Cyber criminals are always on the hunt for more passwords that give them access to financial accounts, while employees remain lax about changing theirs to more complicated ones.
The latest attack affected millions of email accounts such as Google, Yahoo and Microsoft. Consumers and employees continue to favor reusing their passwords and their combinations, making it easy for hackers to decipher and sell them on the black market known as the "dark web." Even seemingly innocuous accounts such as LinkedIn and Netflix have been the target of hackers, because password security is not a priority among consumers who halfheartedly make them more complex or change them on a routine basis.
The risk for companies is high because employees could be increasing the likelihood of being hacked, since "nothing stops a user from changing their social network password to the same one used at work," said Gilad Peleg, CEO of SecBI, a Be'er Sheva, Israel-based company that provides threat detection.
Using the same password, or a weak variant of it made by adding a number or symbol, will not thwart hackers, because they are well aware that people tend to use the same ones for multiple accounts.
Many people rely on a system that is fraught with problems, because they tend to create only two to four passwords - one for financial transactions, one for social media and one for shopping or anything else, said Chris Roberts, chief security architect at Acalvio, a Santa Clara, Calif.-based provider of advanced threat detection and defense solutions.
"So you end up with the same patterns - 1broncos! for work, 1mymoney! for finance and 1qwerty! for social media," he said. "These examples are giving the end user some credit, especially since the top 20 used passwords are full of gems such as 123456, password1, qwertyuiop, 123456789 and football."
The mentality embraced by consumers is lackadaisical, which makes the hackers' work rather simple, since it is often limited to cracking a single password.
"As a hacker and with the mentality of one, the rule is simple: I am going to run it through a script and try everything else I can possibly try such as social media, all the banks, all the storage sites and all the email sites," Roberts said. "Basically, I am going to take your cracked password from one system and check it against a hundred others and invariably, I'll get in."
Another error that people are prone to make is using passwords linked to details of their lives that can be socially engineered or easily found through conversations at lunch or their Facebook or Instagram accounts, said Rivka Gewirtz Little, director of fraud product marketing at NICE Actimize, a New York-based financial crimes software solutions provider.
"What's worse is that they use passwords that they share with coworkers - a cat's name, birthdate, name of maid of honor or first born child," she said. The workplace is the easiest place to socially engineer someone's password.
Corporate Enforcement Increases
Companies are placing a greater emphasis on getting their employees to change their passwords on a routine basis and many of them force them to alter it every 90 days. The managers of the IT departments also do not allow employees to use similar configurations of passwords since many of them are allowed to access external websites, increasing the probability of hacking, Little said.
"The problem is that employees change their passwords and then write the new password on a sticky note sitting right next to their computers," she said. "Human error is the worst threat."
Even if employees deem their new password difficult to remember, hackers can still easily outwit them, said Roberts.
"Remember, your adversary is anything but dumb," he said. "There's technology to help you store securely and recall one-time-use passwords and drag yourself into this century and stop using 123456 as your password 'because it's easy.' You make it too easy for me to hack you and as a hacker, you are my prey."
Short corporate passwords should not be used: if a password is fewer than nine characters long, "I'm going to crack it in under five minutes if I get hold of the encrypted hash file from breaking into your computer or your servers," Roberts said.
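As an added example (not from the article or any of the vendors quoted), a password-policy check in Python that turns Roberts's observations into enforceable rules: reject passwords under nine characters, reject the top passwords he lists, and reject "1word!" style variants of a weak or previously used password. The weak-password set is a constructed stand-in for a full breached-password list, and `previous_passwords` is assumed to come from the organisation's own password history.

```python
import re

# Constructed stand-in for a breached/top-passwords list; the article quotes
# 123456, password1, qwertyuiop, 123456789 and football from the top 20.
COMMON_PASSWORDS = {
    "123456", "password1", "qwertyuiop", "123456789", "football",
    "password", "qwerty",
}
# The article's threshold: under nine characters is cracked in minutes
# once an attacker has the hash file.
MIN_LENGTH = 9


def normalize(password: str) -> str:
    """Strip the leading digits and trailing digits/symbols people bolt onto a
    base word ('1broncos!' -> 'broncos') and lowercase, so patterned variants
    are compared on their core word rather than on the decoration."""
    core = re.sub(r"^[\d\W_]+", "", password)
    core = re.sub(r"[\d\W_]+$", "", core)
    return core.lower()


def check_password(password: str, previous_passwords=()) -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")

    core = normalize(password)
    if password.lower() in COMMON_PASSWORDS:
        problems.append("common password")
    elif core and core in COMMON_PASSWORDS:
        # e.g. 'Password123!' is just 'password' with decoration
        problems.append("variant of common password")

    for old in previous_passwords:
        # Same core word as an earlier password (or identical) counts as reuse;
        # an empty core (all digits/symbols) is not compared, to avoid
        # treating every numeric password as a variant of every other.
        if old.lower() == password.lower() or (core and normalize(old) == core):
            problems.append("variant of previous password")
            break
    return problems
```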
Employees should not give their password to anyone, especially websites such as eBay, Facebook or Yahoo, or even law enforcement such as the FBI, he said. Emails asking you to reset a password, or phone calls requesting one, are signs of scams, Roberts said. Even the IT help desk should not ask for your password.
Additional Authentication Will Be the Norm
Relying on passwords alone will become rare as more companies move beyond them as the sole form of authentication. Many companies have started to use fingerprint biometrics on laptops or mobile devices for authentication, in the form of a one-time password, or more innovative methods such as device location, Little said.
Password managers like LastPass, DashLane and 1Password are good alternatives which will generate different passwords for each registered website the employee uses through a "single, very-secure 'password wallet,'" said Peleg.
"This ensures that even if one website the employee regularly uses is breached - the password will not be compromised," he said.
A set of tools called Cloud Access Security Brokers (CASBs) is gaining in popularity, because they give employees access to cloud-based applications and sites while allowing the company to maintain its other security policies, said Nathan Wenzler, principal security architect at AsTech Consulting, a San Francisco-based independent security consulting company.
"This is a more complex solution, but these kinds of products can better bridge the gap between giving employees the benefit of using internet services and sites from their work computer, while still protecting the organization's assets and policies," he said.
Another option is using a password vault, said James Lanning, North America manager of the Information Security Forum, a London-based authority on cyber and information security and risk management.
"By combining many passwords into a single secure location that is protected by a single exceptionally strong password, vaults enable users to maintain an indefinite amount of unique account credentials while having to remember only a single password," he said. "Vaults offer a solution to the problem of people using the same password for everything and using weak passwords on top of that."