Many people are still using the simple passwords they created in the early 2000s, when getting hacked wasn't such a huge concern for organizations and their employees. However, as we become even more connected as a society, the risk that threat actors pose keeps growing. For example, as quoted in our article on the role of remote access in cyberattacks, brute-force password guessing was a factor in 78% of all ransomware attacks.
A simple look at the most common passwords in 2021 should make any security expert's skin crawl. We have a problem when 123456 (and the "more secure" 123456789) are the only passwords used more often than qwerty. Nobody wants to (or even can) remember long random letter and number combinations. After all, it's much quicker to tap in the same old password for everything – and to be very clear, this is a practice you shouldn't be following under any circumstances!
The most common passwords haven’t changed much. Their ongoing prevalence makes it a cakewalk for hackers to break in. So what can your company and your employees do about it?
- Use a password manager.
- Use Multi-Factor Authentication everywhere.
- Don’t share passwords, no matter what.
- Check for previous hacks and delete your old accounts.
- Avoid public Wi-Fi.
1. Use a password manager
Passwords are a pretty vulnerable security measure, but they’re unavoidable in most cases. You can, however, take steps to minimize the risk they pose.
A good password manager eliminates the need to create and remember complex passwords. It will generate a random, unique password whenever one is needed and save it in an encrypted vault for you to use later. Ideally, every password should be a strong, "makes-no-sense-if-you-read-it" combination.
Not only does this make it harder to crack into your account by brute force, but if one account becomes compromised, your others are still safe.
Users only need to remember the password manager's own master password. Make sure it is a strong one that only you know. Some password manager apps can also use your smartphone's biometric sensors to unlock. Personally, I have found Bitwarden to be a great choice, but there are many great options that your organization can deploy.
2. Use Multi-Factor Authentication everywhere
Using a password alone is like locking the doors but leaving all your windows open. You may have closed the easiest route, but the intruder can still get inside with a bit of work.
Most accounts now offer multi-factor authentication (MFA). With MFA, once you have entered your password you receive a code or link via text or email, or you generate the code in a secure authenticator app (or approve the login there). You then need to enter that code to prove you are the account's legitimate owner.
From a remote access perspective, MFA is a crucial step in ensuring that safety is at the forefront of remote sessions and that the users connecting to different devices are who they say they are. With our flagship product, VNC Connect, you can enable MFA to protect your account and the machines you’re connecting to. You will also get an email when connecting to a new device for the first time, ensuring your business can maintain total control over device access.
While texting or emailing a code is the most common second factor used in MFA, it isn't the only option. Multi-factor authentication can combine multiple credentials that are unique to the user, such as:
- Something the user knows – a password or the answer to a pre-set question.
- Something the user carries to authenticate – a card or key fob.
- Something unique to the user – a fingerprint or facial recognition.
The benefit of adding a second layer of security is that the password is not enough to access an account. Even if an attacker has it, there is another obstacle to accessing the account. The benefits of MFA being part of your remote access strategy are immense.
And since we were mentioning password managers, make sure that you choose one that uses MFA – enable it and always use it!
3. Don’t share passwords, no matter what
While this might be obvious, many hacks happen because users tend to share passwords. And this has started occurring much more often since we all use streaming services. For example, more than a quarter of Netflix’s UK subscribers share their passwords. Since many users are likely to use the same passwords, many hacks are waiting to happen (let’s hope that at least they use MFA on their other accounts).
Additionally, if you can impose a password policy for your users, make it a complex one. Employees might not be pleased when having to change or remember passwords, but the long-term gains and extra security are second to none.
4. Check for previous hacks and delete your old accounts
Remember signing up for that random account ten years ago to enter a competition? Neither do we, but did you know that website got hacked in 2015? The more accounts your employees have, the more vulnerable your organization is to external risks – especially if you’ve used the same password everywhere.
You can check if your email address shows up in any data breaches at haveibeenpwned.com and sign up to get an alert when new breaches happen. A seasonal purge of old accounts will remove the burden of potential future attacks, leaving your company feeling more at ease.
5. Avoid public Wi-Fi
The internet has become so integrated with almost every aspect of our lives that in 2016 the UN declared internet access a basic human right. Public Wi-Fi is everywhere and a key player in compromising password security. On top of that, life beyond 2020 means flexible working is here to stay for many companies, indicating employees will have more freedom regarding where they work – from a coffee shop, a commuter train, or even an airport.
However, if you're concerned about your company's data security, you might want to advise employees not to connect every time a Wi-Fi notification pops up. When it comes to public Wi-Fi, there is no way of knowing who may be monitoring the session, from the URLs visited through to the keystrokes that users type.
The best way to browse risk-free is not to use public Wi-Fi, but sometimes it’s unavoidable when the 5G signal is non-existent.
Many reputable VPNs are available if public Wi-Fi is a must, even for smartphones. They will add an extra layer of security to keep data safe, especially for corporate devices.
Completely bulletproof security doesn’t exist. Taking all the steps available to protect data puts your organization in the next best position. If you are using a remote access solution, ensure it is secure and that it offers encryption on all connections, rich session permissions, and granular access control.
Cybercriminals will always look for new ways to weasel their way in, keeping us all on our security toes. It’s for us to make sure that they fail to succeed.
Updated for May 2022