Why Your Passwords are Your Biggest Security Weak Point

When I was a kid, my friends and I would play “spies” and invent secret passwords all the time. Back then, passwords were a way to know which of my friends were allowed to access our “secret” hideout or see “secret” messages. It was exciting, exclusive, sometimes hilarious and always fun.

For most people online today, the use of passwords is mundane. We have a password for Facebook, a password for email, a password for Amazon, a password to log into our computer or phone. Increasingly often, all of those passwords are the same or a variation of the same thing.

Most people don’t bother making unique and creative passwords for every account because, frankly, that many passwords would be frustrating to memorize. Because passwords and login information are often similar (or the exact same), as soon as a hacker can get your login for one service, such as a retail rewards program, your credit line is next.

Passwords, in many cases, are the only thing standing between the black market and your private information.

According to the PEW Research Center, 30% of adults online worry about the effectiveness of their passwords, and 25% use passwords that they know aren’t as secure as they could be. It comes as no surprise then that two-thirds of Americans have experienced some form of data theft in their lives. 14% of those surveyed admitted that individuals had stolen their data and used it to open lines of credit or take out loans in their name.

Why Your Business Should be Worried

The moment a hacker has access to your business services, they have the ability to hold your business hostage. In 2018, the entire government network of the city of Atlanta was held for ransom by a hacking group, according to the New York Times. Most city-run services were down as all of their files were locked with encryption. The hackers demanded $51,000 and gave Atlanta one week to pay it.

More recently, the city of Baltimore was hit by a cyber attack that is stunting real estate business operations in the city, since settlement deals cannot be finalized without city services.

As of May 14th, 2019 multiple real estate CEOs were cited as saying they had no idea when they could expect to close on the various settlement deals that had scheduled for the next several weeks.

Reports do not say how much the hackers want in exchange for Baltimore’s files and system access, but in 2017 security experts estimated that hackers have made over 1 billion dollars using phishing, keyloggers,  and third-party breaches. The financial loss to Baltimore, regardless of whether or not they choose to pay, is already significant.

How Hackers Get Passwords, and How to Stop Them

In 2017, Google published research conducted in partnership with the University of California at Berkeley that illustrates how hackers collect passwords and sell them on the black market. The three methods used for stealing passwords were phishing, keyloggers, and third-party breaches.

Phishing

According to Google, 12 million online credentials were stolen via phishing. Phishing is a fraudulent request, usually sent by email, for personal information like passwords. Phishing emails will ask for a user’s information directly, often pretending to be an online entity the user already has credentials with. A phishing email might ask you to enter credentials to update a password, address, or other information.

Phishing attacks are not limited to spam emails, however. Even the savviest user should be aware of phishing attacks like session hacking, which is where a hacker obtains access to your web session without your knowledge.

Once a phisher steals an email from your business, they will send from it to the rest of the company to get more. Knowledge of phishing practices is significant

Keyloggers

Keyloggers are another type of phishing attack. Google wrote that 788,000 credentials were stolen via this method in 2017. Keyloggers are the reason some websites require you to use mouse clicks to input credentials on a virtual keyboard, as keylogger refers to malware that is used to record keyboard clicks.

Your keyboard clicks are sent to hackers who use that information to figure out your password. This is also why easy passwords like “password1” tend to be highly insecure. It doesn’t take very long for an experienced hacker using a keylogger to figure it out.

Third-Party Breaches

Finally, Google states that 3.3 billion credentials were exposed to hackers via third-party breaches. If you, your company, or an entity that you use or do business with uses a third-party vendor or supplier, a breach in the third-party’s security can open your data up to hackers.

For example, Ticketmaster UK had an incident last year where their third-party chatbot service had been infected with malware that put users’ credential data (as well as personal and financial data) at risk.

So, How Do I Strengthen My Password Security?

Password security begins with a secure password. The National Institute for Standards and Technology’s guidelines for tech security says that a good password will be long, complex, and random. This means that long passwords with upper and lowercase letters, numbers, and unusual characters that are randomly generated is much more secure than a short, easy-to-remember password based on your favorite sports team.

The tradeoff for following these guidelines, of course, is that while your password will be much more difficult for, say, a keylogger to guess based on keystrokes, it will also be more difficult for you to remember. A memorized password is always safer than one that is recorded on paper or on your device, but the research shows that humans are only capable of so much password memorization before things start to get confusing.

That’s why the next step is to take measures to protect yourself against phishing, keyloggers, and third-party breaches.

Phishing.org lists the following ways to keep your credentials off the black market:

  • Be able to identify the common features of phishing emails. You can do this by asking yourself these questions if you get a suspicious email”
    • Is it too good to be true?
    • Is there a sense of urgency?
    • Is the email trying to convince you to click on a hyperlink? (Tip: Hover over links in emails before clicking on them. Secure websites will always start with “https.”)
    • Do the attachments on the email make sense?
    • Is the sender someone you were expecting to hear from? Is this a topic they would email you about?
  • Use spam filters on your email.
  • Update your browser settings to only open trustworthy websites.
  • Change your password regularly, even if you aren’t prompted.
  • Report suspicious activity, especially if you believe a third-party vendor has been compromised on a site you regularly use.

Out of all of these methods, changing your password regularly is the easiest and most powerful. Data breaches happen frequently at private companies, and private companies are not always obligated to make those breaches publicly known or even internally known to their employees.

There is also a chance that your company may experience a data breach and not find out about it for a long time. Changing your password every 3-6 months helps protect the data that is personally connected to you or the work you are doing and can frustrate a hacker by forcing them to perform the data breach all over again.

While secret passwords are no longer exclusively the stuff of spy fiction, their daily use online is vital for protecting your data from bad guys. Incorporating basic password knowledge and common sense will go a long way in keeping your information from the wrong people and off the black market.

Companies can also use secure password managers like LastPass, Dashlane, Chrome Password Manager, Zoho Vault, Keeper Password Manager or LogMeOnce to securely keep track of multiple passwords across different devices.