We all know the importance of passwords and that they protect our accounts from cyber criminals, but how serious are you about protecting those passwords and following best practices to ensure bad actors do not gain access to your sensitive information? You have learned from your IT department that you should use complex passwords of at least 8 characters, including numbers and special symbols, but do we really understand why, and is that enough?
Let’s look at the chart below to visualize how long it takes a typical computer to brute force your password. Where does your password fall in this chart? Based on the typical corporate password policy of a minimum of 8 characters with upper case, lower case, and special symbols, you can see that it takes only 57 days to crack.
Cyber criminals let a computer program run in the background, and they may be doing this against many accounts at the same time. This is why your business has password policies that require you to change your password every 45 days.
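To make the chart’s numbers concrete, here is a small added calculator (not part of the original article) that works out the search space, entropy and worst-case exhaustive-search time for several password policies. The guess rate is an assumption, chosen so that the article’s 8-character, three-class policy lands near its 57-day figure; the symbol count and the 7,776-word passphrase list are constructed assumptions as well.

```python
import math

# Character-class sizes. The symbol count is a constructed assumption
# (the 32 printable ASCII punctuation characters); the others are fixed.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}
ALL_CLASSES = ["lower", "upper", "digit", "symbol"]

# Assumed guess rate, calibrated so the article's 8-character policy with
# upper, lower and symbols takes roughly 57 days to exhaust. Real attacker
# throughput depends on the hash algorithm and hardware.
ASSUMED_GUESSES_PER_SECOND = 500_000_000

def alphabet_size(classes):
    """Number of distinct characters available under a policy."""
    return sum(CLASS_SIZES[c] for c in classes)

def keyspace(length, classes):
    """Total candidates an exhaustive search must cover for this policy."""
    return alphabet_size(classes) ** length

def entropy_bits(length, classes):
    """Bits of entropy for a uniformly random password under this policy."""
    return length * math.log2(alphabet_size(classes))

def passphrase_keyspace(words, dictionary_size):
    """Candidates for a passphrase of `words` words drawn from a wordlist."""
    return dictionary_size ** words

def days_to_exhaust(space, guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Worst-case days to try every candidate at a fixed guess rate.
    On average the password is found after about half of them."""
    return space / guesses_per_second / 86_400

def compare_policies(guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Return {policy label: (entropy in bits, worst-case days)}."""
    policies = {
        "8 chars, lower+upper+symbol": keyspace(8, ["lower", "upper", "symbol"]),
        "8 chars, all four classes": keyspace(8, ALL_CLASSES),
        "12 chars, all four classes": keyspace(12, ALL_CLASSES),
        # Constructed assumption: words drawn from a 7,776-word list
        "4-word passphrase, 7776-word list": passphrase_keyspace(4, 7776),
        "6-word passphrase, 7776-word list": passphrase_keyspace(6, 7776),
    }
    return {label: (math.log2(space), days_to_exhaust(space, guesses_per_second))
            for label, space in policies.items()}

if __name__ == "__main__":
    for label, (bits, days) in compare_policies().items():
        print(f"{label:36s} {bits:6.1f} bits  {days:>14.4g} days")
```

Lengthening the password or switching to a multi-word passphrase grows the search space exponentially, which is why the later recommendations favour passphrases over short complex passwords.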
As computers continue to get faster and technology continues to innovate, you will see these times decrease. So how do you protect yourself as you move forward? Below you will find some very simple things you can do to prevent someone from stealing your password.
- Passphrases – Use a passphrase made of several words plus special symbols, chosen so that they do not form a meaningful phrase, instead of a single-word password.
- Reusing Passwords – Never use the same password for separate accounts and/or websites. If one password becomes compromised, other accounts will be at risk.
- Password Vault – Use a password vault such as LastPass or RoboForm so that you do not have to write down passwords or save them in an Excel file. An Excel password can be circumvented within minutes.
- Storing Passwords – It is risky to store passwords in a browser. This may sound convenient, but the vulnerabilities seen in most browsers put your credentials at risk.
- Change Passwords Regularly – Changing your passwords on a regular basis will keep your data safer.
- Enable Multi-Factor – Multi-Factor Authentication adds another layer of protection using a device or app you already carry. Some examples include YubiKey, RSA tokens, and Google Authenticator.
- Dark Web – Monitor the Dark Web regularly for any leaked credentials.
Corporate Domain Monitoring
Stolen user credentials (emails/passwords) found on the Dark Web can indicate that your company, a third-party application, or a website that your employees use may have been compromised and that you should take action. Cybercriminals traffic in and buy stolen credentials so they can infiltrate your networks and steal your data. By monitoring the Dark Web for stolen user data associated with your company’s domains, you can be alerted when a compromise is detected so that you can respond and stop a potentially costly and widespread data breach.
Executive Email Monitoring
Your executive and administrative users often have greater access to systems, information, and sensitive data. If their personal email credentials are compromised, the attacker may use social engineering to trick other employees into granting access, or reuse the same credentials to log in to corporate systems. Therefore, it is important to monitor the personal email addresses of these users in addition to their corporate email accounts.