Protecting business accounts with strong passwords is an important part of any company's security strategy. However, if you simply tell your team to avoid weak passwords like "123456" or "qwerty" because weak credentials can lead to data breaches, they will probably say "Okay" and then forget what you told them the next time they create a password.

One way to bring home the point that weak passwords are dangerous is to take an interactive approach when discussing the topic with your team. Toward that end, you can use an online tool like Pwned Passwords, which lets you check whether a password has shown up in a known breach. Its database contains more than 320 million unique passwords that have been exposed through real-life data breaches. Another tool you can use is Kaspersky Lab's password checker. Rather than rating a password's strength, it takes a more engaging approach by estimating how long it would take an attacker to crack the password with a brute-force password-cracking tool.
Preparing for the Talk
Before discussing passwords with your team, you need to make some preparations. For starters, compile a list of commonly used weak passwords. If you need inspiration, check out SplashData's top 25 "Worst Passwords of 2016". You also need to create a list of strong passwords.

Do not include in your lists any password currently being used in your business. You should never hand an unknown third party a password you currently use or plan to use, and that includes typing it into an online checker.

Finally, create guidelines that your team can follow when generating passwords. For instance, you might use the following:
- Make sure the password is at least eight characters long. Longer is better: every added character multiplies the work a brute-force attack has to do.
- Use uppercase and lowercase letters.
- Use numbers but not in a predictable pattern.
- Use special characters (e.g., percent sign, exclamation point, dollar sign) when possible.
- Make sure the password is unique and not a variation of a password used for another account.
- Do not use passwords that incorporate business or personal information (e.g., company's name, pet's name) as it is easy for cybercriminals to find this information on social networks like LinkedIn and Facebook.
- Do not use words found in a dictionary, proper nouns, or foreign words.
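The following script is an added example, not code from the original article or from either tool it mentions. It turns the guideline list above into a checker and adds a Kaspersky-style brute-force estimate. The word list, the business terms and the guess rate (10 billion guesses per second, a rough figure for a GPU rig attacking a fast, unsalted hash) are assumptions chosen for illustration; a real check would load a full dictionary and the SplashData list from disk.

```python
import re
import string

# Constructed stand-in for a real "worst passwords" / dictionary list; a real
# check would load SplashData's list or a full word list from disk.
COMMON_WORDS = {
    "123456", "password", "qwerty", "letmein", "welcome",
    "football", "dragon", "monkey", "iloveyou",
}

# ASSUMPTION: ~10 billion guesses per second, a rough figure for a multi-GPU
# rig attacking a fast, unsalted hash. Slow hashes (bcrypt, scrypt, Argon2)
# cut this by several orders of magnitude.
GUESSES_PER_SECOND = 1e10


def _predictable_digits(pw, run=3):
    """True if any run of `run` digits is ascending, descending or repeated
    (e.g. 123, 987, 111), which is what the 'predictable pattern' rule means."""
    for group in re.findall(r"\d+", pw):
        for i in range(len(group) - run + 1):
            chunk = [int(c) for c in group[i:i + run]]
            steps = {b - a for a, b in zip(chunk, chunk[1:])}
            if steps in ({1}, {-1}, {0}):
                return True
    return False


def check_guidelines(pw, business_terms=(), word_list=COMMON_WORDS):
    """Return the list of guideline violations for pw; an empty list means it
    passes every rule in the guideline list."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        problems.append("needs both uppercase and lowercase letters")
    if not any(c.isdigit() for c in pw):
        problems.append("contains no digits")
    elif _predictable_digits(pw):
        problems.append("digits form a predictable pattern")
    if not any(c in string.punctuation for c in pw):
        problems.append("contains no special characters")
    lowered = pw.lower()
    for term in business_terms:
        if term.lower() in lowered:
            problems.append(f"contains business/personal term '{term}'")
    for word in sorted(word_list):
        if word in lowered:
            problems.append(f"contains common password or dictionary word '{word}'")
    return problems


def charset_size(pw):
    """Size of the alphabet a brute-force tool would have to iterate over:
    the union of the standard character classes that appear in pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 ASCII symbols
    return size


def brute_force_seconds(pw, guesses_per_second=GUESSES_PER_SECOND):
    """Worst-case time to exhaust the keyspace charset ** length."""
    return charset_size(pw) ** len(pw) / guesses_per_second


def describe_seconds(seconds):
    """Human-readable duration for the talk."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.3g} seconds"


if __name__ == "__main__":
    for candidate in ("123456", "Password1!", "V7#kpL2q!mR9xZ"):
        print(candidate, check_guidelines(candidate, business_terms=("Acme",)),
              describe_seconds(brute_force_seconds(candidate)))
```

The estimate is deliberately naive: it assumes the attacker must try the whole keyspace and knows nothing about the password. Real cracking tools try dictionary words and common patterns first, which is why "Password1!" fails the checker despite its respectable-looking brute-force time.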
During the Talk
During the discussion, use the Pwned Passwords tool to demonstrate how often weak passwords show up in the exposed-password database compared with strong ones. Then use Kaspersky Lab's password checker to compare how long it would take an attacker to crack a weak password versus a strong one.

After you go through your lists, have the team come up with weak and strong passwords of their own to try in both tools. Remind them not to use any of their current passwords during this exercise, nor any password they intend to use later.

While the team is using the tools, bring up several points:
- Like business accounts, personal accounts are at risk if weak passwords are used. A good way to get your team's attention is to discuss the importance of using strong passwords for personal accounts. If people start using strong passwords at home, they are more likely to use strong credentials at work.
- Attackers count on being able to crack or guess weak passwords when targeting businesses. According to the "2017 Verizon Data Breach Investigations Report", weak or stolen passwords were involved in more than 80% of hacking-related breaches.
- It is dangerous to reuse a password across accounts, even a strong one. Cybercriminals know that password reuse is common, so they take passwords exposed in one breach and try them against other accounts, a technique known as credential stuffing.
An Important Caveat about the Pwned Passwords Tool
When you visit the Pwned Passwords page, you will notice that it also offers the breached-password data as downloadable files, so you can check current and potential passwords offline on your own computer. This is the only safe way to test a password you actually use, because the password never leaves your machine.

Two things catch people out. First, although the data is plain text, the files are far too large to open in a text editor (e.g., Notepad) or a spreadsheet program (e.g., Microsoft Excel); you need something that can stream through the file or load it into a database, such as a command-line search utility, a short script, or a database engine like Microsoft SQL Server. Second, each entry is the SHA-1 hash of a password rather than the password itself, which keeps the original values out of plain view (some people use personal information such as names or email addresses as passwords). To look a password up, you must therefore compute its SHA-1 hash and search for that hash in the file. Any scripting language and most database engines, SQL Server included, can compute SHA-1, so the download is useful well beyond SQL Server users.
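The following script is an added example, not code from the original article or from the Pwned Passwords project. It performs the offline lookup the caveat describes: hash the candidate with SHA-1, then stream through the downloaded file without loading it into memory. The sample lines are constructed here in the download's format; the counts are made up, although the first two hashes are the real SHA-1 values of "password" and "123456".

```python
import hashlib


def sha1_upper(password):
    """SHA-1 of the UTF-8 password as 40 uppercase hex characters, the form
    used in the Pwned Passwords downloads."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def breach_count(password, hash_lines):
    """Stream through lines of a Pwned Passwords file and return how many times
    the password appeared in breaches (0 if absent). Lines are either a bare
    hash (earliest release) or 'HASH:COUNT' (later releases); a bare hash is
    treated as one occurrence. Reading line by line keeps memory flat, which is
    what makes the multi-gigabyte file usable without a database."""
    target = sha1_upper(password)
    for raw in hash_lines:
        line = raw.strip()
        if not line:
            continue
        digest, _, count = line.partition(":")
        if digest.upper() == target:
            return int(count) if count else 1
    return 0


def check_file(password, path):
    """Convenience wrapper for a real download on disk."""
    with open(path, encoding="utf-8", errors="ignore") as fh:
        return breach_count(password, fh)


# Constructed sample in the download format (counts are made up; the first two
# hashes are the real SHA-1 digests of "password" and "123456").
SAMPLE_LINES = [
    "5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8:3000000",   # "password"
    "7C4A8D09CA3762AF61E59520943DC26494F8941B:20000000",  # "123456"
    sha1_upper("qwerty") + ":1500000",
    sha1_upper("letmein"),                                # bare-hash format
]

if __name__ == "__main__":
    for candidate in ("password", "letmein", "V7#kpL2q!mR9xZ"):
        n = breach_count(candidate, SAMPLE_LINES)
        print(f"{candidate!r}: {'seen ' + str(n) + ' times' if n else 'not found'}")
```

On a Unix shell the same check is a one-liner: pipe the candidate through `sha1sum` and `grep -i` the resulting hex string against the downloaded file. Either way, the candidate is hashed locally and nothing about it is sent to a third party.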