Employees at Fortune 500 companies were found using passwords that could be hacked in less than a second, according to NordPass.
Relying on passwords for security has become increasingly problematic. Devising and remembering a complex password for every account and website is virtually impossible on your own. Yet using weak and simple passwords is a recipe for data breaches, account takeovers, and other forms of cyberattack. A report released Wednesday by password manager NordPass looks at the repercussions of weak passwords and suggests ways to improve your password hygiene.
SEE: Cybersecurity: Let's get tactical (free PDF) (TechRepublic)
For its report The misfortunate passwords of Fortune 500 companies, NordPass researchers analyzed data from public third-party breaches that affected Fortune 500 companies. The data included details from more than 15 million breaches across 17 different industries.
The researchers looked at the top 10 passwords used in each industry, the percentile of unique passwords, and the number of data breaches that hit each sector.
The word "password" is still being used and misused as the most common password across all industries, including retail and e-commerce, energy, technology, finances, and even IT and technology. Among other passwords in the top ten list, some common choices were "123456," "Hello123," and "sunshine."
Some 20% of the passwords uncovered were the exact name of the company or a slight variation of it, such as the company name followed by a number or year. The hospitality industry was saddled with the greater number of passwords that were the company name or a variation.
Employees in some industries turned to their own specific types of weak passwords. The word "snowman" was a popular password for the energy sector. The word "Profit" was a common one for the financial sector. And the word "myspace1" was a hot one for the media and advertising sector.
SEE: Extra security or extra risk? Pros and cons of password managers (TechRepublic)
Some of the weak passwords uncovered seem almost comical, but this trend has serious ramifications. Weak passwords are actually one of the leading vulnerabilities that lead to data breaches.
As one example mentioned by NordPass, a Florida water treatment plant that suffered a computer breach last month was not only running an unsupported version of Windows with no firewall but was using the same shared TeamViewer password among its employees.
In another example, the infamous SolarWinds hack may have been triggered in part by someone who used a password of "solarwinds123" to protect a secure server. Though company officials have denied that the weak password played a role, SolarWinds was reportedly warned of the poor password by a security expert but took two years to change it.
An IBM report cited by NordPass found the average global cost of a data breach to be $3.86 million. A data breach in the healthcare industry costs significantly more at around $7.13 million. Further, data breaches in the United States are among the most costly in the world, averaging $8.64 million.
To help organizations and individuals adopt better password habits, NordPass offers the following guidelines:
Use complex passwords and update them regularly. Security experts agree that a strong password contains at least 12 characters, uppercase and lowercase letters, numbers, and special symbols. To create a complex, strong password quickly and easily, try using a password generator, which can be found in most password managers. But due to frequent data breaches that often expose passwords, avoid reusing your passwords across different sites and accounts and update them regularly.
Use a password manager. Juggling a different complex password for every account is unworkable without some help. Consider adopting a password manager within your company. Such a tool provides a secure way to store, share, and manage passwords in a single place. Many vendors offer business versions with additional security features for enterprise customers. Beyond NordPass's own product, other password managers include LastPass, Dashlane, Bitwarden, 1Password, and RoboForm.
Use multi-factor authentication or a single sign-on. Multi-factor authentication requires you to provide two or more verification factors to access an online account or application. The main benefit of MFA is that it enhances your organization's security by asking users to identify themselves by more than a username and password. Another idea is to leverage single sign-on and password synchronization. With single sign-on, employees are less likely to revert to bad password practices, such as creating common passwords or writing them down.
Educate your employees. IT and security professionals need to make their fellow employees aware of the importance of password strength. Explain to them why mixing their work and personal accounts could be dangerous. Avoiding poor password habits ensures that an employee's personal identity is protected and that company data is safeguarded in the event of a breach. You may also need to look into establishing company-wide password policies.
- How to become a cybersecurity pro: A cheat sheet (TechRepublic)
- Social engineering: A cheat sheet for business professionals (free PDF) (TechRepublic)
- Shadow IT policy (TechRepublic Premium)
- Online security 101: Tips for protecting your privacy from hackers and spies (ZDNet)
- All the VPN terms you need to know (CNET)
- Cybersecurity and cyberwar: More must-read coverage (TechRepublic on Flipboard)