Two of the most frequently asked questions that come across my desk are “Do I need to worry about the ‘fill in the blank’ security issue I saw on the news this week?” and “Why do you IT guys always make such a fuss about passwords?” Both questions are more closely related than you may think.
Frequently when a security breach occurs, email addresses, passwords, and other sensitive data are made available on the internet. Security firms get their hands on this data and can run statistical analysis on it; the results are terrifying. According to the firm SplashData, 10% of all users use a password on the top 25 frequent passwords list. The 5 most frequently used passwords from their 2018 list are as follows:
If the above information wasn’t bad enough, many users use the same email address and password for multiple accounts at various places on the internet.
Let me run through two scenarios of what commonly occurs:
- Joe works for ABC Co. and his email is email@example.com. Joe sets up the password “123456” for his account. Someone attempts to hack Joe’s account and uses the top 25 password list. The hacker gets into Joe’s account with almost no effort.
- Fred works for ABC Co. and his email is firstname.lastname@example.org. Fred uses the password “Sunny2019Vacation.” Fred knows his password is strong, so he uses the same password for his Netflix account, his Bank account, and his Equifax credit service account. Hackers breach his bank, and now know that email@example.com has a password of “Sunny2019Vacation.” The hacker gets into most of Fred’s accounts.
Back to the questions from the start of this blog. “Do I need to worry about the ‘fill in the blank’ security issue I saw on the news this week?” The answer to this is yes, you should be worried! If you want to protect yourself and your firm against the security issue, make sure you listen to your IT guy who makes a fuss about passwords. Ensure your users are using long passwords or passphrases, and make sure they are changed on a regular basis. Longer passwords/passphrases rarely show up on frequent password lists, and changing your password frequently ensures that should a breach happen elsewhere, you will have already changed your password.
Have other IT issues at your organization or need a deeper security conversation? Let’s chat!