

The current state of password security in 2021

Ravi Bindra, CISO

Password security has been a hot topic since the internet’s inception. Once upon a time, securing your accounts was as simple as not setting your password as “password.” But over the years, the definition of a secure password has had to rapidly evolve in order to keep pace with hackers and other malicious actors.

Unfortunately, it appears that users are losing the fight. Surveys have found that at least 60 percent of company-related passwords fail to meet minimum security requirements, such as not reusing passwords and not using dictionary words. This oversight can have catastrophic consequences: Verizon has found that 81 percent of breaches occur due to poor password security.

This is especially problematic given the stark increase in cloud adoption: more data is stored in the cloud, and logins are the first (and sometimes only) line of defense against hackers who want to use that data for nefarious purposes. Even if you have other security measures in place, a good password is a simple way to protect against the vast majority of cyber threats.

Let’s shed some light on the common attack methods used by cyber-criminals and a few helpful tips for creating a perfect password to strengthen your security.

Common methods used by hackers

1. Ransomware

Ransomware describes trojans that are placed on victims’ computers to block or encrypt data. Companies cannot access their datasets until they have paid a certain amount of ransom money. This dirty trick is particularly effective against companies that are highly dependent on their data. In many cases, the companies transfer the ransom in Bitcoin to an account abroad. The best way to prevent ransomware is to install software that thwarts the attack before it can take effect.


2. Phishing and Malware

Many internet users believe they’re clever enough to dodge a phishing attempt or spot malware before they download it. Unfortunately, breach after breach has proven this assumption to be false and potentially very damaging.

Malicious actors use an array of techniques to trick employees. Perhaps they place malicious code into a Word document that later executes as a keylogger, which would reveal the password by tracking employee keystrokes. Or, maybe an offer for a free gift card will be enough for an employee to log in using company details. Employees need regular training and testing to ensure they’re truly being vigilant when it comes to these attacks.

3. Previous Breaches

Chances are, if you’ve used the internet for more than just a short stint, your information has been compromised many times over. Even the most careful people often have their information stolen through no fault of their own – for instance, the Equifax breach in 2017 led to hackers gaining passwords, among other information, from more than 147 million people.

That stolen information doesn’t get tucked away and hidden. Rather, the information is put up for sale on darknet marketplaces, where your information (along with hundreds or thousands of other logins) can be purchased for just a few dollars. Once your information is listed there, you could be attacked from all fronts using logins associated with that breach.

4. Brute force attacks

A brute force attack is a frequently encountered, if somewhat crude, method used by cyber criminals. The attacker runs software that tries every possible character combination, either submitted directly to a login or tested against a stolen list of encrypted passwords, and simply keeps going until a guess matches. Some password cracking programs are even able to overcome basic security measures such as limits on how many incorrect passwords can be submitted. While brute force attacks are best at finding short, simple passwords, they can crack any password given enough time and patience. A smarter attacker will try one password against every account before moving on to the next password, so that no single account receives enough failed attempts to be locked out.
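The pattern in the last sentence above (one password against many accounts, so that no single account trips its lockout threshold, commonly called password spraying) is something a defender can look for in authentication logs: one source address producing failed logins for an unusually large number of distinct usernames in a short window. The following is an added example, not code from the original article. The log format, the sample lines, the ten-minute window and the four-account threshold are all assumptions constructed for the example.

```python
"""Flag sources that fail logins across many distinct accounts in a short window.

Added example, not from the original article. The log format and the sample
lines are constructed; the window and threshold are illustrative defaults.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "<ISO timestamp> <result> user=<name> src=<ip>"
# 203.0.113.7 fails once against each of five accounts (spraying shape).
# 198.51.100.4 fails five times against one account (classic brute force,
# already covered by a per-account lockout, so this rule ignores it).
SAMPLE_LOG = """\
2021-03-01T08:00:01 FAIL user=alice src=203.0.113.7
2021-03-01T08:00:02 FAIL user=bob src=203.0.113.7
2021-03-01T08:00:03 FAIL user=carol src=203.0.113.7
2021-03-01T08:00:04 FAIL user=dave src=203.0.113.7
2021-03-01T08:00:05 FAIL user=erin src=203.0.113.7
2021-03-01T08:00:06 OK user=frank src=203.0.113.7
2021-03-01T08:00:09 FAIL user=alice src=198.51.100.4
2021-03-01T08:00:10 FAIL user=alice src=198.51.100.4
2021-03-01T08:00:11 FAIL user=alice src=198.51.100.4
2021-03-01T08:00:12 FAIL user=alice src=198.51.100.4
2021-03-01T08:00:13 FAIL user=alice src=198.51.100.4
2021-03-01T09:30:00 FAIL user=grace src=192.0.2.9
"""


def parse_line(line):
    """Return (timestamp, result, user, src) for one constructed log line."""
    ts, result, user_field, src_field = line.split()
    return (datetime.fromisoformat(ts), result,
            user_field.split("=", 1)[1], src_field.split("=", 1)[1])


def find_spraying_sources(log_text, window=timedelta(minutes=10), min_users=4):
    """Return {src_ip: sorted distinct users} for every source whose failed
    logins cover at least `min_users` different accounts within `window`."""
    failures = defaultdict(list)  # src -> [(timestamp, user), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, result, user, src = parse_line(line)
        if result == "FAIL":
            failures[src].append((ts, user))

    flagged = {}
    for src, events in failures.items():
        events.sort()
        best = set()
        start = 0
        # Sliding window over this source's failures in time order; keep the
        # largest set of distinct accounts seen inside any single window.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            users = {user for _, user in events[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) >= min_users:
            flagged[src] = sorted(best)
    return flagged


if __name__ == "__main__":
    for src, users in find_spraying_sources(SAMPLE_LOG).items():
        print(f"possible password spraying from {src}: {len(users)} accounts {users}")
```

The rule deliberately counts distinct accounts rather than raw failures, which is what separates spraying from the per-account brute force that a lockout policy already handles.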

5. Dictionary method

The dictionary method is similar to a brute force attack but uses a slightly more clever methodology. Hackers often use programs that work through lists of common dictionary words combined with a predictable series of numbers. For example, the program may take a word like 'chestnut' and then append '12345' or '123456789'. This simple method has become a formidable way of cracking passwords without the hacker exerting much time or effort, as many employees choose easy-to-remember passwords built from real words.

Clearly, hackers have an ever-expanding list of ways to gain access to your account and all the sensitive data within it. To keep pace, read our tips for creating a perfect password.

Our tips for the perfect password

1. Variety is key

A secure password should on no account consist only of letters. You must also use numbers, special characters and capital letters to make a brute force attack significantly more difficult. However, make sure you don’t use any words from the dictionary, or close variants of those words. For example, the password 'armadillo' will only take 16 minutes to crack using an unthrottled, online brute force attack, while '@rm@dill0' will take about an hour – which makes both passwords far too simple for practical use.

Instead, use a mix of upper- and lowercase letters, numbers, symbols and non-dictionary words. This may mean using complex abbreviations, writing nonsense phrases, or using a random string of numbers, letters, and symbols.

2. Length matters

It’s easy: the longer the password, the harder it is to crack. Length can be decisive, especially against brute force attacks. If you use a seven-character password drawn from uppercase letters, lowercase letters and digits (62 possible characters), the number of possible combinations is 62^7 = 3,521,614,606,208 (over 3.5 trillion). Adding just one more character raises this to 62^8, roughly 218 trillion guesses in the worst case. This means that if your password is more than 10 characters long and also includes special characters, a simple brute force attack would take several years to complete.
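The two tips above rest on two quantities: the keyspace an exhaustive search must cover (alphabet size raised to the password length) and whether the password is really a dictionary word in disguise. The following is an added example, not code from the original article, that computes both for a candidate password and reports a worst-case brute-force estimate. The word list, the substitution table and the assumed rate of one million guesses per second are constructed for the example and are not the figures behind the article’s 16-minute and one-hour estimates.

```python
"""Estimate how a password fares against the brute-force and dictionary
attacks described in this article.

Added example, not from the original article. The word list, the
substitution table and the guess rate are constructed assumptions; real
cracking tools use word lists of millions of entries and far more rules.
"""
import math
import string

# Constructed word list standing in for a real dictionary file.
WORDLIST = {"armadillo", "chestnut", "password", "welcome", "summer"}

# Look-alike substitutions that turn a dictionary word into "leetspeak".
# Undoing them before the lookup is why '@rm@dill0' gains little over 'armadillo'.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

# Predictable suffixes of the kind the dictionary method appends to a word
# (longest first so the longest match wins).
SUFFIXES = ("123456789", "123456", "12345", "1234", "123", "2021", "1", "!")

# Assumed attacker speed for the worst-case estimate (an assumption).
ASSUMED_GUESSES_PER_SECOND = 1_000_000


def charset_size(pw):
    """Alphabet size a brute-force attacker must assume for `pw`."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def keyspace(pw):
    """Candidates an exhaustive search over `pw`'s alphabet and length covers."""
    return charset_size(pw) ** len(pw)


def dictionary_hit(pw):
    """Return the dictionary word `pw` is built from, or None.

    Tries the password as-is, then with each predictable suffix removed, and
    checks both the plain form and the de-leeted form of every candidate.
    """
    lowered = pw.lower()
    candidates = [lowered]
    for suffix in SUFFIXES:
        if lowered.endswith(suffix) and len(lowered) > len(suffix):
            candidates.append(lowered[:-len(suffix)])
    for cand in candidates:
        for form in (cand, cand.translate(LEET)):
            if form in WORDLIST:
                return form
    return None


def assess(pw):
    """Summarise the exposure of `pw` to both attack styles."""
    hit = dictionary_hit(pw)
    space = keyspace(pw)
    # A dictionary hit falls in the first few guesses regardless of keyspace;
    # otherwise report the worst-case exhaustive search at the assumed rate.
    seconds = 0 if hit else space / ASSUMED_GUESSES_PER_SECOND
    return {
        "length": len(pw),
        "charset": charset_size(pw),
        "keyspace": space,
        "entropy_bits": round(math.log2(space), 1) if space else 0.0,
        "dictionary_word": hit,
        "brute_force_years": round(seconds / (365 * 24 * 3600), 3),
    }


if __name__ == "__main__":
    for pw in ("armadillo", "@rm@dill0", "chestnut12345", "MNjJBaIwbo1J1900!"):
        print(f"{pw!r}: {assess(pw)}")
```

Running it shows the point of both tips at once: '@rm@dill0' has a larger keyspace than 'armadillo' on paper, yet the dictionary check still resolves it to the same word, while the 17-character mnemonic password from the article survives the dictionary check and has a keyspace that dwarfs both.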

3. Don’t reuse passwords

Imagine if you used the same key for your house, car, office, mailbox, and storage. Losing one key would give someone the power to take almost everything valuable from you. Despite this, 13 percent of users report using the same password on all online accounts, with 52 percent of all internet users admitting they use the same password across many (but not all) accounts.

If a malicious actor purchases a list of passwords, they won’t just try to access the breached accounts. They’ll try to access your PayPal, work accounts, emails, social media, or any other channel that has something of value on it. All of your passwords must be unique – or else one breach can compromise your entire approach to online security.

4. The easy way to create a password

This trick shows you how to create a complex password that only you can remember. Think of a sentence and place the first letters of each word in a row. So the sentence 'My Name is Joe Bloggs and I was born on 1 January 1900!' would produce the following password: 'MNjJBaIwbo1J1900!'. It’s long, contains numbers, special characters, caps and letters, and it’s definitely not found in any dictionary. Perfect!

The internet can also come to your assistance if you don’t want to think up your own password. There are plenty of password generators on the internet that use random strings to produce a password. But be careful! It’s very difficult to remember these combinations.
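As an added example that is not part of the original article, here are both approaches from this tip in Python: the sentence-initials mnemonic, and a random generator of the kind the password-generator sites provide. The sample sentence is constructed for the example; the generator relies on the standard library’s `secrets` module, which draws from the operating system’s cryptographic random source rather than the predictable `random` module.

```python
"""Two ways to produce a strong password: a sentence-initials mnemonic and a
random generator built on a cryptographic random source.

Added example, not from the original article. The sample sentence is constructed.
"""
import secrets
import string

FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def mnemonic_password(sentence):
    """Build a password from the first character of each word.

    Whole-number tokens (a day, a year) are kept intact and trailing
    punctuation is preserved, following the article's recipe in which
    '... on 1 January 1900!' contributes '1', 'J' and '1900!'.
    """
    parts = []
    for word in sentence.split():
        core = word.rstrip(string.punctuation)
        tail = word[len(core):]          # e.g. '!' at the end of the sentence
        if core.isdigit():
            parts.append(core + tail)    # keep numbers whole
        elif core:
            parts.append(core[0] + tail)
        else:
            parts.append(tail)           # a token that is pure punctuation
    return "".join(parts)


def random_password(length=16, alphabet=FULL_ALPHABET):
    """Random password of `length` characters from `alphabet`, guaranteed to
    contain at least one character from every class present in `alphabet`.

    `secrets.choice` is a CSPRNG; `random.choice` would be predictable.
    Rejection sampling keeps the guarantee without biasing any position.
    """
    classes = [cls for cls in (string.ascii_lowercase, string.ascii_uppercase,
                               string.digits, string.punctuation)
               if set(cls) & set(alphabet)]
    if length < len(classes):
        raise ValueError("length too short to cover every character class")
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(set(cls) & set(pw) for cls in classes):
            return pw


if __name__ == "__main__":
    # Constructed sample sentence (not the article's).
    print(mnemonic_password("Our office cat sleeps on 3 keyboards every Friday!"))
    print(random_password(16))
```

The mnemonic function preserves digits and punctuation exactly because those are what lift the result out of the letters-only class the first tip warns against; the generator enforces the same class coverage directly.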

5. Use a password manager

If you don’t think you’d remember that your password is 'MNjJBaIwbo1J1900!' even with the mnemonic device described above, a secure password manager can help. Today, there are many password managers available with a variety of security and encryption options. Instead of needing to remember 10, 20, or 30 unique, difficult passwords, you only need to remember the password for your password manager. Using these applications will ensure you don’t get locked out of your accounts and encourage the use of more unique, secure passwords.

6. Reset your password

The trickiest question among security managers: is it important to reset passwords regularly? And if so, at what intervals? At first glance it may appear sensible to change passwords regularly to ward off cyber-attacks. But experts take a nuanced view. Many users only make minor changes to their password, turning 'password1' into 'password2'. These patterns are easy to predict. What’s more, people tend to choose easy passwords if they know they will have to change them soon anyway.

To reset or not to reset? We recommend changing your password based upon how long it is. A 12-character password, for example, should be changed every six months, while an 8-character password should be changed quarterly. That’s also the general advice given by the Federal Office for Information Security (BSI). Most systems send an automatic reminder every 2 to 3 months to reset the password, and it is wise not to ignore it. You need to reset your password immediately after a portal you use has been hacked and data has been stolen. The most important aspect is to use a secure password. Password generators are handy tools in this regard.

7. Use two factor authentication

Two factor authentication (2FA) is quickly becoming the standard for password security, as it provides a solid line of protection even if your password is cracked. With two factor authentication, users verify their identity on two separate devices they own – for example, after entering the correct password on their laptop, they must confirm the login on their mobile phone. This protects against the vast majority of cyber attacks, as a hacker will rarely have access to both of your authorized devices.

Keep in mind that 2FA isn’t foolproof and a great password is still an effective first line of defense. For instance, determined and sophisticated hackers can use creative methods like SIM swapping to temporarily take control of a mobile phone number, allowing them to work around SMS-based 2FA. To protect your most sensitive information, avoid using SMS to authorize your account and instead use a dedicated authenticator app such as Google Authenticator.
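An authenticator app of the kind recommended above does not need a network connection at all: both the app and the server derive the same six-digit code from a shared secret and the current time, which is why a SIM swap gains an attacker nothing against it. The following is an added example, not code from the original article or from Google Authenticator, implementing that computation (HOTP as specified in RFC 4226, TOTP as specified in RFC 6238) together with the server-side check that tolerates a little clock skew. The shared secret used here is the RFC 6238 test key, chosen only so the codes can be checked against the published test vectors; a real enrolment generates a fresh random secret per user.

```python
"""How an authenticator app computes and a server verifies a time-based
one-time code (RFC 4226 HOTP / RFC 6238 TOTP).

Added example, not from the original article. The key below is the RFC 6238
test key and exists only so the output can be checked against the RFC's
published vectors; never reuse a fixed key in a real enrolment.
"""
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 test key (ASCII '12345678901234567890'), 20 bytes for SHA-1.
RFC6238_KEY = b"12345678901234567890"
# Authenticator apps receive the seed as base32 text inside the QR code.
RFC6238_KEY_B32 = base64.b32encode(RFC6238_KEY).decode()


def hotp(key, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then the
    'dynamic truncation' that picks 4 bytes at an offset given by the last nibble."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key, for_time=None, step=30, digits=6):
    """RFC 6238: HOTP whose counter is the number of `step`-second periods
    since the Unix epoch. Both sides only need roughly synchronised clocks."""
    if for_time is None:
        for_time = time.time()
    return hotp(key, int(for_time) // step, digits)


def verify_totp(key, submitted, for_time=None, step=30, window=1):
    """Server-side check: accept the code for the current period or up to
    `window` periods either side to absorb clock skew. Every comparison is
    constant-time so response timing leaks nothing about the correct code."""
    if for_time is None:
        for_time = time.time()
    counter = int(for_time) // step
    return any(hmac.compare_digest(hotp(key, counter + d), submitted)
               for d in range(-window, window + 1))


def key_from_base32(secret_b32):
    """Decode the base32 seed as shown to the user (spaces and missing '='
    padding tolerated, as most apps display it)."""
    compact = secret_b32.replace(" ", "").upper()
    return base64.b32decode(compact + "=" * (-len(compact) % 8))


if __name__ == "__main__":
    print("seed for the authenticator app:", RFC6238_KEY_B32)
    print("code at T=59 (RFC 6238 vector 94287082, last six digits):",
          totp(RFC6238_KEY, 59))
    print("code right now:", totp(key_from_base32(RFC6238_KEY_B32)))
```

The verification window is the trade-off a defender tunes: one step either side (90 seconds in total) covers ordinary clock drift, while a wider window gives a captured code a longer useful life.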

8. Use biometric authentication

It’s possible that a hacker will be able to gain access to your devices and thwart 2FA, but it’s a lot more difficult for a malicious actor to steal your face or fingerprint. Years ago, biometrics were prohibitively expensive, or extremely easy to work around – but with advances in technology, anyone can use high-quality biometrics at an affordable cost.

Biometrics can take on a variety of forms – such as tracking your keystroke dynamics, scanning your fingerprint or retina, recognizing your face, or analyzing a signature. However, keep in mind that biometrics shouldn’t be your only form of authentication. An employee with a recent eye injury might fail facial recognition because of an eyepatch, and an employee with damp hands might not be able to use a fingerprint scanner. For this reason, a well-crafted password will always be an important companion to biometric authentication.

9. Top secret!

Some may believe that this tip is blatantly obvious, but it is still the most important one: never give anyone your password. Not even a friend, colleague or spouse. Also refrain from keeping notes of your passwords. While they make it easier to remember the codes, the implications can be disastrous if they fall into the wrong hands.

Conclusion

100 percent protection does not exist. Every password can be cracked somehow; the only question is how long it takes. Using long combinations of letters, numbers and special characters is the first step toward effective protection of your data. That being said, security-savvy organizations should always try to stay several steps ahead of hackers.

Following these best practices will help you improve your organization’s security but won’t provide end-to-end protection. If you’d like to take your organization’s security to the next level, services like vulnerability assessments and penetration tests will outline your strengths and weaknesses before a hacker finds them. By using a mixture of different strategies to secure your data, you’ll be better protected against malicious actors.


Need help securing your data?

Our security and password experts are ready to help you with vulnerability assessments and penetration testing.


Author

Ravi Bindra, CISO

Ravi holds over 20 years’ experience as a cyber security evangelist, holding multiple leadership roles in the Swiss pharmaceutical industry, such as Global Head of Risk Management, Global Head of Architecture and Global Head of Security Operations.