Passwords! The major frustration of all computer users within the organisation. Have you ever really considered how important your password is?
You probably think you don’t have access to anything of interest to anyone, so it doesn’t really matter that you keep your latest password written on a post-it note on the inside panel of your desk drawer, or that you shared it with your PA. You might not have access to patient data or staff records, but you do have an email account. If someone with nefarious intentions were to obtain your password they could send an email containing the latest form of ransomware, send people to phishing websites, or attach a virus to an email and send it to colleagues internally while impersonating you, so that colleagues trust the email enough to open it. They could plant virus-laden files on the shared drive in areas you and your colleagues have access to.
If you make the mistake of using the same password for other things, such as personal email accounts, social media accounts or banking, they could start to lock you out of your own digital world or simply cause chaos within the organisation. You could be the pivot point that cyber attackers or disgruntled colleagues use to carry out attacks on the organisation. Your password is often the first line of defence.
In order to make you more aware of how your password can be obtained I’ve detailed some common techniques:
Passwords transmitted over the network using plain text can be intercepted. This includes putting passwords into emails and sending them or typing them into websites that don’t use modern security standards to encrypt the passwords.
Attackers can automate the guessing of billions of passwords until the correct one is found.
The IT infrastructure (for example the shared drive) can be searched for electronically stored passwords. If you have a spreadsheet containing a list of passwords, then you need another solution.
Passwords written down and stored somewhere near a device can be stolen. All too often we find computer users writing passwords in notebooks or on post-it-notes.
Personal information such as your name, date of birth, children’s names and pets’ names can be guessed. Those you work alongside can obtain this information without much hassle, and public social media postings can give away much of it too.
Someone can simply look over your shoulder while your password is being entered.
Social engineering can take the form of a convincing link in an email enticing you to enter your password into a convincing-looking website, or even a phone conversation with somebody who claims to be in another department and sounds convincing. Social engineers often find that if they say something with enough confidence, others will be convinced.
Keystroke logging can take the form of software installed on your computer without your knowledge, or a device that your keyboard plugs into before it plugs into your computer, capturing every keystroke typed.
So what can you do to combat some of these techniques?
- Don’t use dictionary words
- Don’t use words or dates relating to you personally
- Don’t write your password down
- Don’t store passwords in plain text in an electronic file
- Don’t share your password. Not even with trusted colleagues
- Don’t use adjacent keyboard combinations such as qwerty, asdzxc and 123456
- Don’t re-use passwords for other things such as email or social media
- Do use special characters such as # : + >
- Do use a random passphrase that you may find easier to remember. For example CockerSpaniel+Poodle=Cockapoo
- If you absolutely need to write your password down because you’re unable to remember it, then don’t write down the actual password. Instead write down a clue to your password, and don’t keep it near the device you log in to with it
A password such as the word “glue” could be cracked within 11 microseconds using automated brute force methods on a standard computer.
A password such as “television” can be cracked within 1 hour. By adding a # to the end to make it “television#” it could be cracked within 5 months.
The above passphrase of “CockerSpaniel+Poodle=Cockapoo” could be cracked within 72 decillion years.
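To see why the crack times above spread across so many orders of magnitude, here is an added example (not from the original article) that estimates the brute-force keyspace of each sample password from the character classes it uses and its length. The guess rate of ten billion per second is an assumption for illustration, so the times it prints differ from the figures quoted above; the ratios between them are the point.

```python
import string

# Printable-ASCII character classes. A blind brute-force search must cover a
# whole class as soon as one character from it may appear in the password.
CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26 symbols
    "upper": set(string.ascii_uppercase),   # 26 symbols
    "digit": set(string.digits),            # 10 symbols
    "symbol": set(string.punctuation),      # 32 symbols
}

def alphabet_size(password: str) -> int:
    """Size of the smallest alphabet covering every character class the password uses."""
    return sum(len(chars) for chars in CLASSES.values() if any(c in chars for c in password))

def keyspace(password: str) -> int:
    """Number of candidates an exhaustive search over that alphabet and length must try."""
    return alphabet_size(password) ** len(password)

def expected_seconds(password: str, guesses_per_second: float) -> float:
    """Mean time to hit the password: on average half the keyspace is searched first."""
    return keyspace(password) / 2 / guesses_per_second

def describe(seconds: float) -> str:
    """Render a duration in the most readable unit, from microseconds up to years."""
    year = 365.25 * 24 * 3600
    for unit, size in (("years", year), ("days", 86400), ("hours", 3600),
                       ("minutes", 60), ("seconds", 1)):
        if seconds >= size:
            return f"{seconds / size:.3g} {unit}"
    return f"{seconds * 1e6:.3g} microseconds"

# Assumed guess rate, chosen only for illustration; it is not a measurement
# of any particular cracking rig, so absolute times are indicative only.
ASSUMED_GUESSES_PER_SECOND = 1e10

if __name__ == "__main__":
    # The four sample passwords discussed in the article.
    for pw in ("glue", "television", "television#", "CockerSpaniel+Poodle=Cockapoo"):
        n = alphabet_size(pw)
        secs = expected_seconds(pw, ASSUMED_GUESSES_PER_SECOND)
        print(f"{pw!r}: {len(pw)} chars from a {n}-symbol alphabet, "
              f"{keyspace(pw):.3g} candidates, about {describe(secs)} on average")
```

A dictionary attack on “television” needs only as many guesses as the wordlist has entries, which the keyspace figure does not capture; that gap is why the list above says not to use dictionary words.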
21% of people use passwords that are over 10 years old. That means you created your password when Brad Pitt and Jennifer Aniston were still together.
47% of people use passwords that are at least 5 years old. That means you created your password before the London Olympics.
Don’t be the weak point in the organisation. Take a look at your own password policy and assess if you need to change how you do things. The horizon of cyber security is always changing. Methods of being hacked are always changing but passwords still remain a common gateway for cyber attackers.