniques. One of the most common strategies used by hackers today is phishing.
This is a social engineering trick in which hackers try to trick users into sharing their credentials by posing as a legitimate site or vendor.
Another common approach used by hackers is to test databases or existing lists of stolen credentials against multiple accounts, in a practice known as credential stuffing.
If they are successful in finding a match, they can then easily hack into users’ other accounts.
Similarly, many hackers also use a simple brute force approach. This involves using a more focused trial and error approach to guess a user’s login information, as well as encryption keys or even finding hidden web pages.
By working systematically through all the possible combinations, hackers are able to eventually guess the correct password.
Hackers also use a technique called keylogging to steal passwords. This approach tends to be used in more targeted attacks and involves hackers recording the strokes that a user types on their keyboard.
It’s an approach that has proven fairly effective for acquiring users’ credentials for crypto wallets and bank accounts, as well as for logins which use secure forms.
Many people tend to use very common passwords. Some predictable passwords and patterns, including “1234567”, “qwerty” and even variations of “password”, have been reported by many people as being some of the most popular password choices.
Unfortunately, this makes password spraying a particularly effective technique for many hackers.
Password spraying is when hackers test a list of commonly used passwords against a user’s account name until they find a match.
Two further techniques used by hackers are local discovery and extortion. Local discovery happens when a user writes down their password in a place where it can be seen as plain text, making it very easy for it to be stolen.
Extortion is more direct and involves hackers demanding that users hand over their credentials, often threatening them if they fail to comply.
5 Tips To Improve Password Security In The Workplace
All organizations can boost password security using only a few simple strategies:
- Ensure all employees create robust passwords that have a minimum of 8 (but preferably 14) characters, which are a mixture of letter cases, numbers, and special characters.
- Avoid using predictable passwords. This includes any words that can be easily discovered on social media, including the names of pets or family members, place of birth, or school.
- Use passphrases instead of passwords. These tend to be easy to remember, meet character criteria requirements, and are often harder to be guessed during brute force attacks.
- Encourage employees to use a random password generator to create new passwords which are more complex and harder to guess.
- Establish and implement password audits. This will help to track whether employees are complying with your company’s password security policy, as well as highlight any weak access points.
The Dangers Of Phishing Emails
Many people are still unfamiliar and less well-educated when it comes to phishing emails.
This is usually due to the fact that hackers often pose as a recognized voice of authority, such as a bank or government department, meaning that many people are less likely to suspect that the email is in any way fraudulent.
With phishing emails, hackers first begin by posing as a recognized company or department and then demand sensitive personal information, including login credentials, from their victim.
Sometimes these credentials are demanded outright in the email, whilst in other variations, victims are redirected to fraudulent login forms.
Although these forms appear to be genuine and have the appearance of a real website, they are in fact just a tool designed by hackers to capture and steal people’s passwords and usernames.
Businesses should ensure that staff is appropriately educated about this and encourage all employees to always double-check the source of the email.
If you work in the tech industry and think your employees are well aware of phishing scams, think again. Recent research suggests employees in the technology industry were the most likely to click on links in phishing emails, with nearly half of respondents (47%) admitting they had done so, closely followed by employees in banking and finance (45%). This could be explained by expectations to respond quickly to emails and not paying attention, so try not to assume that some departments do not need security and privacy training.
“If the email has been sent by an administrator or a higher-ranking individual at the company, employees should be encouraged to contact the person directly and confirm whether the email was authentic or not,” says Heather Turnbow, a tech blogger at Australia 2 write and Brit Student.
“On the whole, real administrators have access to accounts without ever having to ask the user for their login details, so it would be highly unlikely that they would ever ask in the first place. Under no circumstances should employees ever proceed in following the directions in such emails without first double-checking.”
Data Wiping For All Old IT Equipment When Discharged
When companies discharge old IT equipment, it’s customary to delete all the data on the IT equipment first.
However, in order to ensure that old IT equipment is actually safe and that no data remains, companies need to ensure that they actually conduct a full data wipe.
However, data wiping requires the use of either specialized software or else to be conducted by a hired professional.
Prompt Employees To Regularly Change Passwords
One of the key strategies that all workplaces should be implementing to ensure that they promote enhanced password security, is to ensure that passwords are changed regularly.
In addition to requiring that passwords be a minimum length and a mix of numbers, symbols, and letter cases, businesses also need to ensure that these are changed regularly. Ideally, passwords should be changed every 90 days and every 180 days for passphrases.
As well as avoiding common or predictable passwords, workplaces should prompt employees to regularly change their passwords. Additionally, they should restrict password reuse.
For example, companies can set a minimum (for example, the previous five passwords) which cannot be reused to avoid predictability.
Similarly, there should a minimum and maximum password age limit. For instance, passwords should be held for three to seven days, to prevent employees from simply reverting back to an old password.
Implement Two-Step Authentication
Two-step authentication requires that a user or employee use an additional device or verification point in order to validate their credentials.
This helps to confirm that it is actually the real employee that is trying to login and use the valid password on record. This is also important if there is any attempt to login from an unrecognized device.
Usually, the employee will be prompted to enter a code, sent by email or text, to verify that it was in fact they who attempted to login.
Successful login can only be granted once the second verification step has been successfully completed.
“Some companies also use multi-factor authentication (MFA) apps, which generate a one-time password known as a token, which expires after 30 seconds.This ensures that even if hackers are able to correctly guess the password, they don’t have sufficient time to correctly guess the token before it expires,” says Wesley Hodges, a security writer at Origin Writings and Write my X.
Implementing A Robust Password Security Policy In The Workplace
It’s crucial that all employees are trained effectively when it comes to password security. As well as ensuring that existing employees receive training, it should also be a mandatory part of the onboarding process of new employees.
Cybersecurity training should be focused and provide employees with information on how to strengthen their passwords and protect data from being leaked or accessed by anyone other than themselves.
Additionally, they should also be informed about the risks associated with accessing company data, including schedules and training materials, on both company and personal devices.
Using a range of techniques to boost password complexity and security can however mean that it’s harder to remember unique, complex passphrases or passwords for all the relevant portals.
In such cases, companies can benefit from investing in electronic password managers.
These are able to store the passwords for each user, for all of their websites. It also enables automatic, yet safe, logins.
The passwords are all encrypted in a virtual vault, which can only be accessed using a master password. Users only need to remember the master password, in order to be able to access all other logins, making logins much more secure.
It’s essential that companies provide training for employees so that everyone is aware of the dangers and understands their personal, as well as collective, responsibility for keeping their passwords safe and secure.
Kendra Beckley is an experienced business development manager and editor at Write my personal statement and Thesis writing service. She specializes in supporting companies as they seek to enter new business markets and is especially successful at building long-term relationships with partners. Kendra also enjoys writing articles on a variety of topics for Nextcoursework. In her spare time, Kendra enjoys staying up to date with the latest business and technology developments.