Ask the average person in the street for a basic element of cybersecurity and ‘passwords’ will likely come up pretty quickly. Press them to explain what a ‘strong’ password is, and even the least computer literate tend to understand the importance of choosing hard-to-guess options containing a mixture of characters, and of not reusing the same password between different accounts.
However, ‘understanding’ is not the same as ‘practicing’. New research has revealed that many people are still using predictable, easily guessed or otherwise weak combinations. According to the research, the top passwords of 2016 were ‘123456’, ‘qwerty’ and ‘111111’, with more than half of people using one of the 25 most common passwords; the most common one, ‘123456’, was used by 17% on its own. The list was compiled by analysing login credentials leaked in data breaches, over 10 million passwords in total.
This isn’t just an issue for the end users who run the risk of malicious hackers gaining access to their bank accounts or email addresses. Businesses of all types should sit up and take notice, because bad password practices don’t just affect consumers, they affect organizations too. A data breach caused by a cybercriminal cracking a weak password has to be reported just the same as any other, and it carries the same costly revenue and reputation repercussions.
Then there’s the question of passwords that protect company assets. What if one of your employees has set a weak or predictable password to protect their access to sensitive business information? What if they use the same password for external accounts that they also use within your business, so that a breach of some unrelated website hands an attacker a valid login to your systems? Statistically, a significant proportion of your employees are likely to be following bad password practices that could put you at risk.
Certainly users need to be better educated about good password practice, but a more effective solution is to look more closely at the process of password protection itself. As we highlighted at the beginning of this blog, a single username/password combination is a fundamental building block of cybersecurity, which is another way of saying it has been around for a very long time. Isn’t it time for something more sophisticated?
That solution is far more secure, doesn’t depend on every individual user adhering to a set of good practices, and yet is simple and cost-effective to implement. We’re talking about two factor or multi factor authentication (MFA).
These solutions take the powerful aspect of password protection, the fact that each user has their own unique secret with which to access a system, and strengthen it by adding an extra, more context-specific verification layer. So, as well as a password that could be cracked or stolen, the system also asks for something else: a fingerprint or voice sample (biometric verification), or an additional code that is either time-sensitive or single-use. The latter option is usually the easier and more cost-effective to implement; the second code can simply be texted to the user’s phone or generated by an authenticator app that shares a secret key with the server.
This means that any cybercriminal wishing to gain access to the system, even if they have stolen or guessed the original password, then has to carry out the far more complex and costly task of obtaining the one-time code for the user’s phone before it expires. In the vast majority of cases this is simply not worth their effort, and they move on to an easier target. (SMS is the weakest of the channels mentioned here, since codes sent by text can be redirected by attacks on the phone number itself; an authenticator app or hardware token avoids that exposure.)
Clavister so firmly believes that multi factor authentication is becoming as fundamental a part of an overall cybersecurity posture as usernames and passwords were in decades past that earlier this year we launched our own MFA solution. Our VPN tunnel and web interfaces can now be secured with multi factor authentication, slashing the risk of companies falling victim to cyberattacks that prey on weak or reused passwords. It’s as simple as 123456.