Today’s article is brought to you by guest blogger, Scott Templin, Cyber Risk Advisor with Lachesis, LLC.
Gizmodo reported this week that SolarWinds is blaming an intern for the password ‘solarwinds123’ that was being used on a server. There is no confirmed connection at this point between that weak password and the recent hack, but it still brings password security to the front of mind.
Let’s start with an example cyber profile of a made-up individual. We’ll assume this individual uses common social media platforms, such as Facebook, and has multiple accounts with various online websites.
You do not have to be a super hacker to learn a lot of information about our friend here. Say that through Facebook we were able to learn the following things:
If you had a full year and unlimited attempts at guessing John Doe’s bank password, do you think you could do it? How should we start?
Well, I’m going to start by telling you that people are more likely to use their pet’s name than their kids’ name in their password.
Significant dates and locations are also at the top of the list.
The most common password length is 8 characters, and most places now require a combination of capital letters, numbers, and symbols. If there is no maximum number of login attempts, we could start plugging in variations of Rover along with 85 or 15. But what if John uses Hornets or the nickname Johnny? A normal person will likely never randomly guess this without a lot of time or luck. Unfortunately, the odds are that it is not a person making the attempts.
John is unfortunately not up against a normal person with a keyboard, but a computer that can brute-force tens of thousands to millions of passwords a second. Per NordPass, a 9-character password (one character longer than the average) could be broken in under 2 hours!
To make matters worse, if John’s information was released in one of the several attacks on large companies such as Target or Equifax, then there may even be a baseline for a password ‘format’ that John uses. If he used Rover!85 as the password for his Target account, then savvy hackers could use this information to narrow down their own attempts. If John used a similar password for his work login, say Rover!15, then we could be looking at a huge vulnerability.
Fortunately, there are some easy steps both individuals and businesses can take to keep those passwords strong:
By going up to even 12 characters, that 2-hour crack could now take 300 years. How do you remember such a long password? Using multiple unrelated words with special characters and numbers will keep you better protected and may even be easier to remember. Audij#412 sounds like an insane password to try to remember, but it is not even as strong as something like oRangew@ffleba$eball, which is significantly easier to remember.
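To make the length argument concrete, here is a small added Python example (not from the original post or from Lachesis) that sizes the brute-force keyspace of a password from the character classes it uses, compares the two passwords quoted above, and tabulates worst-case exhaustive-search time for several lengths. The guess rate is an assumed figure for illustration, so the resulting times will not match the NordPass estimates quoted in the post; the point is how the numbers scale with length.

```python
import math
import string

# Character pools matching the post's "capital letters, numbers, and symbols".
_POOLS = (string.ascii_lowercase, string.ascii_uppercase,
          string.digits, string.punctuation)   # 26 + 26 + 10 + 32 = 94 characters


def alphabet_size(password: str) -> int:
    """Size of the smallest pool an attacker must cover for every class the password uses."""
    return sum(len(pool) for pool in _POOLS if any(c in pool for c in password))


def keyspace(password: str) -> int:
    """Candidates an exhaustive search over the same length and character classes must try."""
    return alphabet_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """Brute-force entropy: log2 of the keyspace."""
    return math.log2(keyspace(password))


def worst_case_seconds(alphabet: int, length: int, guesses_per_second: float) -> float:
    """Time to exhaust every password of this alphabet and length at a given guess rate."""
    return alphabet ** length / guesses_per_second


def human_time(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600),
                       ("minutes", 60), ("seconds", 1)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.3f} seconds"


# Assumption: 1e11 guesses/second is a constructed illustrative rate, not the
# rate behind the NordPass figures quoted in the post.
GUESS_RATE = 1e11


def length_table(lengths=(8, 9, 12, 16, 20), alphabet=94, rate=GUESS_RATE) -> dict:
    """Worst-case crack time per password length for a full 94-symbol alphabet."""
    return {n: worst_case_seconds(alphabet, n, rate) for n in lengths}


if __name__ == "__main__":
    for pw in ("Audij#412", "oRangew@ffleba$eball"):
        print(f"{pw:24} alphabet={alphabet_size(pw):3} length={len(pw):2} "
              f"entropy={entropy_bits(pw):6.1f} bits")
    for n, secs in length_table().items():
        print(f"{n:2} chars, 94-symbol alphabet: {human_time(secs)}")
```

Note that oRangew@ffleba$eball draws on a smaller pool than Audij#412 (it has no digits), yet its keyspace is more than 2^60 times larger purely because of its length; every extra character multiplies the work by the alphabet size, which is why the table grows from hours to geological time between 9 and 20 characters.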
By keeping your passwords different across multiple accounts, you ensure that a crack in one system will not immediately open up additional vulnerabilities in other accounts.
In today’s world it is far too easy to learn your dog’s name or the other easy associations that people all too often use to help remember their passwords. This also applies to relevant dates such as anniversaries or birthdays.
Cyber security, just like physical security, should be reviewed with your employees periodically. Put in place specific requirements for how employees handle their work passwords, and review these requirements periodically, especially during major technology changes such as new operating systems.
Password security is just one step in the constantly evolving process of evaluating your business’ cyber risk profile. Please reach out for a deeper dive into how Lachesis can provide insight to vulnerabilities that threaten your business every day.
Founded in 2016, Lachesis brings affordable, yet sophisticated solutions to middle market clients in the Midwest. Their decades of experience working with Fortune 50 enterprises, combined with their unique skill sets, enable their team to deliver results that future-proof companies and enable them to withstand the test of time. To learn more about Lachesis, visit lachesisllc.com.
A graduate of Butler University in 2010, Scott moved to Northwest Indiana when his wife had the opportunity to return to the family farm in Westville. Scott specializes in assisting businesses to better understand and address their cyber risk profile. In his free time Scott loves sports, cats, board games, and exploring the world with his wife.