A new study by a security specialist, NordPass, suggests that human resources folks are one of the worst culprits for weak passwords. While secure passwords are important across the board for folks at all levels of your company, the news that HR is totally predictable with their password protection is a dream for hackers and a total nightmare for you! In a study conducted by IBM, the computer company estimated the average cost of a data breach as $3.86 billion in 2020. The company took an average of 280 days to identify and contain the breach. In terms of time and money, IBM notes that a data breach can “potentially damage [your] reputation for years to come, leading to lost business and a competitive disadvantage.”
Based on the data, NordPass published a ranking of the most popular passwords for 2020. In order of popularity, the lucky winners are: 123456, 123456789, picture1, and…wait for it…password, which was the leading password choice for HR professionals for the year. Moreover, the report notes that 20 percent of the passwords were the company’s exact name or a variation (such as adding an exclamation point at the end). In an article published in Q4I Intelligence examining the issue with passwords, the authors noted that “people are becoming increasingly frustrated by the ridiculous number of passwords and PIN codes necessary just to navigate everyday life.” Discussing the impetus for the obvious passwords, the authors suggested that in some cases, folks made a simple password with the intent of going back to change it later, while others may be using the same password across platforms and systems or sharing passwords with family, friends, or coworkers.
However, Chad Hammond, a security expert at NordPass, counters that “Businesses and their employees have a duty to protect their customers’ data. A weak password of one employee could potentially jeopardize the whole company if an attacker used the breached password to gain access to sensitive data.” As such, he recommends that employees and HR folks adhere to the following steps to up their security game.
Keep it complex
Sure, a complex password that includes all the usual suspects (an upper case, a lower case, a number, and a symbol) is tough to remember, but such passwords are infinitely more difficult to crack. The easy ones mentioned above took hackers less than a minute to figure out, but if you truly pick a unique word, you’ll pretty much stop hackers in their tracks.
Long for the long
When hacking your system, the bad guys use software that tries different combinations of words, letters, or numbers until it finds a match. A password with just four letters would be far easier to crack simply because there are fewer combinations than a password with six or even eight letters.
Don’t recycle
Normally we’re all in for recycling, but when it comes to passwords, it’s best to throw out the old in favor of the new! You see, if you use the same password over and over you are potentially opening yourself up to being hacked not just on the one application, but across the board.
Set up a solution
That said, having quirky passwords to remember for just about every application you use on a daily basis can take up way too much brain space or have you constantly doing the “forget username, forget password” reauthentication process. Password management programs offer a secure way to store, access, and manage passwords, all in one spot.
Make it multi-factor
To further protect their systems, many companies are switching to multi-factor authentication (MFA), which requires multiple pieces of information from an employee in order to move forward with the sign on. For example, allowing users to input a username and password to access their email, but also texting them a PIN code to enter, before they can truly gain access.
Or stick to single
Where MFA requires multiple steps to access an application, single sign-on allows employees to enter a single username and password to access an entire suite of systems or applications. In doing this, employees will be more inclined to pick a more complex password, simply because they only must remember one, versus a dozen.
Don’t take it personally
Let your employees know that accessing their private accounts, such as social media or even online shopping, on company computers can open the company up to significant breaches. In addition, by not mixing their personal with the professional, they can ensure that their own personal data is not breached should there be a loophole in the company system.
Urge the update
Sometimes, a hacker will access your account, have a snoop around, and make incremental changes such as only pulling a few dollars out of the account to see if anyone notices. It is not until someone does something egregious, such as steal hundreds, that you may notice. However, if you update passwords regularly, you can thwart such attacks by kicking them out before they have a chance to wreak havoc.
