According to the National Cyber Security Center in the UK, British people have an average of 22 passwords. If you take that number as an indication for the rest of Europe and the world, that’s a lot of passwords! A password is probably the most common security measure used to protect information. Therefore, it is important that they are safe.
How are passwords hacked?
Passwords can be hacked in a number of ways, and some methods are more complex than others. You may remember the viral image shown below. The image is from the Hawaii Emergency Management Agency and shows a password written on a post-it note.
Now, “spying on post-it-notes” may not be the most common way for hackers to access passwords, but it shows how easy it can be. Here are some of the most common techniques hackers use to access passwords.
Shoulder Surfing – Sometimes something as easy as looking over a shoulder can be enough to find out someone’s password. Shoulder surfing is when someone looks over your shoulder when you type your password. However, shoulder surfing is more common for when stealing credit or debit card PIN numbers, for example when you enter your PIN to make a cash withdrawal at an ATM.
Brute force – Brute force can be described as a trial-and-error technique. Specialized automated programs guess the correct password by trying billions of different combinations of words, numbers and characters. The Brute Force program can be controlled by the hacker himself, who can control which words the program should especially focus on based on information available about you, such as date of birth, family members, favorite football team, pets etc.
Key logging – Key logging is a type of malware often spread through email, encouraging you to open suspicious attachments or click on strange links. Once the keylogger is installed on your computer, it will wait for you to start typing on your keyboard. It then logs everything you write and sends this information to hackers, who will then have access to your passwords and other sensitive information.
Social engineering – Social engineering is an attack where hackers use various techniques to try to manipulate users to reveal their passwords. A common social engineering technique is phishing, where emails appear to come from a trusted sender, such as banks or authorities, so that you will be willing to reveal passwords or bank details. Instead, a hacker is behind the message, and your information is put in danger.
Ways companies can improve password security
We have reviewed some of the techniques hackers use to access passwords. So the question now is, how can companies improve password security? The first thing to do is to write a password policy. A password policy outlines guidelines on password quality, how to manage passwords, what requirements are required for things like transfer and password storage. Do you need to comply with safety standards such as PCI DSS? Make sure your password policy follows the security standards you must comply with.
Blacklist the most common passwords – To avoid having employees use simple passwords, a tip is to blacklist common passwords like 123456 and Password1.
Use two-factor authentication – strengthen your passwords by using two-factor authentication. Two factor authentication is an additional requirement to see that you are you. The user will be prompted to enter more information after entering his password, such as a code sent via SMS. Two-factor authentication is a good additional security measure for, for example, remote access and administrator accounts.
Use technical solutions to help your employees – There are, for example, Password Managers that help users create secure passwords, and then keep these encrypted. Single-sign-on solutions can also be implemented to reduce the use of passwords.
Do not store passwords in plain text.
Educate your staff – The safest way to achieve success is to involve the entire organization, and this also applies to password security. Educate your staff about your password policy, encourage them not to use the same password privately at work, help them avoid using simple passwords and teach them the hackers’ tricks they use to steal user data.
Ensure you have other protective mechanisms in place – Password security is important, but as a company, you also have a responsibility to ensure that access to your business secrets is not dependent on the complexity of one individual’s password. Prioritize security on all levels and have other protective mechanisms in place to protect your sensitive information, such as secure servers, a firewall and an HSM.