Cybersecurity advisors continue to identify that the use of strong passwords is one of the first lines of defence in protecting your employees from falling victim to a cyber attack.
Passwords that can be easily guessed, or that are reused across multiple systems, are the targets of brute-force attacks, which aim to gain access to your networks and compromise your business data.
Unfortunately, Australians are listed among the worst in the world for their password hygiene practices, with the 3rd Annual Global Password Security Report by LastPass finding that:
- 5% of Australians report not changing passwords in the past 12 months despite a breach in the news.
- 80% of data breaches are linked to passwords.
- The average number of passwords used per employee is 66.
Further to this, data from their recent Psychology of Passwords survey shows that:
- 90% of Australians know that using the same password on multiple accounts is a security risk, yet 69% continue to use the same password anyway.
- Only 18% create a complex, unique password for their work account, and for 36% there is no difference between work and personal passwords.
So, what can you do to ensure that your employees are creating strong passwords to protect your business?
Recommendations from the Australian Cyber Security Centre
To mitigate cybersecurity incidents caused by password breaches, the Australian Cyber Security Centre (ACSC) advises the following:
- Require all users to periodically reset passwords to reduce the ongoing risk of credential compromises.
- Consider increasing password length and complexity requirements to mitigate the risk of brute-force attacks being successful.
- Implement a lockout for multiple failed login attempts.
- If credentials have been compromised, reset passwords as soon as possible.
- Discourage users from reusing the same password across critical services such as banking and social media sites, or sharing passwords for a critical service with a non-critical service.
- Recommend the use of passphrases that are not based on simple dictionary words or a combination of personal information: this reduces the risk of password guessing and simple brute-forcing.
- Advise users to ensure new passwords do not follow a recognisable pattern: this reduces the risk of intelligent brute-forcing based on previously stolen credentials.
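The lockout recommendation above (a limit on failed login attempts) is easy to get subtly wrong: failures must expire, a successful login must clear the counter, and a locked account must stay locked for a fixed period. The following added example, which is not from the article or the ACSC, shows one way to implement it in Python with an injectable clock so it can be tested. The thresholds (5 failures in 15 minutes, 30-minute lockout) are constructed values for illustration, not figures from the article.

```python
import time
from collections import deque

# Constructed policy values for this example (not from the article)
MAX_FAILURES = 5            # failed attempts tolerated inside the window
WINDOW_SECONDS = 15 * 60    # failures older than this no longer count
LOCKOUT_SECONDS = 30 * 60   # how long an account stays locked


class LockoutTracker:
    """Tracks failed logins per account and enforces a temporary lockout."""

    def __init__(self, now=time.time):
        self._now = now             # injectable clock so behaviour is testable
        self._failures = {}         # account -> deque of failure timestamps
        self._locked_until = {}     # account -> time at which the lock expires

    def is_locked(self, account):
        """True while the account's lockout has not yet expired."""
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self._now() >= until:
            # Lock has expired: clear it and forget the old failure history
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def record_failure(self, account):
        """Record a failed attempt; returns True if the account is now locked."""
        if self.is_locked(account):
            return True             # already locked; do not extend the lock
        now = self._now()
        q = self._failures.setdefault(account, deque())
        q.append(now)
        # Drop failures that fall outside the sliding window
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()
        if len(q) >= MAX_FAILURES:
            self._locked_until[account] = now + LOCKOUT_SECONDS
            return True
        return False

    def record_success(self, account):
        """A correct password while locked is still refused; otherwise reset the counter."""
        if self.is_locked(account):
            return False
        self._failures.pop(account, None)
        return True


if __name__ == "__main__":
    tracker = LockoutTracker()
    for attempt in range(1, 7):
        locked = tracker.record_failure("demo-user")
        print(f"failure {attempt}: locked={locked}")
```

Note that a correct password presented while the account is locked is rejected without resetting anything, so an attacker cannot learn from the lock state whether a guess was right. Where the lockout must apply across several login servers, the per-account state would live in a shared store rather than in memory.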
The Basics of Creating a Secure Password
In previous articles, we have discussed the fundamentals of how to create a secure password. Let's touch on them again below.
1. The longer the better: at a minimum, your password or passphrase should be 8 characters; we recommend 12 or more.
2. Complexity: adding numbers and symbols greatly increases the strength of a password, as does mixing lower and upper case letters.
3. Avoid repetition: Try to avoid creating a complex password, then incrementing it by one character each time you’re asked to change it. And remember - it is essential not to use the same password across multiple devices and systems. This is where the use of a password manager program can come in handy.
4. Avoid obvious words/phrases: It concerns us that we still have to say it, but don't create passwords using obvious phrases like "Password1", "QWERTY", "asdfjkl" or "abc123". Dictionary-based brute-force attacks start with exactly these phrases.
5. Don’t write it down: Don’t record your password anywhere, especially not on a post-it note on your desk!
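The five basics above, together with the ACSC points on length, complexity, obvious phrases and recognisable patterns, can be turned into a policy check that runs when a user sets a new password. The following Python example is added here and is not code from the article, the ACSC or Diamond IT. It uses the article's 8-character minimum and 12-character recommendation, a small blocklist seeded with the article's example passwords (a real deployment would load a large breached-password list), and it detects the "increment the old password" habit from point 3 by comparing the new password with the previous one once case and any trailing digits or symbols are stripped. Waiving the mixed-character-class rule for passphrases of 16 or more characters is an assumption made for this example, not a rule stated in the article.

```python
import re
import string

# Thresholds from the article: minimum 8 characters, 12 or more recommended
MIN_LENGTH = 8
RECOMMENDED_LENGTH = 12
# Assumption for this example (not from the article): a passphrase at least this
# long is accepted without the mixed-character-class requirement
PASSPHRASE_LENGTH = 16

# Constructed blocklist seeded with the article's examples; a real deployment
# would load a large breached-password list instead
COMMON_PASSWORDS = {
    "password", "password1", "qwerty", "asdfjkl", "abc123",
    "letmein", "welcome", "admin",
}


def character_classes(pw):
    """Number of character classes present: lower, upper, digit, symbol."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])


def normalise(pw):
    """Lower-case and drop trailing digits/symbols, so 'Summer2024!' becomes 'summer'."""
    return re.sub(r"[^a-z]+$", "", pw.lower())


def is_variant_of(new, old):
    """True if new equals old or differs only in case or a trailing digit/symbol suffix."""
    a, b = normalise(new), normalise(old)
    if not a or not b:              # all-digit/symbol passwords: compare as typed
        return new.lower() == old.lower()
    return a == b


def check_password(pw, previous=None):
    """Return a list of policy findings; an empty list means the password passes."""
    findings = []
    if len(pw) < MIN_LENGTH:
        findings.append(f"too short ({len(pw)} chars; minimum {MIN_LENGTH})")
    elif len(pw) < RECOMMENDED_LENGTH:
        findings.append(f"below the recommended {RECOMMENDED_LENGTH} chars")
    if len(pw) < PASSPHRASE_LENGTH and character_classes(pw) < 3:
        findings.append("use at least three of: lower case, upper case, digits, symbols")
    if pw.lower() in COMMON_PASSWORDS or normalise(pw) in COMMON_PASSWORDS:
        findings.append("matches a common or blocklisted password")
    if previous is not None and is_variant_of(pw, previous):
        findings.append("same as, or a trivial variant of, the previous password")
    return findings


if __name__ == "__main__":
    # Constructed sample inputs; the second pair mimics the increment-on-change habit
    samples = [
        ("Password1", None),
        ("Summer2024!", "Summer2023!"),
        ("correct horse battery staple", None),
    ]
    for candidate, old in samples:
        result = check_password(candidate, previous=old)
        print(f"{candidate!r}: {result or 'OK'}")
```

The previous-password comparison only works if the old password (or a hash that supports comparison, such as the user's current verifier at change time) is available to the check; comparing against a stored history of full hashes only catches exact reuse, not the incremented variant the article warns about.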
Educate your employees on the importance
The ACSC also recommends prevention techniques such as clearly documenting cybersecurity policies and cybersecurity awareness training for all employees.
The purpose of cybersecurity awareness training is to educate staff about the cyber threats and attacks they may be subjected to each day, including the importance of good password hygiene.
Cybersecurity awareness training also ensures that you and your employees understand the part everyone must play in protecting your organisation's and your clients' data.
How can Diamond IT help?
If you want to educate your employees on how to create and maintain secure passwords, our staff education programs and policy and procedure reviews can help. Our Business Technology Consultants are specialists in improving your internal cybersecurity.
- Cybersecurity awareness training
- Cyber and Data Breach consulting and forensic analysis
- Disaster Recovery (DR) planning
If you need advice on how you can ensure your cybersecurity strategy is fit for purpose, our team of cybersecurity experts is ready to help. Contact our team on 1300 307 907 today.