Mobile nav
Ready to Boost your Company's Cybersecurity?
Protect, defend, and recover your company data on all devices with Norton Security Online.
BACK
Comic of man forgetting password
| - Small Business - Cloud - Apps - Business Owners - All - Cyber Security - |
 Mike Connell
 
As cyber awareness grows, and small to medium-sized businesses alike acknowledge the risks and implications tied to their cybersecurity efforts, it may be surprising (or not) to learn that 80% of cyber breaches are still tied to password security.

That’s a number that, according to Verizon’s Data Breach Investigations Report, actually originated in 2017 but persists to this day.

Passwords: The one thing standing between your business and a breach

Overall, no, passwords aren’t really the only thing standing in the way of a security breach, however passwords are one of the biggest breach points.

According to the Data Breach Investigations Report, most breaches (due to hacking) are attributed to compromised and weak password credentials. Interestingly, the report goes on to say that 29% of all breaches (regardless of attack type), were tied to stolen credentials.

In other words: We can (and should) all work towards better password practices.

Don’t Leave your Life Unlocked…

Whether we are talking about your business, or your personal life, NortonLifeLock (As of November 2019, Symantec became NortonLifeLock, focusing on security products for consumers and small businesses) provides the following analogy:

Passwords are the digital keys to our networks of friends, our work colleagues, and even our banking and payment services. We want to keep our passwords private to protect our personal lives, and that includes our financial information… ("How to Choose a Secure Password

Similarly, the Data Breach Investigations Report uses a like-minded comparison:

We don’t like saying it any more than you like hearing it, but static credentials are the keys. Password managers and two-factor authentica­tion are the spool pins in the lock. Don’t forget to audit where all your doors are. It doesn’t help to put XO-9s on most of your entrances if you’ve got one in the back rocking a screen door. (2019 Data Breach Investigations Report)

Editorial aside: If you don’t know what an XO-9 is (we didn’t either), give it a Google. It’s a high security, electromechanical lock.

The Math Behind Passwords

So, how does it work? Why is it so easy for hackers/cybercriminals/whomever to crack our passwords?

First, remember that as we revel in the accessibility of so many online services that, ultimately, we should be careful what we wish for. As consumers and as small business operators alike, we want access to, well, everything online. E-commerce. Banking. Communication. We wanted it. We got it. As a result, our information is out there.

Sure, as hackers become more proficient and businesses try to keep up, password requirements have evolved.

Who hasn’t been stumped trying to generate a new password that has all the right requirements, whether in your work environment, or a standard online service? We are told to change our passwords regularly, to not use duplicates across multiple services, to use a minimum of 8 numbers and letters, special characters, etc.

How does this help?

Well, there’s some math involved—feel free to refer to “The Mathematics of (Hacking) Passwords”—but, suffice to say, the longer the password, the better. For now.

Moore’s law (which says that the computer-processing power available at a certain price doubles roughly every two years) explains why a relatively weak password will not suffice for long-term use: over time computers using brute force can find passwords faster. ("The Mathematics of (Hacking) Passwords”)

So, you should pick a longer one, right?

For a truly strong password as defined by ANSSI [the French National Cybersecurity Agency], you would need, say, a sequence of 16 characters, each taken from a set of 200 characters. ("The Mathematics of (Hacking) Passwords”)

Here’s a quick round up of what that means in regular parlance:

How long does it take to crack a password?



Unfortunately, while making the password longer helps, it also makes it nearly impossible to memorize.

As a result, it is also recommended that we incorporate other factors into our password choices, such as unique characters and other unpredictable factors (acronyms, random sentences, etc.).

How do Hackers Hack?

This video isn’t new, but it provides a good (quick) overview of how hackers can crack your password. Sure, there are phishing scams, password spraying, and keylogging, but the low-hanging fruit for most hackers is the information that’s already out there on your social channels.


Password Protection Best Practices

Ultimately, it is widely accepted and understood that consumers and small businesses alike need to incorporate a strong password-creation and management practice in order to safeguard our information. That’s no mystery. The question is, how?

There are a number of Dos and Don’ts outlined by NortonLifeLock—"How To Choose a Secure Password”—but their most notable best practice is two-factor authentication (2FA):

Do use Two-Factor Authentication (2FA) whenever possible. 2FA adds another layer of security to any account you may be logging into. When using 2FA, you can choose two of three types of identification to provide:

  • A password or pin number.
  • A tangible item such as the last 4 digits of a credit card in your possession or a mobile device that a code can be sent to.
  • A part of you such as a fingerprint or voiceprint.

Secure Passwords: The Lesson

All this said, it’s one thing to incorporate more stringent password practices, but putting those practices into, well, practice, are another. Ultimately, there are tools and resources for that.

The NortonLifeLock Password Manager provides a solid overview regarding the hows and whys behind using a password manager, and even provides insight into how to pick the best password manager software.

The more we’re online, and the more hackers evolve, the more risk there is, so there isn’t one static solution. As threats grow and advance, so too will our protective measures, and increasingly individuals and small businesses will be incorporating biometric security and the like, ultimately phasing out traditional passwords altogether.

For more on the potential future of passwords, you can read “Dear passwords: Forget you. Here's what is going to protect us instead.”

Other interesting reads:
It’s Time To Plan For A Future Beyond Passwords
Passwords are still a problem…
This is the future of authentication, according to security experts