Continuing a running series for National Cyber Security Awareness Month, Rapid7 has released another easily emailed awareness note. This time the topic is passwords, something that can either make or break a person's overall level of security.
Passwords are often seen as a lackluster method of protection, and in many cases this is true if passwords are the only line of defense. This is why two-factor authentication is such a big deal in the security world.
However, love them or hate them, passwords are the initial line of defense in our daily lives. But that crossover leaves people stuck attempting to remember several passwords and manage them properly, something that usually means that they'll create an easily remembered and crackable password once and use it everywhere.
"While security professionals can enforce policy on a password's length, expiration and use of character types, only educated users can create truly strong passwords that they will remember and avoid using elsewhere."
With that said, what follows is an easily copied primer on passwords, which can be emailed to your entire organization.
Why are passwords important?
Having a password is the most basic level of protection you can have for the information you are storing in services or applications, be it your personal Facebook account, your online banking site, or your company's customer tracking system. The problem is that everything is online now, and everything needs a password. So it's tempting to make your password simple and easy to remember. Perhaps you have a go-to password you've used for everything since college. Or maybe you write your password down so you don't forget it.
If you do any of those things, you're probably in the majority, not the minority. Creating long, complex passwords that are unique for every service you use is a challenge, and remembering them all is near impossible. The problem is that simple, easy to remember passwords are also easy to "crack." That's probably why a major study found that 76% of network intrusions (aka breaches) in 2012 involved weak or stolen passwords.
Once attackers have your password, they have access to your account and any information stored in it. From there, they may be able to do all sorts of things, and what was intended as a form of protection could become a threat in itself. For example, if you use the same password across multiple sites, once an attacker has compromised your information on an unimportant one, they can turn around and use it on a site you do care about.
Or say you use different passwords, but the same security questions. They could find the information for your security questions and then set up a fake "change password" request using your information and actually lock you out of an important account.
Sign up for MIS Asia eNewsletters.