The Top 5 Risks to Password Security
February 20, 2024
Passwords are a staple of our everyday lives. They’re the key to our online world, securing everything from email accounts and financial transactions to shopping wishlists. But unfortunately, they’re more of a cybersecurity problem than a solution right now. Despite constant reminders, many folks still underestimate the power of a strong password. In fact, according to Verizon’s 2023 Data Breach Investigations Report, almost half (49%) of all organizational security incidents involved compromised credentials, with classics like “12345,” “qwerty,” and the dreaded “password” still making the rounds.
But it’s not just about the numbers and letters you use. Combine a weak password with subpar security and you’re more or less rolling out the welcome mat for threat actors. With more of our lives—and businesses—online than ever before, it’s time to crack down on credentials. Here are some of the biggest threats to password security and our top tips to keep the digital door locked.
Disclaimer: Please note that the information provided herein offers guidelines only. It is not exhaustive and does not constitute legal or cybersecurity advice. For more guidance, please consult a lawyer, a licensed insurance representative, and/or a cybersecurity specialist.
What are the risks?
1. Determined Hackers
According to Robert O’Connor, former Deputy Director of Enterprise Information Security at the CIA, there are three main ways to guess passwords: “guessing (by a human), cracking (by algorithmic brute force), and capturing (by gaining access to someplace where a password has been stored, whether that’s in a database or on a sticky note).”
Most conventional advice is designed to counter these techniques, but as always, hackers are one step ahead. As we implement fixes, they simply adapt and devise strategies to bypass them. Here’s an example: experts often recommend including special characters to strengthen passwords. However, cybercriminals know that most people tend to tack them on (usually “!” or “#”) at the beginning or the end and have developed algorithms to account for common patterns and themes.
While cybercriminals have countless ways of stealing credentials, some of the most popular methods remain:
- Phishing: A type of social engineering where cybercriminals try to trick, manipulate, or “phish” people into revealing sensitive information by clicking on fake links, opening infected attachments, or downloading malicious software. Phishing scams are typically sent through email or text message. Famously, this is how Casino Rama’s 2016 privacy breach occurred: a hacker impersonated a manager and sent a link to a holiday work schedule to 11 employees.
- Credential Stuffing: A type of brute force attack in which cybercriminals use leaked or known login credentials from one platform (user IDs, email addresses, passwords, and/or PINs) to gain unauthorized entry to other accounts. More recently, personal genomics and biotechnology company 23andMe reported that a hacker had compromised the data of 14,000 users due to a credential stuffing attack. Antivirus provider Norton also suffered a credential stuffing attack in 2022 that affected roughly a million customers.
- Password Spraying: A high-volume attack in which criminals don’t have access to known credentials, so they test, or “spray,” a single commonly used password against many usernames on the same application to find a combination that works. Because each account sees only one or two failed attempts, this method helps them avoid triggering automated lockout mechanisms that watch a single account.
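The difference between credential stuffing and password spraying is also the difference in how they show up in an authentication log: stuffing and classic brute force pile failures onto one account, while spraying spreads a handful of failures across many accounts from one source. The following detector, an added example and not code from the original post, reads a constructed log in a made-up `<timestamp> <FAIL|OK> user=<name> src=<ip>` format and labels each source by that shape. The thresholds are assumptions to tune against your own traffic.

```python
"""Label login-failure patterns per source IP: spraying, brute force, or normal.

Added example, not part of the original post. The log format and the
sample lines are constructed for the demo; real systems (Windows 4625
events, SSH auth.log, IdP sign-in logs) need their own parser.
"""
import re
from collections import defaultdict

# Constructed log format: "<timestamp> <FAIL|OK> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log (RFC 5737 documentation addresses, not real hosts):
#   203.0.113.7  fails once against six different users  -> spraying shape
#   198.51.100.9 fails six times against one account     -> brute-force shape
#   192.0.2.44   one typo, then a successful login        -> normal
SAMPLE_LOG = """\
2024-02-20T09:00:01 FAIL user=alice src=203.0.113.7
2024-02-20T09:00:02 FAIL user=bob src=203.0.113.7
2024-02-20T09:00:03 FAIL user=carol src=203.0.113.7
2024-02-20T09:00:04 FAIL user=dave src=203.0.113.7
2024-02-20T09:00:05 FAIL user=erin src=203.0.113.7
2024-02-20T09:00:06 FAIL user=frank src=203.0.113.7
2024-02-20T09:01:00 FAIL user=admin src=198.51.100.9
2024-02-20T09:01:01 FAIL user=admin src=198.51.100.9
2024-02-20T09:01:02 FAIL user=admin src=198.51.100.9
2024-02-20T09:01:03 FAIL user=admin src=198.51.100.9
2024-02-20T09:01:04 FAIL user=admin src=198.51.100.9
2024-02-20T09:01:05 FAIL user=admin src=198.51.100.9
2024-02-20T09:02:00 FAIL user=grace src=192.0.2.44
2024-02-20T09:02:09 OK user=grace src=192.0.2.44
"""


def parse(log_text):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def classify_sources(events, spray_min_users=5, brute_min_fails=5):
    """Return {src: label} where label is 'spraying', 'brute_force', or 'normal'.

    A per-account lockout at brute_min_fails attempts would stop the
    brute-force source but never fire on the spraying source, because no
    single account there exceeds two failures. That is why the spraying
    check counts distinct users per source, not failures per account.
    """
    fails = defaultdict(lambda: defaultdict(int))  # src -> user -> failure count
    for e in events:
        if e["result"] == "FAIL":
            fails[e["src"]][e["user"]] += 1

    labels = {}
    for src, per_user in fails.items():
        distinct_users = len(per_user)
        max_per_user = max(per_user.values())
        if distinct_users >= spray_min_users and max_per_user <= 2:
            labels[src] = "spraying"
        elif max_per_user >= brute_min_fails:
            labels[src] = "brute_force"
        else:
            labels[src] = "normal"
    return labels


if __name__ == "__main__":
    for src, label in classify_sources(parse(SAMPLE_LOG)).items():
        print(f"{src:15} {label}")
```

Run against the sample, the spraying source is flagged even though every account it touched stayed well under a typical lockout threshold; a rule that only counts failures per account would have missed it entirely.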
2. Poor Password Hygiene
What makes hackers so effective? They have multiple ways in to target a company through end-users’ habits. After all, not everyone has been trained on good security practices. New hires are vulnerable to mishaps, and someone who’s new to your field might not know the sector-specific requirements on how to protect sensitive data, especially if organizations aren’t onboarding sufficiently or providing regular privacy updates. Or maybe they don’t know the key industry players well enough to be able to spot signs of phishing or suspicious activity.
But experience doesn’t guarantee awareness; even the most seasoned industry professionals or longstanding employees might still be behind on proper password etiquette. Or they might think they’re protected by your company’s security perimeter and the watchful eye of IT.
Some of the most common (and worst) habits include:
Easy-to-Guess Passwords
Short, common, personal, and predictable passwords are a major culprit, like number sequences, “words” made up of letters next to each other on the keyboard, and base words like “password,” “welcome,” or “hello.” According to NordPass’s annual password hall of shame, the top five most common passwords across 35 countries last year were still 123456, admin, 12345678, 123456789, and 1234, all of which take less than a second to crack. “Password” takes the 7th spot, with other variations of 1-10 rounding out the top 10. Not much has changed in 10 years, though: according to SplashData’s 2014 list, the top 5 were virtually the same.
Password Reuse
Whether it’s due to convenience, laziness, or fatigue (more on that soon), employees tend to recycle the same username and password combo across multiple sites or platforms, business and personal. That means a single set of credentials can be used to unlock multiple accounts.
Password Sharing
Many workers also share passwords of commonly used business applications with co-workers. But here’s the tricky part: no matter how much you trust your teammate, there’s no guarantee that they’ll be as vigilant with your credentials as you would. Even if you only share it with one key colleague, there’s always a risk.
Weak Mobile Security
Employees often use their personal devices to access company resources and applications. However, they might not have sufficient protections or antivirus software in place. Or they might store passwords in insecure locations, like on their desktop or in a notebook, leaving them vulnerable to compromise.
3. Password Fatigue
Sometimes you don’t know what you don’t know. But in this day and age, most people know it’s bad to reuse, share, or have weak passwords—they just do it anyway. LastPass’s 2022 Psychology of Passwords Report found that nearly two-thirds (62%) of respondents always or mostly use the same passwords or a variation. And only 31% of users stopped reusing credentials after receiving cybersecurity education.
So if they know better, why aren’t they doing better? The short answer: they’re too tired. Passwords are everywhere these days. Between work and home, our day-to-day is oversaturated with countless websites, programs, platforms, and more, each with their own set of credentials. Whether it’s social media, online banking, or your Netflix subscription, most adults have at least 50 passwords to keep track of and it’s virtually impossible to remember or reset them all, particularly if they’re pressed for time. People fall back on weak passwords or repeat them because it’s just easier. After all, our minds can only take so much.
In some ways, combatting employee habits might even be tougher than dealing with hackers, since heightened measures, which are intended to boost protection, can often contribute to password fatigue and backfire. As organizations roll out more requirements—frequent changes, identity verification, diverse character demands—people are bound to feel more and more overwhelmed, prompting security shortcuts and laxer password hygiene.
4. Default Credentials
It’s not always the frontline staff; weak, default usernames for accounts with privileged access are another major concern. After the initial setup, most businesses tend to keep the default credentials that accompany vendor software, like “admin” (second on NordPass’s list), “root,” and “test,” even though they’re obvious targets for cybercriminals. The best example of this is Equifax’s infamous 2017 breach. Following the attack, researchers discovered web portals that were secured by just about the worst username and password combination possible: “admin” and “admin.”
5. Turnover
Regardless of the circumstances, employee departures are often stressful. And between severance pay, call forwarding, and disabling accounts, most people tend to forget about passwords, logins, and even wiping devices. Without standardized offboarding procedures, workers might still have access to file-sharing services (like Google Docs or Dropbox), social media, third-party systems, cloud services, and more. Kaspersky has a full list of possible scenarios here.
Unrevoked access can lead to anything from use of company-subscriptions to business email compromise to intellectual property theft. Research from passwordless authentication provider Beyond Identity found that 83% of former employees still had access to their previous employer’s assets, including old email accounts, work-related materials on a personal device, software, the website back-end, research, company ideas, strategic plans, client lists and contact information, process documents, and even financial data.
Even worse? If no one’s using those accounts regularly, you might not even notice suspicious activity at first. That’s why inactive and non-maintained accounts are a huge hotspot for cybercriminals. Companies with lots of seasonal employees, high turnover, or freelancers or subcontractors are also particularly at risk; managers might be granting logins to new employees or contractors without checking with IT first.
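The two failure modes described above (accounts that outlive the employee, and accounts nobody is watching) are both visible if you simply join the HR roster against the directory. The audit below is an added example, not code from the original post or from any vendor named in it; the roster, the directory export, the 90-day dormancy cutoff and the “as of” date are all constructed for the demo.

```python
"""Offboarding audit: find enabled accounts that should not be enabled.

Added example, not from the original post. HR_ROSTER and DIRECTORY are
constructed stand-ins for an HRIS export and a directory (AD/Okta/Google)
export; in practice both come from CSV or API pulls.
"""
from datetime import date, timedelta

AS_OF = date(2024, 2, 20)   # assumed audit date
DORMANT_DAYS = 90           # assumed threshold; tune to your policy

# Constructed HR roster: username -> employment status and end date.
HR_ROSTER = {
    "alice": {"status": "active", "end_date": None},
    "bob": {"status": "terminated", "end_date": date(2023, 11, 30)},
    "carol": {"status": "active", "end_date": None},
    "dave": {"status": "terminated", "end_date": date(2024, 2, 9)},
}

# Constructed directory export: one row per account.
DIRECTORY = [
    {"user": "alice", "enabled": True, "last_login": date(2024, 2, 19)},
    {"user": "bob", "enabled": True, "last_login": date(2024, 1, 15)},    # used after leaving
    {"user": "carol", "enabled": True, "last_login": date(2023, 10, 1)},  # nobody has used it
    {"user": "dave", "enabled": False, "last_login": date(2024, 2, 8)},   # correctly disabled
    {"user": "svc-reports", "enabled": True, "last_login": None},         # no owner, never used
    {"user": "contractor-zed", "enabled": True, "last_login": date(2024, 2, 18)},  # no HR record
]


def audit_accounts(directory, roster, as_of=AS_OF, dormant_days=DORMANT_DAYS):
    """Return {username: [reasons]} for every enabled account that needs review.

    Reasons:
      terminated_but_enabled - HR says the person left, the account still works
      login_after_departure  - and it has actually been used since the end date
      no_hr_record           - nobody in HR owns this login (manager-granted, service account)
      dormant                - never used, or unused for longer than dormant_days
    """
    cutoff = as_of - timedelta(days=dormant_days)
    findings = {}
    for acct in directory:
        if not acct["enabled"]:
            continue  # disabled accounts are the desired end state; nothing to report
        user = acct["user"]
        reasons = []
        rec = roster.get(user)
        if rec is None:
            reasons.append("no_hr_record")
        elif rec["status"] == "terminated":
            reasons.append("terminated_but_enabled")
            last = acct["last_login"]
            if last is not None and rec["end_date"] is not None and last > rec["end_date"]:
                reasons.append("login_after_departure")
        if acct["last_login"] is None or acct["last_login"] < cutoff:
            reasons.append("dormant")
        if reasons:
            findings[user] = reasons
    return findings


if __name__ == "__main__":
    for user, reasons in audit_accounts(DIRECTORY, HR_ROSTER).items():
        print(f"{user:15} {', '.join(reasons)}")
```

Note what the join catches that a per-system review would not: “bob” is a clean offboarding failure, but “contractor-zed” and “svc-reports” have no HR record at all, which is exactly the manager-granted-without-IT case the post describes. A finding of `login_after_departure` is the one to escalate first, since it is no longer a hygiene gap but evidence of access actually being exercised.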
What’s the impact?
Compromised credentials pave the way for threat actors to infiltrate business networks and wreak havoc on sensitive data. If an attacker successfully infiltrates an employee or admin account, they could gain entry into networks, email accounts, payment systems, and other secure platforms. From there, they could impersonate high-ranking individuals or other senior executives and authorize fraudulent transactions or manipulate invoices. Or they could lurk on your systems undetected for months, collect intel about your organization, and wait for the opportune moment to launch a ransomware attack.
Alternatively, malicious former employees who left on bad terms could steal clients, pass corporate data to cybercriminals, and otherwise try to sabotage your organization from within. But whether it’s accidental or intentional, an employee or a threat actor, a small slip-up or a full-on cyberattack, the consequences of a potential data leak are real and could lead to lasting financial, legal, and reputational harm. Under Canadian privacy laws, any unauthorized access to client data constitutes a privacy breach, and if your organization is found negligent, you could be liable for up to $100,000 in fines.
Even worse? Your Cyber Insurance might not come to the rescue either. Compromised credentials are a major player in privacy breaches and most insurance companies nowadays want solid proof of your password security protocols (think multi-factor authentication) before granting access to insurance or paying out a claim.
PRO Tips: What can you do?
With the rise of passwordless authentication, there are whispers we might soon be done with passwords. Passkeys, biometrics, and time-based one-time passwords (TOTP) from authenticator apps are poised to replace traditional controls altogether, or at least supplement them. But it might be a while before organizations hop on the bandwagon. Plus, a major overhaul will require employees to change their mindset about security, and we all know old habits die hard when it comes to technology. For now, the humble password is here to stay as our go-to frontline defence against cyber threats.
That means it’s time for all organizations to batten down the hatches and bolster their password management strategies. Strong and secure passwords still matter, more so as cyberattacks surge. You’ll need to make sure you have the right tech, the right procedures, and above all, the right approach to ensure your data doesn’t fall into the wrong hands. Here are some tips to help you get started.
1. PLAN
Have a clear, comprehensive policy, with clear guidelines for onboarding, offboarding, incident response, lockout procedures for inactive accounts, and password changes (as needed).
2. PROTECT
Advise all employees to practice good password etiquette. Tailor restrictions (i.e. character requirements, upper- and lowercase letters, numbers, symbols, etc.) to your industry, business, and security requirements, and create complex, unique passwords or passphrases for all systems.
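Character-class rules on their own do not stop the patterns the post calls out earlier: the NordPass top-five entries, keyboard-row “words,” vendor defaults like “admin” and “root,” and a base word with “!” or a year tacked on the end (“Welcome2024!”). The checker below is an added example, not code from the original post or from any product it mentions; it shows what a policy that actually targets those patterns looks like. The blocklist is a small constructed one built from the passwords the post names, and the 12-character minimum is an assumption.

```python
"""Password policy check that targets predictable patterns, not just character classes.

Added example, not from the original post. BLOCKLIST is constructed from the
passwords the post names; a real deployment would load a breach-derived list
of millions of entries instead.
"""
import re

MIN_LENGTH = 12  # assumed policy minimum

# Constructed blocklist: NordPass/SplashData chart-toppers plus vendor defaults.
BLOCKLIST = {
    "123456", "admin", "12345678", "123456789", "1234", "password",
    "welcome", "hello", "root", "test", "qwerty", "letmein",
}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
# Common substitutions people use to dodge a naive blocklist ("P@ssw0rd").
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "!": "i", "$": "s", "3": "e", "5": "s", "4": "a"})


def _base_word(low):
    """Strip leading/trailing digits and symbols, then undo leetspeak, so that
    'P@ssw0rd1!' and 'Welcome2024!' collapse to 'password' and 'welcome'."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", low)
    return core.translate(LEET)


def _has_keyboard_walk(low, run=4):
    """True if any `run` consecutive keys from one keyboard row (either direction) appear."""
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - run + 1):
                if seq[i:i + run] in low:
                    return True
    return False


def check_password(pw):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    reasons = []
    low = pw.lower()
    if len(pw) < MIN_LENGTH:
        reasons.append("too_short")
    if low in BLOCKLIST:
        reasons.append("blocklisted")
    elif _base_word(low) in BLOCKLIST:
        reasons.append("blocklisted_with_decoration")
    if _has_keyboard_walk(low):
        reasons.append("keyboard_walk")
    if re.search(r"(.)\1{3,}", low):
        reasons.append("repeated_characters")
    return reasons


if __name__ == "__main__":
    for candidate in ["123456", "P@ssw0rd1!", "Welcome2024!", "qwertyuiop12", "correct horse battery staple"]:
        print(f"{candidate!r:35} {check_password(candidate) or 'ok'}")
```

The interesting cases are the ones a “must contain a symbol and a digit” rule would wave through: `P@ssw0rd1!` and `Welcome2024!` both satisfy every character-class requirement and both fall to the same dictionary attack as the bare base word. A passphrase with no special characters at all passes, which is the point of the post’s advice to allow passphrases.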
3. VERIFY
Pair your password policy with multi-factor authentication (MFA) to add an extra layer of protection. Incorporate MFA across your enterprise wherever critical or sensitive data is stored or transmitted, including corporate email, VPNs, financial systems, and on all third-party accounts used to access your systems.
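To make the “extra layer” concrete: the TOTP codes from authenticator apps mentioned above are an HMAC over a 30-second time counter, and the server-side check has two details that matter for security, a small tolerance for clock drift and a refusal to accept a code from a time step that was already used. The following implementation is an added example, not code from the original post; it follows RFC 4226 (HOTP) and RFC 6238 (TOTP), and the shared secret `12345678901234567890` is the RFC test-vector key, used here only so the results can be checked against the published values.

```python
"""TOTP generation and verification per RFC 4226 / RFC 6238.

Added example, not from the original post. SECRET is the RFC test-vector
key (ASCII "12345678901234567890"); production secrets are random bytes
provisioned per user, typically shown to the app as base32.
"""
import hashlib
import hmac
import struct
import time

SECRET = b"12345678901234567890"  # RFC test vector, not a real secret


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current 30-second time step."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: float = None,
                step: int = 30, window: int = 1, last_used_counter: int = None):
    """Check a submitted code against the current step and +/- `window` steps.

    Returns (True, counter) on success so the caller can persist the counter and
    pass it back as last_used_counter next time; any step at or before that
    value is refused, which stops a captured code from being replayed inside
    the drift window. Comparison is constant-time.
    """
    now = time.time() if unix_time is None else unix_time
    current = int(now) // step
    for delta in range(-window, window + 1):
        c = current + delta
        if last_used_counter is not None and c <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, c), submitted):
            return True, c
    return False, None


if __name__ == "__main__":
    print("code at T=59:", totp(SECRET, 59))
    print("verify fresh:", verify_totp(SECRET, totp(SECRET, 59), unix_time=59))
    print("verify replay:", verify_totp(SECRET, totp(SECRET, 59), unix_time=59, last_used_counter=1))
```

Two things to take from it when evaluating an MFA product or writing the server side yourself: the drift window should be small (one step either way is typical), and the last accepted counter has to be stored per user, because without it a code phished from an employee remains valid for up to 90 seconds.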
4. SIMPLIFY
Consider solutions to make things easier on employees, encourage better passwords, and help them keep track of everything, like a password manager or single sign-on (SSO).
5. EDUCATE
Provide regular security awareness training to employees across all levels of the organization on the importance of password hygiene, how to recognize cyber threats, breach reporting, and more. Emphasize the role they play in organizational security and how valuable their efforts are.
6. SUPPLEMENT
Fortify your security with additional protections, like firewalls, anti-virus software, VPNs, encryption, and regular network scanning. Patch systems regularly with the latest updates when available. Apply the principle of least privilege and set up an offline backup system to restore your assets in case of a breach.
7. KEEP UP
Stay current with the latest security recommendations as the cyber landscape shifts. Be sure to revisit your password management strategy—and your privacy protocols overall—regularly and revise as needed, especially if there’s an incident.
8. OFFLOAD
Consider Cyber Insurance to help offset some of the potential financial loss following a breach, cyberattack, or network security issue, like if your company’s information is stolen by a hacker, or accidentally released by an employee. In addition to legal fees, a dedicated policy can provide you with access to: a specialized data forensics team, a legal breach coach, funds for client notification and credit monitoring, and PR consulting services.
9. PARTNER
Work with a dedicated risk advisor to ensure you’re meeting insurance companies’ baseline requirements to qualify for Cyber Insurance. That way, you can keep your security up to par and ensure you have coverage in the event of a breach. An advisor can also set you up with a risk management strategy to identify, mitigate, and transfer cyber threats.
How can we help you?
For more guidance on cyber risk management, connect with PROLINK. A licensed broker like PROLINK can help you plan, protect, and become resilient in the face of attack. With over 40 years of experience and a specialized knowledge of cyber markets, we’re ahead of industry trends. Our dedicated team of risk advisors will:
- Identify exposures based on your business operations and unique needs;
- Share what steps others in your industry are taking and advise you accordingly;
- Outline a proactive approach to risk management to control your costs long-term;
- Conduct a robust assessment of your existing insurance policies to detect any coverage gaps;
- Secure a specialized solution that aligns with your strategic objectives.
To learn about your exposures and how you can protect yourself, visit our Cyber Security & Privacy Breach Toolkit and connect with PROLINK today for more guidance!
PROLINK’s blog posts are general in nature. They do not take into account your personal objectives or financial situation and are not a substitute for professional advice. The specific terms of your policy will always apply. We bear no responsibility for the accuracy, legality, or timeliness of any external content.