The Risks of Weak Passwords and How to Avoid Them


SplashData recently released its list of the 25 worst passwords of 2013. For the first time since the company began compiling the list, “password” fell to second place with two-time runner-up “123456” taking the number one slot. Rounding out the top five were “12345678,” “qwerty” and “abc123.”

What’s troubling about this list is not just the weakness of these passwords but the fact that they are the most common on the Internet. While most people recognize the dangers posed by today’s cyber criminals, many users still engage in poor password practices.

Creating strong passwords and implementing strict password policies are a critical line of defense against today’s security threats. A good computer with the right algorithms can guess billions of passwords each second. Even passwords that use common substitutions — such as “l0gic@l” or “k33p0ut” — can be vulnerable to the increasingly sophisticated technology employed by hackers.

Here are six steps you can take to improve the effectiveness of your organization’s passwords:

  1. Make passwords long and complex. Instead of a password, think of it as a passphrase, using a mixture of letters, numbers and special characters. Use at least 12 characters and avoid using anything personal, such as birthdays or names.
  2. Change default passwords immediately. Many times, default usernames and passwords are so easy that hackers can guess them with little effort. Many of the passwords in SplashData’s list this year were default passwords from a recent hack of Adobe.
  3. Use a different username and password for every login. Hackers look for username-password combinations. If a hacker learns one combination that is used multiple times, or even a common password, the damage can quickly turn from minor to devastating.
  4. Limit access to administrator passwords. Administrator accounts wield enormous power. The best way to ensure that they are properly controlled is to limit the number of people across your organization who have access to these accounts.
  5. Require employees to use separate passwords for business and personal use. Hackers who gain access to personal email or other login information will attempt to use that information to access that person’s corporate accounts.
  6. Revoke credentials when an employee leaves. Deactivating a former employee’s account is only one step. You also need to determine whether or not this employee had access to shared passwords or password-protected systems, revoke those credentials, and change the appropriate passwords.
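The following is an added example, not code from the original post or from Atlantic-IT.net, showing how the length, character-mix, common-password and personal-information rules from step 1 (and the substitution caveat above) can be enforced in a password policy check. The common-password set and the leet-style substitution table are constructed for the example; a real deployment would load a much larger breached-password list.

```python
import string

# Constructed sample of common passwords. The first five are the ones named in the post;
# the rest are stand-ins for a breached-password list that a real deployment would load.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "abc123",
    "logical", "keepout", "letmein", "welcome1",
}

# Character substitutions that cracking tools undo trivially ("l0gic@l" -> "logical").
LEET_MAP = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
    "7": "t", "@": "a", "$": "s", "!": "i",
})

MIN_LENGTH = 12


def normalize(password: str) -> str:
    """Undo common substitutions and lowercase, so 'k33p0ut' compares as 'keepout'."""
    return password.translate(LEET_MAP).lower()


def check_password(password: str, personal_info=()) -> list[str]:
    """Return a list of policy violations; an empty list means the password is acceptable.

    personal_info is an iterable of strings the user should not reuse
    (names, birth years, usernames); tokens shorter than 4 characters are ignored.
    """
    problems = []

    if len(password) < MIN_LENGTH:
        problems.append(f"too short (minimum {MIN_LENGTH} characters)")

    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(c in string.punctuation for c in password)
    if not (has_letter and has_digit and has_special):
        problems.append("must mix letters, numbers and special characters")

    lowered = password.lower()
    normalized = normalize(password)
    if lowered in COMMON_PASSWORDS or normalized in COMMON_PASSWORDS:
        problems.append("matches a common password (with or without substitutions)")

    for token in personal_info:
        t = token.lower()
        if len(t) >= 4 and (t in lowered or t in normalized):
            problems.append(f"contains personal information ({token})")

    return problems


if __name__ == "__main__":
    for candidate in ["123456", "l0gic@l", "Smith1985!!!!!", "k33p0ut!Today2024"]:
        print(candidate, "->", check_password(candidate, personal_info=["Smith", "1985"]) or "OK")
```

The substitution check only catches exact matches after normalization; cracking rule sets also try appending digits, capitalizing the first letter and similar mutations, so a production check should run the same rules against the breached-password list rather than relying on exact lookup.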

It’s also important to monitor your systems for remote access attempts by former employees and other unauthorized individuals. Atlantic-IT.net’s outsourced IT services include comprehensive monitoring and management of critical systems. Our experts can help you detect suspicious activity and take appropriate action to prevent unauthorized access to your network.
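As an added example (not part of the original post and not Atlantic-IT.net's tooling), the monitoring described above can be approximated by scanning authentication logs for two things: any login attempt, successful or not, against an account that belongs to a departed employee, and bursts of failed logins from one source address. The log lines, the revoked-account list and the threshold are constructed for this example; the line format follows OpenSSH's syslog messages.

```python
import re
from collections import Counter

# Constructed sample auth log in OpenSSH syslog format (addresses from documentation ranges).
SAMPLE_LOG = """\
Jan 14 02:11:03 fileserver sshd[2101]: Accepted password for jdoe from 203.0.113.45 port 51022 ssh2
Jan 14 02:11:09 fileserver sshd[2102]: Failed password for admin from 198.51.100.7 port 40122 ssh2
Jan 14 02:11:10 fileserver sshd[2102]: Failed password for admin from 198.51.100.7 port 40123 ssh2
Jan 14 02:11:12 fileserver sshd[2102]: Failed password for invalid user root from 198.51.100.7 port 40124 ssh2
Jan 14 02:11:20 fileserver sshd[2103]: Failed password for asmith from 203.0.113.45 port 51030 ssh2
Jan 14 02:15:00 fileserver sshd[2104]: Accepted publickey for bwong from 192.0.2.10 port 60010 ssh2
"""

# Matches both "Failed password for alice from ..." and "... for invalid user bob from ...".
LOG_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Constructed: accounts of former employees whose credentials were revoked.
REVOKED_USERS = {"jdoe", "asmith"}
FAILURE_THRESHOLD = 3  # failed attempts from one address before we raise an alert


def parse_auth_log(text: str):
    """Yield one dict per recognised login event; unrelated lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m.groupdict()


def find_suspicious(text: str, revoked=REVOKED_USERS, threshold=FAILURE_THRESHOLD) -> list[dict]:
    """Return alerts for revoked-account activity (in log order) followed by failure bursts."""
    alerts = []
    failures = Counter()
    for event in parse_auth_log(text):
        if event["user"] in revoked:
            alerts.append({"kind": "revoked_user", **event})
        if event["result"] == "Failed":
            failures[event["src"]] += 1
    for src, count in failures.items():
        if count >= threshold:
            alerts.append({"kind": "failure_burst", "src": src, "count": count})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_LOG):
        print(alert)
```

A successful login on a revoked account is the most urgent of these alerts, since it means a credential was not actually disabled (or a shared password was not changed), which is exactly the gap step 6 warns about.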

A single cracked password can result in a data breach that will instantly damage your company’s reputation and credibility and cost you money and competitive advantage. Creating strong passwords, regularly changing these passwords, controlling access to your network and monitoring your systems are simple steps that can help you reduce that risk.