Passwords are the most common way to authenticate access. At home, on the job, and using social networks, applications require passwords. As the systems you log into increase, you assume greater risk. This is true for one reason. Most passwords are weak and in all likelihood, you use them. With enterprise security, users are vulnerability. They can also become a deterrent.
In reusing passwords, you put yourself and an organization at risk. You make an enterprise security breach easier. You increase your likelihood of identity theft. Since 2011, SplashData publishes the year’s 25 most commonly breached passwords. From the report, everyone would benefit from a strong password manager. At work and in our personal lives, our passwords are weak.
SplashData reports the most popular passwords breached in 2015 were:
- qwerty (Check your keyboard.)
- 1qaz2wsx (Check your keyboard)
- qwertyuiop (Second keyboard row)
- passw0rd (using zero)
Hard to believe?
How many on the list do you use?
How to Make Strong Passwords
Although not always possible, randomly generated passwords are the securest. For IT, your enterprise password manager should enforce strong policies. When creating passwords, make them hard to guess, yet easy to remember. They should be difficult to hack without much effort on your part.
To make strong passwords, you must understand human behavior. A Linköping University, Sweden study, found 62% of users reuse passwords. 28% reported they never change their passwords. These behaviors reveal what cyber thieves count on. Most people reuse passwords and many never change them. One password can give a lot of access.
As unbelievable as this sounds, many passwords are simply guessed. Relating user behavior, the study found:
- 4.7% use the password password
- 8.5% use password or 123456
- 9.8% use password, 123456 or 12345678
- 14% use a password from the top 10 passwords
- 40% use a password from the top 100 passwords
- 79% use a password from the top 500 passwords
- 91% use a password from the top 10,000 passwords
Smart guessing is often the first automated cyber strike. Guessing attacks target account’s using short and simplistic passwords. Smart guessing is an efficient hacking use of time. During brute force attacks, top 10,000 password checks open 91% of accounts. For 8 character passwords, attacks take around 26 minutes.
About 70% of passwords contain dictionary words. Dictionary attacks are a variation of smart guessing. These attacks apply multi-language dictionaries to smart guessing. Hacker dictionaries contain words, names, inflections, phrases, abbreviations and hyphenations. Dictionary attacks try all combinations of words up to a certain length.
Passwords that combine dictionary words and random characters require hybrid attacks. These tools combine dictionary attacks with random characters. Hybrid password attacks take longer and often the last record exposed.
Strong Passwords Best Practices
For every organization, security starts with a strong password policy. Strong passwords never include names, phone numbers, or places. They do not contain proper nouns, dictionary words, or repeated characters. They don’t follow patterns or keyboard paths. They never reference birthdays, anniversaries, old addresses, or life events. They do not add single digits to words or spell backwards.
Secure passwords are never reused. They are easy to remember so they’re not written down. They are more than eight characters— the longer the better. They randomly place upper and lower case letters. They include punctuation and special characters when possible. They never reference sports, religion, love or popular culture past and present.
For strong passwords, use phrases rather than words. Do not capitalize to separate words and ideas. Write something about yourself only you know. Pick things transparent to anyone social engineering an attack. Then, apply a little creativity and deviate from norms.
Learn the Top 10 Password Management Best Practices for successful implementations from industry experts. Use this guide to sidestep the challenges that typically derail enterprise password management projects and prevent stong passwords.