How to Avoid a Password Breach
As bad actors continue to target IT environments big and small, cybersecurity is no longer an additional concern but a priority. While some methods of cyber attackers are extremely advanced, many underestimate the impact of simply implementing good password practices.
Password security is oftentimes forgotten, leaving organizations open to attacks. Hackers hijack or crack passwords to steal identities, access sensitive data and infect your systems with ransomware or viruses. In fact, cracked or stolen passwords are to blame in 81% of hacking-related breaches.
data breaches attributed
to compromised credentials
due to poor password security
With more and more of our lives becoming digital, creating and protecting unique, quality passwords is becoming increasingly important — and increasingly avoided. Although they can feel like a nuisance, proper password practices are essential to maximizing your IT security posture. As dangerous and expensive cyber attacks continuing to fill news cycles, businesses need to ensure they are minimizing every possible vulnerability.
Types of Password Attacks
- Brute Force – An attack method in which the hacker tries various combinations of user names and passwords repeatedly until they are able to login. This can be done either manually or by using an automated software.
- Keylogging – A type of spyware that logs your keystrokes and where you type them. The information is then analyzed by a hacker to determine passwords and other data.
- Phishing – An email technique used to trick employees into providing sensitive information such as login credentials. (Read more about phishing by clicking here.)
Tips for Keeping Your Passwords Safe
Never Share Password with Anyone
Sharing of credentials goes against best practices for security—period. Passwords should be treated like a social security or credit card number. If that information is provided to someone other than you, you risk having fraudulent accounts created under your name or charges to your credit card. Your password to any account should be guarded in the same manner. If your password is compromised, the people that have your password can take on your identity online.
employees openly share passwords with co-workers,
including IT support and providers
Secure by default IT and Managed Services Providers (MSP), such as Centre Technologies, do not ask for end user passwords when assisting with an issue. If someone calls or emails asking for your credentials, you need to treat that as a phish and not provide the requested information.
It's safe to share my credentials if I receive a call from someone claiming to be with our IT provider. Right?
Hang up with that person and call your IT provider back with the phone number they provide for support and inform them of what happened.
Our IT provider needs me logged in to troubleshoot an issue, but I have meeting and need to step away… What should I do?
Coordinate to start the troubleshooting prior to the time you need to step away and enter your credentials for the person needing them to troubleshoot your issue.
Use Different Passwords for Accounts
It is best practice to use different passwords for all online accounts. It is easy to have one or two memorable passwords to use across various online accounts. But if your password is compromised, bad actors now have access to all your online accounts.
reuse the same passwords
across multiple accounts and services
Reusing passwords from your personal accounts to your business accounts is especially dangerous. Although every business is a possible target for a cyberattack, large consumer platforms and retailers, such as e-commerce sites or department stores, are at a much higher risk. When a personal account password becomes a work-related password, the vulnerabilities of those consumer sites and retailers now become vulnerabilities to your business. Moreover, the breach of a personal account puts not only your information in jeopardy, but the information of your employees, colleagues, and customers.
Enable Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA) Security
Two-Factor Authentication (2FA) adds another layer of password protection by making users go through an additional step before being able to log in. This provides another form of evidence that you are who you say you are, typically by entering a security code or pin that is sent to you via email, mobile text message or phone call. 2FA makes it harder for attackers to login to your account because they would also have to have access to your email account or another device to provide the code. And the security codes are usually only valid for a short amount of time and can only be used once. Multi-Factor Authentication (MFA) is best, as it requires two or more methods to verify the users identity.
Reset Password If Breach Is Suspected
There is a continuous influx of passwords being added and sold on the Dark Web, an unregulated part of the internet containing stolen data and information. Additionally due to the prevalence of password reuse, a single password found on the Dark Web can often be used to access and cause harm to various accounts.
To protect your accounts and information, monitor accounts for suspicious activity that may indicate a breach or leak. Specifically, be on the look out for:
- A notification from your account with an authentication code (MFA) when you have not logged in recently
Many accounts have incorporated multi-factor authentication (MFA), sending a confirmation code to another device after a log-in. If you receive this code without having logged in, it is a direct indicator that someone else, likely a bad actor, used your password to do so.
- A notification of atypical account access
Many online accounts can be configured to send a message when your account has been accessed by a device which is not flagged as a safe, known device. If you receive a message like this, check your account for any unwanted changes and reset your password.
- An inability to access to your accounts
If, when logging in, you know you have entered the correct credentials but continue to receive an error, it is possible that your password and account have been compromised. You will need to contact the organization to reset your credentials.
While these practices can help minimizes the chance of a password breach, they are not airtight. Using a secure MSP can help your business enjoy greater IT security without dedicating significant resources to continuous monitoring and response. Centre's managed IT service customers get a Dark Web report every month detailing email addresses and accounts that have been leaked to the Dark Web.
Additionally, Centre's IT security experts set up alerts for when an employee email address for a client has been involved in a recent breach. After confirming the correct email and password combination in the leak, Centre's team will notify the customer with a list of employees who have been compromised so they can change their password.
What should I do if I suspect a password has been compromised or believe it's been provided to another party?
Immediately change your password for all accounts currently using the same password.
Password awareness and protection is one of the first and least expensive steps to greater data and business protection. Although it requires a continuous commitment, a unique password which is kept private and monitored for exposure is crucial to preventing data theft. Moreover, prioritizing cybersecurity not only prevents business disruptions and unforeseen expenditures but also fosters greater trust between you, your fellow employees, and your customers.
Other Password Security Best Practices to Consider
Aside from having strong passwords and using multiple forms of verification, organizations can still be at risk. When employees resign or are terminated, it is best to deactivate their user accounts and disable any access they may have to the network (including wireless) right away. This will help safeguard your business against disgruntled employees who may have been let go and are looking for vengeance.
If you use an external IT Service Provider to support your business, another thing to consider is what their password policies are. Does the provider use the same administrator username and password for all of their clients? Does the administrator account password get changed when their technicians leave? Do they store any passwords pertaining to your business in a password management system or secure file?
Centre Technologies has multiple safeguards in place to protect passwords of local businesses with Managed IT Services. Multi-factor authentication, a password management system, and tight security policies ensure that your passwords are secure and help deflect cybercriminals from hacking your user accounts.
Be a thought leader and share: