Everybody Hates Passwords
Everybody hates passwords, and rightly so. There are many ways a password can fail at its one job. An attacker who wants into a password-protected system has plenty of options: if they can't bypass the password check altogether, they can try guessing it, shoulder surfing, phishing, installing a keylogger, or running a dictionary attack against it.
Each of these methods can be very effective at harvesting passwords, so every employee needs to know how to minimize their exposure to them. That starts with knowing what terms like “phishing” actually mean, so let's define the most common attack methods.
Your employees are most likely to meet phishing through email. Impostor emails are sent under the guise of a legitimate sender and are designed to trick the employee into entering sensitive information, including their username and password. They usually link to a website that looks legitimate, such as online banking, a payment processor, or an auction site, in the expectation that the employee will type their credentials into the bogus site without realizing it's a scam. Modern campaigns are more targeted: emails are crafted to look like activity notices from LinkedIn or Facebook, because a notice from a service you actually use is one you are more likely to click.
The human mind is a funny thing. Despite being so complex, it tends to be predictable. Without a policy in place, employees will pick simple passwords that are easy to remember, which also makes them easy to guess. Perennial favourites include “password”, “Password1”, “12345”, “qwerty”, “admin”, and any row of keys on the keyboard, along with names, dates, birth years, and other personal details that are easy to look up. An attacker who understands that predictability does not need many guesses.
Shoulder surfing is direct observation: watching over someone's shoulder while they type. An attacker who watches an employee log in only has to remember the username and password to get into the company account. Even if the employee was logging into a personal account, there is a good chance the same password is used at the office.
Using specialized cracking tools, attackers let their computers guess passwords automatically by trying every word in a dictionary, plus combinations of words with numbers, symbols, and common letter substitutions. This used to be slow and expensive; with cheap modern computing power it is now fast and cheap, especially when the attacker has obtained a copy of the hashed password database and can test guesses offline without being throttled by the login form.
There is an endless variety of Trojans, spyware, and viruses that can stealthily install themselves on the devices you use. A keylogger captures the exact keystrokes a user makes while logging in and sends them to whoever controls it. Often the malware caches what it gathers and uploads it while the system is idle, handing the attacker the exact user ID followed by the exact password or passphrase as typed.
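The dictionary attack described above, as an added example that is not part of the original article: a constructed six-word list, a handful of mangling rules (capitalisation, leet substitutions, common suffixes), keyboard walks and two-word combinations are run against a constructed "leak" of four unsalted SHA-256 hashes. The wordlist, rules and sample passwords are all assumptions chosen to keep the run small; a real attack uses lists of millions of entries and hundreds of rules, and the point is that the predictable passwords fall in well under two thousand guesses while the random four-word passphrase does not.

```python
import hashlib
import itertools

# Constructed wordlist and rule set (assumptions for the demo). Real attacks use
# lists with millions of entries and hundreds of rules; the shape is the same.
WORDLIST = ["password", "welcome", "summer", "dragon", "qwerty", "letmein"]
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
SUFFIXES = ("", "1", "12", "123", "!", "1!", "2023", "2024")
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "$"})


def mangle(word):
    """Yield the variants a cracker's rule set typically derives from one word."""
    bases = [word, word.capitalize(), word.upper(),
             word.translate(LEET), word.capitalize().translate(LEET)]
    seen = set()
    for base in bases:
        for suffix in SUFFIXES:
            cand = base + suffix
            if cand not in seen:
                seen.add(cand)
                yield cand


def candidates(wordlist=WORDLIST):
    """Dictionary words with rules, then keyboard walks, then two-word combinations."""
    for word in wordlist:
        yield from mangle(word)
    for row in KEYBOARD_ROWS:
        for n in range(4, len(row) + 1):
            for i in range(len(row) - n + 1):
                yield row[i:i + n]
    for a, b in itertools.permutations(wordlist, 2):
        yield from mangle(a + b)


def sha256_hex(text):
    # Unsalted SHA-256 stands in for the fast hash found in badly built systems;
    # a GPU tests billions of these per second. A slow, salted password hash
    # (bcrypt, scrypt, Argon2) is what makes this loop expensive for the attacker.
    return hashlib.sha256(text.encode()).hexdigest()


def crack(target_hashes, guesses, limit=1_000_000):
    """Try guesses until every target is recovered or `limit` guesses are spent.

    Returns (recovered, tried) where recovered maps hash -> plaintext.
    """
    remaining = set(target_hashes)
    recovered = {}
    tried = 0
    for guess in guesses:
        if tried >= limit or not remaining:
            break
        tried += 1
        digest = sha256_hex(guess)
        if digest in remaining:
            recovered[digest] = guess
            remaining.remove(digest)
    return recovered, tried


# Constructed "leaked" database: four sample passwords hashed the bad way.
SAMPLE_PASSWORDS = ["Password1", "qwerty", "Dr4g0n123", "ferret violin cobalt marmalade"]
LEAKED_HASHES = [sha256_hex(p) for p in SAMPLE_PASSWORDS]


def demo():
    """Run the attack against the constructed leak; return (plaintexts found, guesses used)."""
    recovered, tried = crack(LEAKED_HASHES, candidates())
    return sorted(recovered.values()), tried


if __name__ == "__main__":
    found, tried = demo()
    print(f"recovered {found} after {tried} guesses")
    print("not recovered:", [p for p in SAMPLE_PASSWORDS if p not in found])
```

The same loop is what a cracking tool runs; what changes between a weekend and a geological age is the hash function on the defender's side and the length and randomness of the password on the user's side.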
With so many weapons in the arsenal of cybercriminals, it can seem like passwords have no hope at all. Fortunately, with the right type of password management software, and strong password management practices, a lot of these risks can be mitigated.
While it’s up to your company's IT manager to direct employees on IT security best practices, it is the responsibility of every employee to safeguard critical, confidential information.
What can your users do to…
Protect themselves against phishing
Teach your users to treat every email as suspect. If an email asks you to log in to a website, don't click the link in the email; open the site by typing its address or using a saved bookmark and log in there. That removes the risk of landing on the look-alike site the link actually points to.
Protect their passwords against guessing and dictionary attacks
Predictable passwords are risky, which is why most password policies require mixed case, numbers, and symbols. A good password should make sense to nobody but you. A memorable but seemingly random string of characters and numbers holds up well against guessing and dictionary attacks. If that is hard to remember, use a passphrase: several unrelated words, with their case and punctuation, are better than a famous line from a book or song, because well-known quotes and lyrics are already in attackers' wordlists. Length beats complexity: each extra character multiplies the search space, and brute force simply cannot reach long credentials that aren't built from dictionary words.
Protect them from themselves
Shoulder surfing, keylogging, and phishing are so damaging in part because users reuse passwords across accounts: one stolen password opens several doors. Make sure your users know that reusing a password between work and personal accounts is unacceptable. If their Facebook password is breached, it lets attackers into their business accounts, and a breach at the business could just as easily let attackers into their personal accounts. It's a lose/lose scenario; make sure they're aware of it.
Fortunately, the security of your business isn't entirely dependent on your users. There are a number of ways a business can reduce its password risk.
What can your business do to…
Protect their users from phishing attempts
The best defense against phishing is a combination of user training, anti-spam filtering, and policies that prevent clicking untrusted links in the email client; you may also want to consider a password management solution that automates the end-user password process. If your users log into their applications through single sign-on, they don't have an application password to give away. You can't reveal a password you don't have. The SSO credential itself then becomes the high-value target, so protect it with multi-factor authentication.
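The "don't click the link" advice for users and the "block untrusted links" policy for the business come down to the same check, shown here as an added example that is not the article's own code or any product's: extract every link from an HTML mail body, then flag links that are not HTTPS, that go to a domain outside a constructed allowlist (`TRUSTED_DOMAINS`, an assumption), or whose visible text shows one address while the href goes somewhere else. The sample email and the two-label "registrable domain" shortcut are assumptions; a real filter would use the public-suffix list.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist (assumption): the domains this company really sends users to.
TRUSTED_DOMAINS = {"example.com", "bank.example"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL, or of bare address text such as 'example.com/login'."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registrable(host):
    # Last two labels is a rough stand-in for the public-suffix list; it is enough
    # to see that 'example.com.login-verify.net' is login-verify.net, not example.com.
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def link_problems(href, text):
    """Return the reasons a link should not be clicked; an empty list means it passed."""
    reasons = []
    href_host = host_of(href)
    if urlparse(href).scheme != "https":
        reasons.append("not https")
    if registrable(href_host) not in TRUSTED_DOMAINS:
        reasons.append(f"untrusted domain: {href_host}")
    # Visible text that looks like an address must agree with where the link goes.
    if "." in text and " " not in text:
        text_host = host_of(text)
        if text_host and registrable(text_host) != registrable(href_host):
            reasons.append(f"text shows {text_host} but link goes to {href_host}")
    return reasons


def scan_email(html):
    """Map each link's visible text to its list of problems."""
    parser = LinkExtractor()
    parser.feed(html)
    return {text: link_problems(href, text) for href, text in parser.links}


# Constructed sample: one genuine link and two typical phishing links.
SAMPLE_EMAIL = """
<p>Your account needs attention.</p>
<a href="https://portal.example.com/login">Sign in to the portal</a>
<a href="http://example.com.login-verify.net/auth">https://example.com/login</a>
<a href="https://bank-example.net/secure">Verify your bank account</a>
"""

if __name__ == "__main__":
    for text, problems in scan_email(SAMPLE_EMAIL).items():
        print(f"{text!r}: {problems or 'OK'}")
```

The second link is the classic trick: the text reads `https://example.com/login`, the real destination is a subdomain of `login-verify.net`, and the scheme is plain HTTP. The check a user performs by hovering over the link is exactly what `link_problems` does.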
Protect their accounts from guessing and dictionary attempts
A strong password policy is a good start, but businesses can do more than impose requirements on their users. Multi-factor authentication (MFA) requires more than one proof of identity, so a guessed or cracked password is not enough on its own, which makes it a strong mitigation for guessing and dictionary attacks (keep rate limiting and lockout on the login endpoint as well, so that online guessing is slow as well as insufficient). Going a step further, you can take the password out of the login altogether with a one-time passcode, a hardware token, or federated sign-in.
Keep users from reusing passwords
Again, this is something a good password management system can help with, but be clear about which kind of reuse you are preventing. History checks stop a user from cycling back to an old password on the same account; they do nothing about the same password being used on another site. For that, a password management system that generates and fills passwords automatically is the answer: users never see their passwords, and a password they don't know is one they can't reuse.
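To show what the policy enforcement discussed under guessing, dictionary attacks and history checks looks like in code, here is an added example that is not the article's own code or any product's. The checker rejects short passwords, entries from a constructed blocklist (with trivial suffixes stripped), keyboard walks, and passwords containing the username, and it enforces a history check the safe way: old passwords are kept only as individually salted PBKDF2 hashes, so the history itself is not a plaintext list waiting to be stolen. The blocklist, the sample user and the low iteration count are assumptions for the demo.

```python
import hashlib
import hmac
import math
import os

# Constructed blocklist (assumption); production uses a list of known-breached passwords.
COMMON_PASSWORDS = {"password", "12345", "123456", "qwerty", "admin", "letmein", "welcome"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
ITERATIONS = 50_000   # kept low so the demo runs quickly; raise it in production


def hash_password(password, salt=None):
    """Return (salt, digest); every history entry gets its own random salt."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def in_history(password, history):
    """True if the candidate matches any stored (salt, digest) pair."""
    for salt, digest in history:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def is_keyboard_walk(password):
    low = password.lower()
    return len(low) >= 4 and any(low in row or low in row[::-1] for row in KEYBOARD_ROWS)


def brute_force_bits(password):
    """Upper bound on strength: log2 of the search space for a blind brute force.

    Dictionary words and keyboard walks are far weaker than this number suggests,
    which is why the blocklist checks exist alongside it.
    """
    charset = 0
    if any(c.islower() for c in password):
        charset += 26
    if any(c.isupper() for c in password):
        charset += 26
    if any(c.isdigit() for c in password):
        charset += 10
    if any(not c.isalnum() for c in password):
        charset += 33
    return len(password) * math.log2(charset) if charset else 0.0


def check_password(password, username, history, min_length=12):
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    low = password.lower()
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if low in COMMON_PASSWORDS or low.rstrip("0123456789!@#$") in COMMON_PASSWORDS:
        problems.append("common password, possibly with a trivial suffix")
    if is_keyboard_walk(password):
        problems.append("keyboard walk")
    if username and username.lower() in low:
        problems.append("contains the username")
    if in_history(password, history):
        problems.append("reused a previous password")
    return problems


def rotate(history, new_password, keep=5):
    """Record an accepted password in the history, keeping only the last `keep` hashes."""
    return (history + [hash_password(new_password)])[-keep:]


if __name__ == "__main__":
    # Constructed sample: user jdoe with one prior password on record.
    history = rotate([], "OldPassw0rd!2023")
    for candidate in ["Password1", "qwertyuiop", "OldPassw0rd!2023", "jdoe-rocks-2024!",
                      "ferret violin cobalt marmalade"]:
        print(f"{candidate!r}: {check_password(candidate, 'jdoe', history) or 'OK'}"
              f"  (~{brute_force_bits(candidate):.0f} bits against brute force)")
```

Note what the history check can and cannot do: it catches `OldPassw0rd!2023` coming back on this account, but it has no way of knowing that the same string is also the user's Facebook password. Only generating unique passwords per site closes that gap.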
Let’s be honest with ourselves, everybody hates passwords… but it doesn’t have to be that way! Passwords are an integral part of IT security, and with the right set of tools you’ll never need to struggle with passwords again. No toolkit is complete without a solid guide, and we have one of the finest.