Regularly, in the news today, there are stories about major companies being hacked, their customer data stolen and their customers left stranded, from big-box retailers like Target to credit bureaus like Equifax. Attackers commonly take the credentials stolen from one site and try them on others, because login details are so often reused between accounts. In some cases, access to bank accounts has been gained simply by using a compromised email account (typically by requesting a password reset that lands in that mailbox).
Businesses and individuals can face significant losses simply because a third party outside their control has been hacked or compromised.
The Danger Of Old Passwords
MySpace is a key example of why old and possibly forgotten services pose a security danger when their passwords haven't been changed. Once a thriving social network, MySpace saw its use decline sharply in the years after 2007. While many people moved to newer networks, their old accounts typically stayed behind, abandoned but still live on MySpace's servers; hundreds of millions of them remained there many years past the firm's peak.
In 2016, data from an earlier MySpace breach was published, exposing usernames, email addresses and password hashes for roughly 360 million accounts. The hashes were unsalted SHA-1, so most were cracked quickly, and the full set was soon circulating online for anyone to download. This is where the danger of old passwords comes into play, especially if you've been using the same password, or variants of it, for 10 years.
Password Reuse - Compounding the problem
Sticking with the MySpace breach, many of the leaked credentials were later used to access email accounts, servers, vendor websites and more. How? Because those services used the same or similar email address and password as the MySpace account. Many people use the same or similar combinations of email username and password across a multitude of sites and, more than old passwords themselves, this password reuse is the major concern.
Hackers routinely replay stolen credentials against many different sites to see whether the same "keys" open other locks; automated at scale, this is called credential stuffing. Even when the exact combination fails, a little tinkering, and sometimes some social engineering, will often yield the right one if the login is similar. For example, given firstname.lastname@example.org and Password, an attacker will also try Password1, passworD, pAsswOrd, P@ssw0rd and similar mutations until one works.
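To make the point concrete, here is an added example in Python (it is not part of the original article). It shows two sides of the same trick: cheap_guesses produces the kind of mutation list a credential-stuffing tool tries first, and is_trivial_variant is the check a password-change policy can run to reject a "new" password that is only a cosmetic mutation of an old or leaked one. The leet map and the suffix list are illustrative assumptions, not a complete rule set.

```python
import re

# Substitutions that both users and cracking tools treat as interchangeable.
# This map is an illustrative assumption, not a complete rule set.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(password: str) -> str:
    """Reduce a password to the letter 'core' an attacker would start from:
    lower-case it, drop digits/symbols bolted onto either end, undo leet."""
    core = password.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", core)
    return core.translate(LEET_MAP)


def is_trivial_variant(known: str, candidate: str) -> bool:
    """True when candidate is just a cosmetic mutation of a known password."""
    a, b = normalize(known), normalize(candidate)
    if not a or not b:                 # all-digit/symbol passwords: compare raw
        a, b = known.lower(), candidate.lower()
    if min(len(a), len(b)) < 4:        # too short for a meaningful substring test
        return a == b
    return a in b or b in a


def cheap_guesses(known: str) -> list:
    """A small sample of the mutations a credential-stuffing tool tries first
    (assumed list: case changes, a leet variant, and a few common suffixes)."""
    seeds = {known, known.lower(), known.upper(), known.capitalize(), known.swapcase(),
             known.lower().replace("a", "@").replace("o", "0").replace("s", "$")}
    guesses = set(seeds)
    for seed in seeds:
        for suffix in ("1", "123", "!", "1!", "2016"):
            guesses.add(seed + suffix)
    return sorted(guesses)


if __name__ == "__main__":
    leaked = "Password"
    print(f"{len(cheap_guesses(leaked))} cheap guesses from one leaked password")
    for pw in ("Password1", "passworD", "pAsswOrd", "P@ssw0rd2019!",
               "correct horse battery staple"):
        print(f"{pw!r:34} trivial variant of {leaked!r}: {is_trivial_variant(leaked, pw)}")
```

Every guess the attacker's list produces is rejected by the policy check, while a genuinely different password passes; the same check, run against the previous password at change time, is what stops a "rotation" from Password1 to Password2.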
Even if you have never had a MySpace or social media account personally, how many of your employees or coworkers have one or more? Many have had more social media, forum, or game accounts than they care to remember. Have their passwords been updated since 2016? 2013? 2010?
Your business network protects your systems, work and intellectual property. For many firms it's the single most critical component, the backbone of business operations. Keeping it secure, regardless of the number of people, staff or clients using it, is a crucial task.
Consider how many people currently have access and how many of those may reuse their password on another website or service. Just reusing your password once can expose you to the hacking of a third party entirely out of your control.
How Can I Tell if a Password is Stolen?
Unfortunately, there's no 100% sure-fire way to know whether a password has been stolen, but you can check whether it is known to have been breached. The Pwned Passwords service at haveibeenpwned.com lets you type in passwords you use and checks them against hundreds of millions of passwords recovered from known breaches; the site also lets you search by email address to see which breaches an account has appeared in. The password check is designed so that the password itself is never sent: it is hashed locally with SHA-1, only the first five characters of the hash go to the service, and every matching suffix comes back so the comparison happens on your side (the same "range" interface is available as a free API for scripting the check into a password-change process). If a password does show up, change it immediately on every account that uses it. If it doesn't, that's good, but keep in mind this only covers known lists: a password on a list that isn't public would still put you at risk, and a password that is merely absent from the lists is not necessarily a strong one.
Tips for Strong Passwords
With all of this in mind, here are some tips for creating a good, strong password policy for not only yourself but employees as well:
- Use unique passwords for every login.
This is rule number one here. This not only helps prevent old passwords from coming back to bite you, but in the event a breach does happen, you have far fewer accounts potentially exposed.
- Change passwords regularly, and immediately on any sign of compromise.
Set yourself a regular interval and plan on changing passwords like clockwork, and change a password at once whenever there is any sign of compromise: a breach notice, a password that shows up in a breach list, or an unexplained login. If you're using unique passwords for every account you can stretch the interval a little, but it should never be more than one year between changes. One caveat: a change is only useful if the new password is genuinely new. Rotating from Password1 to Password2 gains nothing against the variant-guessing described above, which is why current NIST guidance (SP 800-63B) favours unique, breach-screened passwords changed on evidence of compromise over frequent forced rotation.
- Use multiple character types, even on sites that don't require it.
Not all websites require numbers, symbols or capital letters, but that does not mean you shouldn't use them. The strength of a password is how hard it is to guess, and for a randomly chosen password that depends on its length and on the size of the alphabet it is drawn from; length counts for more, because every extra character multiplies the number of guesses, while extra character types only widen the alphabet. A random 16-character password of lower-case letters is far stronger than an 8-character one drawn from every class, and a long random password using all classes is stronger still. What never helps is predictable complexity: a capital first letter and a digit or "!" on the end are the first things a cracker tries.
Making Passwords Easier
Taking action on the tips above is easier said than done. After all, try remembering a few dozen lines of garbled letters and numbers among everything else you have to deal with during a day. Fortunately, this is where password managers come into play.
Password managers are a great tool: they not only keep your passwords "memorized" for you but can also remind you to change passwords, manage extra security measures like two-factor authentication, and even control which accounts employees are able to access and use. There is a wide variety of password managers available nowadays, but most work the same way: you remember one strong master password and the manager handles logins to your remaining accounts. This removes the need to remember everything and lets you use far stronger passwords than you might otherwise be inclined to use. It also makes that master password, and the second factor protecting the vault, the one credential you really must get right.
Speaking of stronger passwords, having trouble coming up with a good password for each account? Password managers can help there too. Most include a password generator that produces a completely random password to the parameters you specify (e.g. must contain numbers and symbols and be 20 characters long). This makes creating and changing passwords a breeze, as it takes all of the thinking out of it. It also eliminates one of the most common employee excuses for bad password practice: that they cannot think of a good combination.
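The following Python is an added example, not code from the article or from any particular password manager. It does what a manager's generator does, drawing a password of a chosen length from the requested character classes using the operating system's CSPRNG, and it puts numbers on the "length versus complexity" point made in the tips above by computing the entropy of a few password shapes. The symbol set is an assumption, chosen to avoid characters that some sites reject.

```python
import math
import secrets
import string

# Character classes the generator can be told to draw from.  The symbol set is
# an assumption chosen to avoid characters that some sites reject.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!#$%&*+-=?@^_~",
}

DEFAULT_CLASSES = ("lower", "upper", "digit", "symbol")


def meets_policy(password: str, require=DEFAULT_CLASSES) -> bool:
    """True when the password contains at least one character of every required class."""
    return all(any(ch in CLASSES[c] for ch in password) for c in require)


def alphabet_size(require=DEFAULT_CLASSES) -> int:
    """Number of distinct characters the generator picks from."""
    return sum(len(CLASSES[c]) for c in require)


def generate_password(length: int = 20, require=DEFAULT_CLASSES) -> str:
    """Uniformly random password over the union of the required classes, using
    the OS CSPRNG via `secrets` (never `random`).  Rejection sampling keeps the
    result uniform over all policy-compliant strings of that length."""
    if length < len(require):
        raise ValueError("length is too short to contain every required class")
    alphabet = "".join(CLASSES[c] for c in require)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(candidate, require):
            return candidate


def entropy_bits(length: int, alphabet: int) -> float:
    """Guessing difficulty of a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet)


if __name__ == "__main__":
    print("generated:", generate_password(20))
    print("generated (letters only):", generate_password(16, require=("lower", "upper")))
    # Why length beats 'complexity': compare a few random-password shapes.
    for label, length, size in (
        ("8 chars, all 95 printable ASCII", 8, 95),
        ("16 chars, lower-case only", 16, 26),
        ("20 chars, all four classes above", 20, alphabet_size()),
    ):
        print(f"{label:36} ~{entropy_bits(length, size):5.1f} bits")
```

The entropy figures only hold for passwords that really are chosen at random, which is the whole point of letting the generator pick: a human-chosen "complex" password is nowhere near the 52 bits its shape suggests, while the 16-letter random one is a genuine 75 bits.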
Using a good password manager will allow you to hit all of the checkboxes above in a neat and tidy way and we highly recommend using one. Not only for business but even personal use (although we do not recommend using the same account for both!).
Other Avenues of Password Management
If using a password manager doesn't sound like your thing, or if you already have a system for keeping track of your passwords, make sure it is flexible enough to handle the best practices outlined above. A few things your system should have:
- Make sure it's easy to update
- Make sure it can hold a separate, unique password for every account you have
- Make sure it keeps a password history, so you can tell whether a new password is really new
- Make sure it is easily secured (encrypted at rest and locked behind a strong credential, not a plain spreadsheet or a note on the desk)
There are a number of other tips as well however these are the most important ones and should serve as a foundation for any system you devise for keeping track of accounts and passwords.
Passwords are Only as Strong as Your Policies
Regardless of what you use to keep track of your passwords, and regardless of whether you're a one-person business or a thousand-person enterprise, password policy is something you should take very seriously. Attacks against companies of all sizes are common and still increasing, and they show no sign of slowing. A strong password policy is an important layer in securing yourself and your company against both direct attacks and the fallout of third-party breaches.
Still have questions about coming up with a good password policy or setting up a password manager?