One of cyber criminals’ favourite ways of breaking into organisations is brute-force or ‘password spraying’ attacks: bombarding login pages with guesses drawn from lists of the most common passwords. (A classic brute-force attack throws many passwords at one account; spraying tries a handful of common passwords against many accounts, which keeps each account below lockout thresholds.)
It’s so much easier to access a site or service with someone’s login credentials than it is to exploit a technological vulnerability or craft a convincing phishing scam. There’s far less legwork involved, and a correct guess gives you everything the legitimate user can do, with no exploit to develop and no malware to get past defences. The one thing that spoils this for the attacker is multi-factor authentication, which a password alone won’t satisfy.
So it was great news for criminals when the NCSC (National Cyber Security Centre) revealed that ‘123456’ appeared 23.2 million times in its analysis of passwords from breached accounts.
‘password’ turned up 3.6 million times and ‘qwerty’ 3.8 million times.
With passwords this predictable, it’s no surprise that account takeover through simple guessing lies behind a steady stream of breaches.
We are our own worst enemies
The problem with these passwords isn’t just that they ignore expert advice on choosing a password. You should follow that advice, of course, but a password can tick every box on a complexity checklist and still be one an attacker will guess early.
Case in point: the 285,000 people who used the name of the pop punk act Blink-182 as their password.
Although “Blink-182” satisfies the usual complexity rules – at least eight characters, mixing letters, numbers and special characters – it’s generic enough that hundreds of thousands of other people chose exactly the same string. Complexity rules measure the shape of a password; attackers care about how often it appears.
When cyber criminals get hold of a database of passwords, they count how often each one appears and put the most common at the top of the guessing list they use against the next target.
This is why experts urge people to use long passphrases made of unrelated words (the NCSC’s own advice is three random words). That makes it far more likely that your password is unique to you and isn’t already on cyber criminals’ lists.
And since password-cracking rigs can test billions of guesses a second against a stolen database of hashes, anything that sits on a common-password list will fall almost immediately. Online guessing against a live login page is far slower and can be throttled, which is exactly what the controls below require, but you should assume the hash database will leak eventually and choose a password that survives that too.
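To make the attacker’s frequency analysis concrete, here is an added example (not code from the original article or from the NCSC) that ranks passwords in a constructed, entirely made-up ‘breach dump’ and then asks the defender-side question: would a candidate password be among the first guesses? Attackers compare passwords in a normalised form, so ‘Blink-182’, ‘blink182’ and ‘BLINK182’ count as one guess; the check below does the same. The dump contents, the function names and the top-N cut-off are all assumptions for illustration.

```python
from collections import Counter
import re

# Constructed sample "breach dump": one plaintext password per line.
# This is made-up data standing in for the credential databases attackers mine.
SAMPLE_DUMP = """\
123456
password
Blink-182
123456
qwerty
blink182
123456
BLINK182
password
CorrectHorseBatteryStaple
123456
xT9#vLq2!mWz
qwerty
"""


def normalise(password: str) -> str:
    """Canonical form used for matching: lowercase with separators removed,
    so that 'Blink-182', 'blink182' and 'BLINK 182!!' collapse to one entry.
    (Normalisation rule is an assumption; real tooling uses richer rule sets.)"""
    return re.sub(r"[^a-z0-9]", "", password.lower())


def rank_passwords(dump: str, top_n: int = 4) -> list[tuple[str, int]]:
    """Count normalised passwords in the dump and return the top_n most common,
    most frequent first (ties keep first-seen order, as Counter.most_common does)."""
    counts = Counter(normalise(line) for line in dump.splitlines() if line.strip())
    return counts.most_common(top_n)


def spray_list(dump: str, top_n: int = 4) -> list[str]:
    """The guessing list an attacker would try first: ranked passwords, counts dropped."""
    return [pw for pw, _ in rank_passwords(dump, top_n)]


def is_predictable(candidate: str, dump: str, top_n: int = 4) -> bool:
    """Defender-side check: would this password be in an attacker's first guesses?
    Matching is done on the normalised form, so 'complex' spellings of a common
    password are still flagged."""
    return normalise(candidate) in spray_list(dump, top_n)


if __name__ == "__main__":
    for password, count in rank_passwords(SAMPLE_DUMP):
        print(f"{count:>3}  {password}")
    for candidate in ("Blink-182", "BLINK 182!!", "xT9#vLq2!mWz"):
        print(candidate, "->", "predictable" if is_predictable(candidate, SAMPLE_DUMP) else "ok")
```

The point to take from the output is that ‘Blink-182’ is flagged even though it passes every complexity rule, while the much shorter-looking ‘xT9#vLq2!mWz’ is not: frequency in real-world data, not character classes, is what decides whether a password is guessed early.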
Stay safe with Cyber Essentials
The key to protecting your organisation from password hacks is to instil a strong cyber security culture in the office. It only takes one person practising poor habits for your whole network to be at risk, so it’s paramount that everybody understands their responsibilities.
Cyber Essentials is a great way of establishing that culture. It’s a UK government scheme that contains five controls capable of repelling about 80% of common Internet-based threats.
One of these controls, Secure Configuration, includes requirements on how to protect your organisation from password-related breaches. It states that organisations must:
- Protect against brute-force password guessing by locking accounts after a set number of failed attempts and/or limiting the number of guesses allowed in a given period (the scheme’s thresholds are no more than 10 failed attempts, or no more than 10 guesses within five minutes);
- Set a minimum password length of at least eight characters, and impose no maximum length, so that long passphrases are neither rejected nor silently truncated;
- Change passwords promptly when the user knows or suspects they have been compromised; and
- Have a password policy that informs users of best practices.
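The following is an added example of what the first two of those requirements look like in code. It is not the scheme’s own material or code from the original article: the ‘10 guesses in 5 minutes’ threshold is Cyber Essentials’ own figure, but the deny list, the sliding-window design, the per-IP counter and the spraying scenario are assumptions made here. The throttle is keyed on both the account name and the source address because a per-account lockout alone does little against spraying, where each account only ever sees one or two guesses.

```python
from collections import defaultdict, deque
from typing import Callable

# Cyber Essentials lets you either lock an account after no more than 10 failed
# attempts or allow no more than 10 guesses in any 5-minute window. This example
# implements the second option as a sliding window. Timestamps are passed in
# explicitly so the behaviour is deterministic and testable.
MAX_GUESSES = 10
WINDOW_SECONDS = 300
MIN_PASSWORD_LENGTH = 8

# Constructed deny list: the passwords the article names as most common.
# A real deployment would load a far larger list.
DENY_LIST = {"123456", "password", "qwerty", "blink-182"}


def check_policy(password: str) -> list[str]:
    """Return the policy violations for a candidate password (empty = accepted).
    Minimum length only; there is deliberately no maximum length check."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if password.lower() in DENY_LIST:
        problems.append("on the common-password deny list")
    return problems


class LoginThrottle:
    """Sliding-window failure counter keyed on any string (account name, source IP)."""

    def __init__(self, max_guesses: int = MAX_GUESSES, window: int = WINDOW_SECONDS):
        self.max_guesses = max_guesses
        self.window = window
        self._failures: dict[str, deque] = defaultdict(deque)

    def _recent(self, key: str, now: float) -> deque:
        # Drop failures that have aged out of the window, then return the rest.
        q = self._failures[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def is_throttled(self, key: str, now: float) -> bool:
        return len(self._recent(key, now)) >= self.max_guesses

    def record_failure(self, key: str, now: float) -> None:
        self._recent(key, now).append(now)

    def clear(self, key: str) -> None:
        self._failures.pop(key, None)


def attempt_login(throttle: LoginThrottle, username: str, password: str,
                  source_ip: str, now: float,
                  verify: Callable[[str, str], bool]) -> str:
    """Returns 'throttled', 'ok' or 'denied'. Failures count against both the
    account and the source address, so a spray from one address is stopped even
    though no single account exceeds the limit."""
    keys = (f"user:{username}", f"ip:{source_ip}")
    if any(throttle.is_throttled(k, now) for k in keys):
        return "throttled"        # refuse before even checking the password
    if verify(username, password):
        throttle.clear(f"user:{username}")
        return "ok"
    for k in keys:
        throttle.record_failure(k, now)
    return "denied"


def simulate_spray(n_accounts: int = 12) -> list[str]:
    """Constructed scenario: one attacker address tries 'password' once against
    each of n_accounts accounts, one second apart. Nobody uses that password."""
    throttle = LoginThrottle()
    verify = lambda user, pw: False
    return [attempt_login(throttle, f"user{i}", "password", "203.0.113.7", 1000 + i, verify)
            for i in range(n_accounts)]


if __name__ == "__main__":
    print(simulate_spray())
    print(check_policy("Blink-182"), check_policy("correct horse battery staple"))
```

In the spray scenario the first ten guesses are simply denied, but the eleventh and twelfth are refused outright because the source address has hit the window limit, even though every account has seen only one failure. The deny-list check complements the throttle: it removes the guesses a sprayer would try in the first place.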