Technology experts tell us the future is passwordless: we will log in with passkeys, biometrics, and other sources that attempt to identify we are who we claim to be.
For now, passwords are a part of life. A study by Statista found that Australian staff type in passwords 15 times each day, slightly more than the roughly 11 daily logins for people in the US, the UK, France, and Germany.
In many cases passwords are the lone defence between your account and cybercriminals, so it pays it get it right.
For businesses, passwords may be the only line of defence protecting critical email and finance accounts along with online platforms like websites and social media.
It might be fair to say that the most dangerous thing people regularly do online is reusing passwords. Research indicates anywhere north of 75 percent of people reuse their passwords usually in a bid to make life easier.
But this spells collateral damage. Cybercriminals will automatically, and at speed, test a password stolen from platform against others in a bid to gain more access. One stolen social media username and password is likely be used against other sites.
Every site and service therefore must have a new password, without exception. Begin by changing those reused (and default) passwords protecting your most sensitive accounts that hold financial, business, or personal information.
The easiest way to improve passwords is by using a password manager and never reusing the same password. But let’s look at some of the theory behind a strong password.
Most cybercriminals run automated password guessing attacks for common passwords. Accounts that are protected with the most popular combinations, like password123, or summer2024, are at especially high risk of compromise.
Randomised and long combinations are much more secure and are toughest to crack, so says the US Government standards body the National Institute of Standards and Technology (NIST)
Diving into the mathematics behind password-cracking (automated guessing) shows the power of long, randomised passwords. Doubling the length of a random six-character password makes it an eye-watering 62 trillion times longer to break (that’s more than nineteen sextillion four hundred eight quintillion possible combinations).
But remembering multiple 12-character passwords with random letters and numbers is extremely challenging. So how can you do it? One common tool people use to keep track of all their unique passwords is a password manager.
Password managers set, store, and recall long and randomised passwords for you making a once painful process all but set and forget.
They act like a bank vault keeping your passwords in a single place protected by strong security and a single password. Be sure to choose a widely-trusted password manager to ensure yours are kept safe.
A phrase as a password, known as a passphrase, is your best bet for the password you set for your password manager. These phrases are standard sentences with the capitalisations and spacing in the right places.
It must be unique both in that it cannot be a famous quote or expression, or reused anywhere else. Throw in a number or special character like !, *, or % somewhere that is easy to remember.
The best time to set up a password manager is now, but you will find things easiest if you do so when you buy a new phone or laptop or wipe an existing device. Activate your manager before you log into your apps and websites allowing the manager to capture those passwords as you enter them. Most managers will warn you if you have reused passwords and prompt you to change them.
Now, employees can save every password they’ll ever need in one system.
There are many types of password manager services available. Some are already built into many of the devices or applications you may use in your business today. For example, Google and Microsoft’s password managers are built into their devices and browsers.
Paid options also exist that work across all operating systems and devices. What you choose may depend upon the technology your business uses. If you use several different systems and applications, you may want to consider ease of use and integration across different systems.
If you only use a limited amount of technology from one supplier across email and web browsing, then free in-built options could help protect your business.
Password policies should be written down to set the standard for password strength and originality.
Password blocklists can be created that prevent staff from setting the most common combinations, like password123, or even those circulating in cybercrime forums.
Mandatory reset policies can also be set. While resets are common practice, the jury is still out on their effectiveness.
Pundits say it can help prevent password reuse affecting a business and neuter the risks of stolen passwords. Detractors say it does little to kick out cybercriminals who have already established alternative access to a network and encourages frustrated staff to weaken passwords they must manually enter by making them easier to remember.
Either way, ensuring that combinations are strong and never reused elsewhere should be the overarching goal of a good password policy.
Password education is now engaging and easy. Password breach notification services, like the Have I Been Pwned website run by an Australian security professional, allow people to enter their email address to see how many times their various passwords have been breached. Google operates a free and long-running phishing quiz.
Phishing drills which emulate some of the most common ways people are likely to have their passwords stolen help to train staff how to avoid becoming a victim. These drills must model the common scams most likely to be encountered.
They can be sent as emails that track the number of bad link clicks, or much more simply, as Google does, with an example phishing email sent out to staff.
Whichever you choose, never run phishing drills as a ‘gotcha’ exercise designed to trick staff and never punish or publicly name anyone who fails to spot the phish. Every one of us can fall victim to phishing.
It is a worthy exercise. Phishing attacks are often the gateway to breaches that can lead to the kinds of breaches that the National Cybersecurity Alliance says leads 60 percent of small businesses to close within six months of the disaster, and 72 percent to shut doors within two years.
There are also other security measures you use to help protect your business.
This security process asks employees to provide two or more verification factors to gain access to an account or application. It doesn’t just rely on a password. It adds other layers of security. This includes something like a smartphone or fingerprint.
Learn more about MFA and how it can help your business
Limiting the access people have to networks and important systems, known as least privilege, helps to constrain the potential damage from stolen staff passwords. Cybercriminals, at least initially, can only access the same systems and data as the victim employee. Ensuring staff can only access the minimum of what they need and cannot install whatever software they like helps constrain hackers.
Staff access must also be removed immediately after staff leave your company to both limit the impact from malicious ex-employees and the potential for those disused accounts to be compromised.
Choosing a password manager is a great first step but you must first understand your requirements.
Consider the different technology your business uses and what data you need to protect in order to get the most from your security investments.
The Five Knows Of Cyber Security [PDF, 91KB]
Involve your employees from the start. Show them how password managers and good password hygiene can keep them and their family safe, from personal banking and online shopping to gaming and social media, to forge a strong cyber culture in your business.
You can read more about password security via the The Australian Signals Directorate.
Insights and tips for small and medium businesses to boost productivity and empower teams.
Insights to help you review your cyber security strategy and help you protect your business and customers.
