Recycled Passwords Are Putting Your Company at Risk
From MyFitnessPal to Equifax and Ticketfly to MyHeritage, it seems like every week we learn of a new security breach that impacts our personal information. In fact, in the time it takes for you to read this sentence, there will be approximately 280 data records stolen, with nearly five million records breached every day.
Yet, despite the proliferation of cybersecurity threats, consumers seem somewhat unfazed by the risks their own behaviors pose to their accounts. For example, a recent survey found that only 55 percent of people would change their password if their account was hacked. It also found that fear of forgetting passwords is driving this user apathy.
While our brains are oversaturated with information every day, this password indifference becomes even more critical when we look at employee password behaviors and how they can put business information at risk. The truth is, complacency can cost you, whether with personal or work accounts.
Here are four password mistakes you’re making and how to fix them.
1. Thinking your passwords aren’t at risk.
Think your data isn’t valuable enough to make it worth a hacker’s time? Think again. While it might be obvious that a banking or PayPal account has value for hackers, over the past year, stories have emerged about hacked Airbnb, ride-sharing and even food delivery accounts. Did you know that these logins can be sold by hackers on the dark web too?
Verizon’s 2017 Data Breach Investigations Report found that 81 percent of hacking-related breaches leveraged stolen and/or weak passwords. A password can be a goldmine for hackers looking to exploit that information to get access to other accounts, data and more. Whether it’s your banking login or even a long-forgotten login to a shopping site or rarely used employee site, your password is almost always valuable to a hacker.
This is why users should treat every account as unique. Be sure not to share credentials and log-in information across sites, no matter how seemingly unimportant the accounts may be. And don’t make it easy for hackers to guess your password. Passwords should be lengthy and complex.
2. Reusing passwords, especially from home to office.
We’ve all done it. You create a strong password that passes the security test on one website and decide to use that password over and over again. A recent survey found that 91 percent of people know that using the same passwords for multiple accounts is a security risk, yet 59 percent mostly or always use the same password. However, if a hacker gets access to a password used across multiple accounts, they have access to much, much more of your information. While this can be problematic for your personal data security, it can become even riskier when this behavior moves from home to the office, where confidential information is stored for the business and numerous employees. Take Dropbox as an example. An employee’s re-used password, obtained from the LinkedIn breach, was used to steal user credentials for more than 60 million accounts.
That’s why no two accounts should ever use the same password, whether at home or at work. Using unique passwords ensures that a breach at one website doesn’t result in a stolen account at another. While this might seem like a daunting task, password generators can help to simplify the process and take the guesswork out of creating unique logins for each site. And using a password manager can help you securely keep track of credentials for each site. These tools can alert you when a password is duplicated across accounts and will allow you to change a password with the click of a button, which is beneficial following major breaches, like the Netflix breach.
3. Using your default password.
Unchanged default passwords like “admin” or “password” can leave your information vulnerable to compromise. While these default passwords can be easy to remember for accounts we use every day like employee logins, these passwords can be a hacker’s go-to to gain access to your account. Default passwords are also a risk for any hardware or software you use to keep your business operating, from routers to collaboration software.
The good news is, this is an easy fix. You can change your password at any time. But if fear of forgetfulness is holding you back, consider using a passphrase instead of just a password. A passphrase is a string of words or phrases put together to create one long phrase that’s easy for you to remember, but difficult for anyone else to guess or crack. For example, you can use your dog’s birthday to create a passphrase such as “mydogmolly’sbirthdayis_october19.”
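The duplicate-password alert from item 2 and the default-password check from item 3, written out as an added example; it is not code from the original article or from any particular password manager. The vault layout, account names and the audit function are assumptions made for illustration, and the sample entries are constructed.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Defaults named in the article; extend with the vendor defaults of your own gear.
DEFAULT_PASSWORDS = {"admin", "password"}

# Constructed sample export: (account, context, password). Not real credentials.
SAMPLE_VAULT = [
    ("shopping-site", "home", "Tr0ub4dor&3-long"),
    ("payroll", "work", "Tr0ub4dor&3-long"),      # same password reused at the office
    ("office-router", "work", "admin"),           # unchanged default
    ("food-delivery", "home", "password"),        # unchanged default
    ("email", "home", "correct-horse-example-phrase"),
]


def audit(vault):
    """Return (reused, defaults) findings for (account, context, password) rows."""
    # Per-run random key: passwords are grouped by keyed fingerprint, so the
    # grouping table never holds plaintext and is useless outside this run.
    key = secrets.token_bytes(32)
    groups = defaultdict(list)
    defaults = []
    for account, context, password in vault:
        if password.strip().lower() in DEFAULT_PASSWORDS:
            defaults.append(account)
        tag = hmac.new(key, password.encode("utf-8"), hashlib.sha256).digest()
        groups[tag].append((account, context))

    reused = []
    for members in groups.values():
        if len(members) > 1:
            contexts = {ctx for _, ctx in members}
            reused.append({
                "accounts": sorted(acct for acct, _ in members),
                # Reuse that spans home and work is the case item 2 warns about.
                "crosses_home_and_work": {"home", "work"} <= contexts,
            })
    reused.sort(key=lambda finding: finding["accounts"])
    return reused, sorted(defaults)


if __name__ == "__main__":
    reused, defaults = audit(SAMPLE_VAULT)
    for finding in reused:
        print("reused:", finding)
    print("defaults still in place:", defaults)
```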
4. Two-factor authentication is there, but you don’t use it.
While long, complex passwords are important, they are not sufficient on their own. Many websites now offer two-factor authentication for added security. Two-factor authentication means adding another login step when you’re signing into an account. It combines something you know (your password) with something else you have, like your phone or fingerprint, or even your location, that lets you approve a new login.
Whenever possible, turn on two-factor authentication with your accounts. The benefit of two-factor authentication is that, should your password somehow be compromised (perhaps in a phishing attack), the attacker still won’t be able to get into your account without the two-factor authentication information.
As today’s hackers have access to more tools and exploits, and cyber threats become more advanced, threats to our data within accounts of all kinds are becoming a daily occurrence. Whether it’s your food delivery account or your payroll login, it’s critical that we treat passwords as the first line of defense. Making these quick fixes to your everyday password habits can help minimize risk of a compromise to your personal information and limit your business’s attack exposure.