Thou shall not pass! Cyber security experts advise businesses to rethink password protocol

For companies managing computer and other telecommunications systems, ransomware, malware that threatens to block or release a system’s data unless a ransom is paid, is a real concern.

“It’s a very large and growing problem,” said Mike Hawkins, president and CEO of Netizen Corp in South Whitehall Township. “It’s more pervasive than it’s ever been. Companies and local governments are getting hit every day.”

He noted that even the City of Allentown was the victim of a ransomware hack last year. But all companies, governmental bodies and organizations that have accessible systems should be worried.

Ransomware cost businesses an estimated $11.5 billion globally in 2019, according to Cybersecurity Ventures, a California-based cybersecurity researcher, with ransomware researcher, Coveware, saying the average ransom was nearly $42,000.

While the number one way hackers get ransomware into a system remains phishing, using emails that appear to be from a known party that illicitly collect data to aid in a hack, there is another easy way those hackers are getting in – weak passwords.

According to PreciseSecurity.com research, weak passwords are becoming one of the most common cybersecurity vulnerabilities, causing 30 percent of ransomware infections last year. Because of that threat, Don Douglas, senior cloud solutions architect at Weidenhammer in Wyomissing, said companies are beginning to take password protections more seriously.

“It’s an issue that has boiled back to the top,” Douglas said. “The attitude is different towards passwords from even two years ago.”

But, getting the right password balance can be tricky. Make a password too hard and a person can forget it and get locked out of their own computer. Make the password too simple so that it’s easy to remember can make it easy to hack.

The UK’s National Cyber Security Center issued a study last year that showed 23.2 million victims of ransomware, globally, had “123456” as their password. “Password1” is also a common default password that hackers will try, Douglas said. He also discourages using simple keyboard passwords like “querty” or “adsf.”

Children’s names, pet names, anniversary dates or birthdays also should be avoided, he said, because hackers can tap social media to get personal information that helps them guess at passwords.

Likewise, Hawkins cautions against shared passwords, whether you’re letting other people use your own personal password, or an entire department shares a password to get into a certain program. It gives hackers more points of entry.

He also said it’s bad for an individual to use the same password for multiple programs or devices, especially when going between work and personal use, a common problem in our bring-your-own-device culture.

“If you have a device that you use for work and personal use, hackers could potentially use that device to get into your work system,” he said.

Similarly, a company shouldn’t use the same password for different systems, such as, camera surveillance, HVAC and computers. “Then anything can be a gateway to other servers,” Hawkins said. “If someone gets in they have the keys to the kingdom.”

A better way

To make password protections more secure, Douglas said the simplest thing to do is to not rely on them entirely. Multi-factor authentication is the most popular way IT professionals are helping companies and individuals protect their computer and other systems.

“Ninety-nine percent of leaks can be avoided if multi-factor authentication is used,” Douglas said.

Using the system is relatively simple. A user memorizes a password, but when that is entered it triggers the system to send a code to the user through text or another device. That secondary bit of information is then needed to access the system.

“You enter the code just like a one-time password,” Douglas said. “It’s like having a new password every day, but you don’t have to remember it.”

It also adds a physical dimension to security. “They can have your password, but if they don’t have your phone they can’t use it,” he said.

For those who don’t have access to multi-factor authentication, both experts said the next best tip is to use pass phrases instead of passwords. A phrase, is easier to remember than a random word and can have more complex combinations that can’t be as easily cracked as a password.

For example “I_love_2_eat_tacos” has more characters is much more complex than “TacoGuy1” and should be just as easy to remember.

And if “TacoGuy1” is your password and you have to change it, DON’T make your new password “TacoGuy2,” it’s the first thing hackers would try if they had your old password, Douglas said.

“Oddly enough, however, the number one recommendation I have is ‘stop changing your passwords,’” Douglas said.

He said changing passwords too often can lead to people choosing poor passwords that are easier to crack, because they’re easier to remember.

People also tend to write them down then, which leaves them vulnerable to copying.

The first step to securing a company’s systems from a ransomware or other attack is to have a password policy to begin with, said Hawkins.

Make sure all staffers know what is expected from them with regard to keeping passwords secure, and more importantly enforce the policy.

Employees can be told what best practices are, but if everyone leaves their devices on a default Password1, a hack is likely on the horizon.