October is Cybersecurity Awareness Month.
It’s an annual event run by CISA focused on education and information, and this year’s theme is “See Yourself In Cyber.”
One way that we can all see ourselves in the cyber landscape is through our use of passwords. We use them every day: to log into our accounts at work, to access our banking applications, and to get into our streaming services. But while passwords are a useful and low-cost way to verify identity, the people who use them keep finding ways to undermine their own protection.
Poor password hygiene and weak password policies both lead to password theft, and the problem is out of control. Compromised credentials (for example, stolen email and password combinations) are the leading cause of data breaches.
It’s no surprise that financial gain is the main motivator of attacks, but data itself is another prime target for cybercriminals. Accessing personally identifiable information (PII) held by healthcare organizations, school districts, and businesses is the goal of many attacks, and the repercussions are enormous. Organizations of all sizes are being attacked, and the attacks themselves are becoming more sophisticated.
How Can We Clean Up Password Hygiene?
There are several password hygiene habits that we could all kick to the curb: choosing weak passwords, sharing passwords, and above all, reusing passwords. The majority of users are “guilty” of at least one of them. Here’s why each matters:
- Choosing weak passwords
Unfortunately, even in 2022, users are still choosing incredibly easy-to-guess passwords, like ‘123456’, ‘password’ and ‘qwerty123’. Cybercriminals are well aware of this. They use these common passwords in password spraying attacks, trying a handful of likely passwords against a large number of accounts, and they feed previously leaked email and password pairs into credential stuffing attacks against other services.
- Sharing passwords
Whether it’s quickly texting a coworker your password so they can access a document, or sharing credentials with your family, password sharing is another bad habit. It’s common in industries where speed is crucial, like healthcare, and also in our personal lives. But the more people who know a user’s credentials, the less secure the account is, and the harder it becomes to tell who actually performed an action under that account.
- Reusing passwords
Over 60% of users admit to reusing passwords, often across devices and all sorts of accounts. Users often do this because having a single password that satisfies complexity requirements but is easy to remember means they don’t have to use a password manager or think too much about their logins. In the same vein, many users choose a base password they like and then make the same predictable changes to it (a different year, a trailing exclamation mark, a swapped-in symbol). These habits make it easy for attackers to access all of a user’s accounts once they have a single set of credentials, because automated tools try those predictable variations too.
While individual choices around passwords are certainly important, the reality is that these habits aren’t going anywhere. Users are not aware of the repercussions of password reuse, nor are they about to revamp all their account details. Companies have to accept that human error isn’t going anywhere and design their controls around it.
However, organizations can massively impact internal cyber hygiene by implementing password policies that focus on protecting both user data and the company itself from attack.
Revisiting your existing password policies, and aligning them with NIST’s guidance, can help prevent account takeover, data breaches, and ransomware attacks that begin with a single compromised account.
NIST’s current digital identity guidelines (SP 800-63B) recommend these actions for user-chosen passwords, among others:
- Remove periodic password change requirements
Studies have shown that requiring frequent password changes is actually counterproductive to good password security: users end up making tiny changes to their favored passwords over and over. NIST’s guidance is to require a change only when there is evidence that the password has been compromised.
- Get rid of arbitrary complexity requirements
When a password policy mandates a mixture of upper case letters, symbols and numbers, these restrictions often result in worse passwords instead of the stronger passwords they were intended to force: users satisfy the rules with predictable substitutions such as ‘P@ssw0rd1!’. Additionally, once a user has a password that “works” for all the requirements, they are likely to reuse it. NIST instead recommends a minimum length (at least 8 characters) and allowing long passphrases (at least 64 characters) without truncation.
- Screen passwords against a blacklist
When companies screen users’ passwords against lists of dictionary words, well-known common passwords, previously compromised credentials, and context-specific words such as the username or company name, they can stop breached and easily guessed passwords from being set on accounts in their environment.
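As an added example (this is not code from the original post, and not from any specific vendor), here is a small Python password screen that puts the three NIST recommendations above into practice, and also catches the “base password plus predictable changes” habit from the reuse section: it enforces a minimum length rather than composition rules, checks the password and its canonical form (lowercased, leet substitutions undone, trailing years and symbols stripped) against a blocklist, and rejects context-specific words and repetitive or sequential runs. The blocklist and the context values are constructed for the example; a real deployment would load a large breach corpus or query a breach-checking API, and would add no expiry timer.

```python
"""
Password screening in the spirit of NIST SP 800-63B section 5.1.1.2:
minimum length instead of composition rules, a blocklist of common and
breached values, and rejection of context-specific, repetitive and
sequential strings. There is deliberately no periodic-expiry logic.
"""
import string
import unicodedata

# Constructed stand-in for a breach/common-password corpus. A real
# deployment would load a large list or query a breach-checking API.
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "letmein", "welcome",
    "iloveyou", "admin", "summer", "football", "monkey",
}

MIN_LENGTH = 8      # NIST floor for user-chosen memorized secrets
MAX_LENGTH = 128    # NIST: accept at least 64 characters; never truncate

# Leet-speak substitutions users apply to a favourite base password.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})
_EDGE_CHARS = string.digits + string.punctuation + " "


def canonicalize(pw: str) -> str:
    """Reduce a password to the base word it was derived from: lowercase,
    strip leading/trailing digits and symbols (years, '!'), then undo
    leet substitutions. 'P@ssw0rd2022!' -> 'password'."""
    base = pw.lower().strip(_EDGE_CHARS)
    return base.translate(_LEET)


def has_trivial_run(pw: str, run: int = 4) -> bool:
    """True if any window of `run` characters is one repeated character or a
    strictly ascending/descending sequence ('aaaa', '1234', 'dcba')."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        diffs = {b - a for a, b in zip(window, window[1:])}
        if diffs in ({0}, {1}, {-1}):
            return True
    return False


def contains_context(pw: str, context) -> bool:
    """True if the password contains a context-specific value of 4+ chars
    (username, company or product name), case-insensitively."""
    low = pw.lower()
    return any(len(w) >= 4 and w.lower() in low for w in context)


def check_password(pw: str, context=()) -> list:
    """Return the reasons a candidate password is rejected; an empty list
    means it is acceptable. No upper/lower/digit/symbol rule is applied."""
    pw = unicodedata.normalize("NFKC", pw)  # NIST: normalize Unicode first
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if pw.lower() in COMMON_PASSWORDS or canonicalize(pw) in COMMON_PASSWORDS:
        reasons.append("matches a common or breached password "
                       "(or a predictable variant of one)")
    if has_trivial_run(pw):
        reasons.append("contains a repetitive or sequential run")
    if contains_context(pw, context):
        reasons.append("contains a username or service-specific word")
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs: a username and company name as context.
    ctx = ["jdoe", "Acme"]
    for candidate in ["P@ssw0rd2022!", "correct horse battery staple",
                      "abcd1234", "jdoe2022", "Summer2022!"]:
        verdict = check_password(candidate, ctx) or ["accepted"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

Note that ‘P@ssw0rd2022!’ satisfies every classic composition rule and still fails, because its canonical form is ‘password’, while the long lowercase passphrase passes. The canonicalization step is also what makes the blocklist useful against users who rotate a single base password with small edits.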
This Cybersecurity Awareness Month is your organization’s chance to make some of these changes. Aligning your password policy with NIST’s guidance has many positive outcomes, from building a reputation for being secure and respectful of client data, to closing off the compromised-credential path that many ransomware attacks start from.
Ready to join the organizations, governments, and educational institutions that have locked down their password hygiene?