Most data breaches are not the result of sophisticated hacking schemes. Instead, most cybercriminals take advantage of weak passwords that they’ve stolen or simply guessed. The good news is that you can protect yourself and your company by using secure passwords, following simple procedures to keep them secure over time, and adhering to basic online security rules.
This week Verizon released its annual data breach study, which revealed that “63 percent of confirmed data breaches involved leveraging weak/default/stolen passwords.” The report was based on more than 100,000 incidents, including analysis of 2,260 breaches in 82 countries, from 67 contributing organizations.
How do criminals get your password?
One way is by tricking you. Verizon found that almost one-third of phishing messages were opened — an increase of 10 percent over open rates in 2014. This type of malicious message is known as social engineering, a fancy term for an email or post on a social site like Facebook that convinces you to type in your password. Maybe you receive an alarming notice that appears to come from your bank: “We have detected unauthorized attempts to access your account. Please click here to reset your password.” Do it and the criminal has your login information.
Even the most secure password can’t protect your data if you voluntarily turn it over. Remember that your bank, a government institution or insurance company is unlikely to ever make this type of request. If you do receive such a message, do not click on any link or attachment. If you’re concerned, contact the so-called sender directly by phone or visit the official website.
Another way is by using a list of emails and either guessing passwords or running them through a computer program to gain access to online accounts. If your password is easily “guessable,” your data is at risk. Most people choose easy-to-remember passwords for their own convenience. The number one password for the past five years is 123456. In fact, using just the top 10 passwords, a hacker could, on average, guess 16 out of 1,000 passwords, according to security consultant Mark Burnett.
But even more sophisticated passwords can be surprisingly fast to crack with the right software tools. Web hosting company WP Engine conducted a fascinating study of passwords, including a sample from high-level positions at well-known companies. People who should know better choose weak passwords, such as a Google software engineer who used vm4951. How long did it take to break? Just three minutes. A Pinterest engineer’s wa11asey was broken in three hours. In contrast, a developer at GitHub (an open source coding site) chose ns8vfpobzmx098bf4coj, which would take “centuries” to crack, WP Engine found.
A secure password should not include any word found in a dictionary or any number associated with your personal information like a birthday. Make it random and make it long. The median length of a password is seven characters; it should be at least 12. While a strong password can be almost impossible to remember, you can write it down. And as you should know, always use a unique password for each of your accounts. That way if one is cracked, it can’t be used to open other accounts.
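The rules above (at least 12 characters, no dictionary word, no personal number such as a birthday, random rather than memorable) as a small policy check and generator. This is an added example, not code from the article or from the studies it cites; the word list, the digit-for-letter substitution table and the personal-number input are assumptions standing in for a real dictionary and a real user profile.

```python
import secrets
import string

MIN_LENGTH = 12  # the article's recommended minimum length

# Constructed stand-in for a real dictionary (assumption). "wallasey" is
# included so the article's wa11asey example is caught after normalization.
DICTIONARY = ("password", "wallasey", "welcome", "dragon", "monkey", "summer")

# Common digit/symbol-for-letter substitutions, undone before the lookup
# so that "wa11asey" is checked as "wallasey" (assumption: a typical table).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def _normalize(password: str) -> str:
    """Lower-case the password and undo simple letter substitutions."""
    return password.lower().translate(LEET)


def password_problems(password: str, personal_numbers=()) -> list:
    """Return the article's rule violations for a password; [] means it passes.

    personal_numbers: digit strings tied to the user (birthday, phone, ...),
    supplied by the caller because the checker cannot know them.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    normalized = _normalize(password)
    for word in DICTIONARY:
        if word in normalized:
            problems.append(f"contains dictionary word '{word}'")
    for number in personal_numbers:
        if number in password:
            problems.append(f"contains personal number '{number}'")
    return problems


def generate_password(length: int = 20) -> str:
    """Make a random password from the CSPRNG, to be written down, not memorized."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for pw in ("vm4951", "wa11asey", "ns8vfpobzmx098bf4coj", generate_password()):
        print(pw, password_problems(pw, personal_numbers=["1984"]) or "ok")
```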
To further increase your security, change your passwords on a regular basis, ideally at least every six months. Why? Because passwords are often stolen without your knowledge and stolen passwords often aren’t used immediately. They’re collected, sold on the black market, rebundled and resold, and left unused for some time. If you change it periodically you may change it before a thief has an opportunity to use it.