Low Security Account Credentials
Although it should be common sense, employees need to avoid the use of passwords that are easy for hackers to guess. Among the top ten worst passwords according to Splashdata, are those that use a series of numbers in numerical order, such as <123456>. The names of popular sports such as and are also on the list as are quirky passwords such as and even the word itself.
Emphasis should also be placed on the importance of avoiding common usernames. In analysis conducted by the information security firm Rapid7, hackers most often prey upon these 10 usernames in particular:
How Attackers Exploit Weak Passwords to Obtain Access
While most websites don’t store actual username passwords, they do store a password hash for each username. A password hash is a form of encryption, but cybercriminals can sometimes use the password hash to reverse engineer the password. When passwords are weak, it’s easier to break the password hash.
Here is a list of common word mutations hackers use to identify passwords if they feel they already have a general idea of what the password might be:
• Capitalizing the first letter of a word
• Checking all combinations of upper/lowercase for words
• Inserting a number randomly in the word
• Placing numbers at the beginning and the end of words
• Putting the same pattern at both ends, such as <foobar>
• Replacing letters like <o> and <l> with numbers like <0> and <1>
• Punctuating the ends of words, such as adding an exclamation mark <!>
• Duplicating the first letter or all the letters in a word
• Combining two words together
• Adding punctuation or spaces between the words
• Inserting <@> in place of <a>
Educating end users on these tactics underscores the importance of creating long passwords (at least 12 characters) and applying multiple deviations, rather than something simple like just capitalizing the first letter.
Nine Tips to Strengthen Password Security
- Change passwords at least every three months for non-administrative users and 45-60 days for admin accounts.
- Use different passwords for each login
- Avoid generic accounts and shared
- Conduct audits periodically to identify weak/duplicate passwords and change as
- Pick challenging passwords that include a combination of letters (upper and lower case), numbers and special characters (e.g. <$>, <%> and <&>).
- Avoid personal information such as birth dates, pet names and
- Use passwords or passphrases of 12+
- Use a Password Manager such as LastPass where users need just one master
- Don’t use a browser’s auto-fill function for
An advanced and under-used password security tip to strongly consider is two-factor authentication, which is a way for websites to double confirm an end user’s identity. After the end user successfully logs in, they receive a text message with a passcode to then input in order to authenticate their ID.
This approach makes sure that end users not only know their passwords but also have access to their own phone. Two-factor authentication works well because cybercriminals rarely steal an end user’s password and phone at the same time. Leading banks and financial institutions enable two-factor authentication by default, but if not, the service can often be turned on by asking the website to do so. More and more non-financial websites and most popular social media sites now offer two-factor authentication as well.