Password Perfection



Businesses go to great lengths to protect their information, but many still underestimate how weak passwords can leave them exposed to cybercrime. Is it time to reset?


It’s Friday afternoon, just before a three-day bank holiday weekend, and a member of staff gets a call from a concerned-sounding specialist from the company’s IT security provider, who says he’s noticed unusual activity on the account – someone is trying to log on to the firm’s server from Japan using the staff member’s ID. The employee panics and says they’ve never been to Japan. The ‘specialist’ reassures them that he can do a quick check to make sure there’s been no breach. “Let me know your password and I’ll do it now,” he says.

We’ve all read the advice about not sharing passwords, but when staff feel vulnerable, and the adviser sounds knowledgeable and trustworthy, many still fall for it, says Jacky Fox, Director of Cyber Risk at Deloitte in Dublin.

“As part of my job, I have to test systems by hacking them, legally and with permission,” says Fox. “The first thing I do is look at online presence – information about an individual that’s public and could give us clues to passwords. The second is to visit their office and look around – at the walls, under the keyboard – to see if they’ve written it down. People do that. And even if they’ve changed it since writing it down, they often choose a similar password so they won’t forget it. ‘JohnAutumn’ becomes ‘JohnWinter’, ‘Kate2016’ becomes ‘Kate2017’. People think it’s a clever trick, but everyone does it.”

Passwords that your team members use to log on with every day are an often overlooked but crucial part of your company’s defence against cyber attacks. Hackers use them all the time to get into private accounts. They might run programmes that enter username and password combinations on tens of thousands of websites until one hits, use tools to watch traffic on public wifi networks, or phish for details via emails and phone calls.

“People generally underestimate the value of what they have in their company. Cybercriminals don’t,” says Jens Christian Høy Monrad, a senior intelligence account analyst at international cyber-security firm FireEye. “They’ll evaluate the data they want to steal. If they can’t monetise it quickly – for example, using it to take money out of accounts – they can break the data into chunks and sell it on underground markets. If they stumble across employee credentials that can access global organisations, they can put it up for sale, doing the dirty work for others who might want to access confidential information.”

So what should you do right now, at work, to rethink and reset the way your staff members approach passwords?


1. Change all default passwords

Retaining default passwords is one of the most common mistakes employees can make. Make sure new passwords set by staff are strong. It sounds obvious, but as Jacky Fox observed, what’s considered strong and clever to an employee is a hacker’s open door to your data.

For a long time, the advice has been to change passwords frequently, but that causes people to fall back on ones that are easier to remember, and therefore easier to hack. Fox says the guidance now is that it’s wiser and safer to encourage staff to pick a good password (a different one for each site they use) and to stick to it. Your staff can check it’s secure and strong by using password strength meters and, crucially, making sure they listen to that meter when it warns the password is too weak.

The National Cyber Security Centre says staff should have unique passwords for each protected site they use, and to choose ones they find easy to remember (like three-word phrases) but that someone who knows them well couldn’t guess in 20 attempts (so no children, birthdates, favourite holidays, sports teams, pets’ names, for instance). And base the password on something that can’t easily be found online. A hacker who gets as far as being prompted for a simple password authentication question (where you went to school, or the name of your pet) can easily find the information by logging on to your Facebook or Instagram account.
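The checks described above can be automated at the point where a staff member sets a new password. The script below is an added illustration, not something from the article, Deloitte or the National Cyber Security Centre: it applies a minimum length, a small constructed denylist of common passwords (a real deployment would use a large breached-password list), a ban on years and on personal details the organisation already knows about the user, and, following Jacky Fox's observation, it refuses "trivial variants" of the previous password such as `Kate2016` becoming `Kate2017` or `JohnAutumn` becoming `JohnWinter`. All function names and the denylist are this example's own.

```python
import re

# Constructed, deliberately tiny denylist. Production systems should check
# candidates against a large list of passwords seen in real breaches instead.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein",
                    "welcome1", "admin"}

# Splits a password into a "stem" and a rotating suffix (a number or a season),
# so that Kate2016 / Kate2017 and JohnAutumn / JohnWinter share a stem.
ROTATING_SUFFIX = re.compile(r"^(.*?)(\d{1,4}|spring|summer|autumn|winter)?[!?.]*$",
                             re.IGNORECASE)


def split_rotating_suffix(password):
    m = ROTATING_SUFFIX.match(password)
    return m.group(1).lower(), (m.group(2) or "").lower()


def edit_distance(a, b):
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,         # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def is_trivial_variant(old, new):
    """True if `new` is the old password with only its number/season changed,
    or differs from it by at most two character edits."""
    old_stem, _ = split_rotating_suffix(old)
    new_stem, _ = split_rotating_suffix(new)
    if old_stem and old_stem == new_stem:
        return True
    return edit_distance(old.lower(), new.lower()) <= 2


def check_password(candidate, previous=None, personal_terms=()):
    """Returns a list of reasons the candidate is unacceptable; an empty list
    means it passed every check. `personal_terms` is what the organisation
    already knows about the user (pet, child, team, birth year as text)."""
    problems = []
    if len(candidate) < 12:
        problems.append("shorter than 12 characters")
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("appears in common-password list")
    if re.search(r"(19|20)\d{2}", candidate):
        problems.append("contains a year")
    lowered = candidate.lower()
    for term in personal_terms:
        if len(term) >= 3 and term.lower() in lowered:
            problems.append(f"contains personal detail '{term}'")
    if previous is not None and is_trivial_variant(previous, candidate):
        problems.append("trivial variant of the previous password")
    return problems


if __name__ == "__main__":
    print(check_password("Kate2017", previous="Kate2016"))
    print(check_password("quiet copper lantern", personal_terms=["Rex", "Dublin"]))
```

The three-word phrase passes cleanly, while the year-incremented password is rejected on three separate grounds. Storing the previous password only as a hash would defeat the variant check, so a system implementing this has to run it at the moment the user types both old and new passwords into the change form, and must never retain the old password in plain text afterwards.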




2. Make sure you have password protection

We’ve got used to using screen-lock passwords or PINs on our personal smartphones and tablets, but office equipment should have them, too. Make sure the equipment has an encryption product installed (most modern machines have it built in) and, crucially, that it’s turned on and configured.

Important accounts should have two-factor authentication (known as 2FA), which can add another layer of security. It means people can’t log on before they’ve ‘proved’ their identity – a password and one other method, like a code sent to their phone or a fingerprint.


3. Review staff access

Monrad says when FireEye carries out incident responses, it’s often with companies that have historically been generous with handing out admin privileges to every user within the organisation, even when it wasn’t necessary for them to have access. “Staff who don’t use sensitive data but have administrative privileges may be the ones who have an easier password to break,” he says.

“Criminals make their way into a company by compromising that person rather than scoping out someone who is looking after sensitive information and may have more security on their computer.”


4. Beware phishing

This is still the most common tool used by hackers. “Phishing commonly involves staff getting an email link to something authentic looking that asks them to change their password. They do it and go home, not realising that they’ve opened the door so their data can be grabbed,” says Jacky Fox.


5. Make staff aware

“I’d recommend three things: training, training and training,” says Fox. “And make it real. A one-hour talk and a PowerPoint presentation aren’t always enough. Staff need to understand the risks to the company, what hackers are looking for and why, and how vulnerable the information they hold (and therefore the business they work for) can be if passwords aren’t protected.

“In the cyber-security industry we have a long way to go to try to protect people from themselves, and a big part of that is education.”



Friday, 19 July 2019