Is A Password Protecting Your Employees? Part 1
You may remember a series of high profile hacks that some big companies fell victim to a while back. The most recent one was Ashley Madison, and you saw the resulting debacle and fallout after all that information was made public or fell into the hands of the wrong people.
Now you might be thinking that your business isn’t the sort of high profile, big business that hackers would normally want to hack. After all, hackers love the challenge, risks and rewards and only the top companies offer that, right?
That’s not wrong, but that’s not right either. Some hackers love the challenge and thus work to get into the big businesses. But others that are learning or “looking to gain work experience” will aim for smaller companies first. Work your way up, as they say.
Even if we’re not talking about hackers, there are still individuals out there (like your competitors) who would love to have your company data. In this day and age, along with the discovery of the dark side of the Internet, it’s not unheard of for competitors to search for “individuals” with the expertise to infiltrate company security and get your information.
But of course, we have ways to protect ourselves now. For almost everyone in the world, we have passwords. Passwords allow our devices and online accounts to be accessible to those who know them. In most cases, this is our first and last line of security.
In light of the high profile hacks and information leaks however, you have to wonder: is a password enough to stop people from accessing important and/or private information?
The good news is yes, yes it is! A password stops many people from trying to access your information. When most people see the password screen, they might try a few things but will ultimately give up.
The bad news, unfortunately, is no, it’s not. For any individual with the know-how or password-generation software, passwords are not as safe as they used to be, especially when you factor in our own habits.
But You Just Said It Was Safe!
For 99% of the people who try to access your information without the right password, they are honest individuals in need of a reminder. A password screen immediately reminds them that they are not supposed to get in, and they will stop.
Everyone else who continues to try either:
- Forgot the password but is going off of their memory
- Someone who is guessing randomly (and gives up after a few tries)
- Someone who knows the password, but due to other factors the password isn’t working
That’s the good news.
The problem is the 1% of people who are well aware they are accessing your information without knowing the password. They are:
- Going to guess your password off of your habits, information and previous passwords
- Going to generate your password by running every single possibility, one letter/digit at a time or all at once
- Have already obtained the password through password keylogging or some other solution
This is the bad news.
This Is Ridiculous, Passwords Aren’t That Easy To Guess!
That’s very true, otherwise passwords would be ineffective, right?
Yes and no. Passwords need to be easy to remember but hard for other people to know. So many people use the following as passwords:
- Their name (first, last, middle or any combination of the three)
- The name of their significant other
- Name of a family member
- Their birthday
- The word “password”
- A pet’s name
- Their address
- Favourite phrase
You might think this is ridiculous, but a good percentage of people will realise that their passwords fall into those categories.
What’s even worse is that you’re not the only one who knows this information. Other people, like your friends, know this too. So if your friend didn’t know your password but wanted to “guess”, they actually have a few decent possibilities and a significantly higher chance of success than if they tried randomly.
My Password Is In None Of Those Categories, It’s Safe!
That is fantastic!
Only, the list I wrote was just the fundamentals in password logic. For children, their passwords are going to fall under those categories. When we teach them IT, these are the examples we use and tell children to expand upon.
People are naturally lazy though, and you will think “As long as other people are kept out, why should I change?” This is why people never go past those categories.
When your password is unique and not something people would know about you, it’s an improvement, but not much better.
There’s only so much you can do to make your password unique through words. Thankfully websites got smart and decided to tell people that their passwords were low, medium or high strength and how to make them strong. Some websites also refuse to accept any password that is weak and insist they must be at least medium strength to be used.
So I Just Need A Strong Password and I’m Fully Protected!
To illustrate what password strength is, I’m going to use a random password “pie” (Note: this is made-up and not at all representative of any password).
“pie” is a weak password. It’s 3 letters, a single word (short), easy to type and a common word. By Internet standards as long as anyone knew your password was 3 letters, it would not offer a lot of security.
To make it more secure, we make it longer by adding “blueberry” to make it “blueberrypie”. It’s longer and not just a single word, but still easy to type and somewhat common. This would still be a weak password, but stronger than “pie”.
This is where the fun bit comes in.
If the password is “Blueberrypie”, it’s the same length, but now not a single word and considered harder to type (not everyone thinks to capitalise). It’s now an uncommon word. This is the minimum requirement for medium strength passwords. And all I did was capitalise the first letter.
Of course, some websites consider that weak, so you can strengthen that password by adding numbers and symbols. More examples would be “Blueberrypie8” or “Blueberrypie@”.
These passwords are longer AND harder to type, and now a “rarer” word (because words usually don’t have numbers or symbols).
If we put the two together, so “Blueberrypie8@”, this is the minimum requirement for strong passwords. Numbers and symbols together make a word extremely rare, and put together with two or more words makes it harder to guess.
Strong passwords are rarely used, which is why they are strong. Strong passwords usually put in lots of numbers and symbols to the point where even if people knew your password was “Blueberrypie”, you’re the only one who knows the combination and consistency.
Examples would be “B1u3b33ryp!3” or “Bl*ueB33ryP!e”. A really strong password may not even resemble that, leading to “b|U3B377y3.141!” which is confusing but hard to guess.
Now I don’t know about you, but most people do not have a password that’s really strong. At most, it’s just barely considered strong, and only on a few websites.
Before you decide to make a password too crazy, remember you still have to type it in and remember it. So if it’s too complicated, you not only ruin the point of a password, but now have to think of something you can actually remember.
But My Internet Browser Can Save Passwords For Me!
Another fantastic invention of the Internet. Because writing down complex passwords can be too time consuming and paper lists can be stolen (also you can dispute your own writing), browsers offer to have us save a password for a website. They often pair it with an account name so you don’t have to type everything in.
This is also exclusive to your own personal account on your own device, so this only saves passwords, say on your Firefox browser for your desktop computer at home. Firefox won’t have this information if you use Firefox on your friend’s laptop or smartphone, which is great because that’s good privacy.
It’s also great because if my password was “supercalafragalisticexpialadocius”, I’m not a fan of typing it repeatedly (plus a single mistake is hard to correct).
Despite password-saving being a great invention, it’s made us lazy and has exposed one big flaw.
There’s a good-to-fair chance that you’re using the same password for ALL websites and devices that need a password.
What’s Wrong With That?
Theoretically, nothing. If people are unable to get past a single defence, what’s the problem with using the same defence repeatedly? They can’t break it, why change it?
Going off of that however, the moment someone breaks through, ALL your defences become useless.
To put that in a real life perspective, if a stranger gained access to your normal home and your summer house (you may not have one but let’s pretend you do), you would already be extremely concerned for your safety.
Now imagine if a stranger had access to 30+ of your houses.
That’s essentially the risk you run by having the same password on every website and/or device.