Password: the armoured data protection door

Security Awareness
26 April 2023

Let’s learn to keep it robust

Technology, in addition to making the world less mysterious and smaller, has undoubtedly made our lives easier and less tiring. But, as wise people say, nothing is free and, by a strange law of compensation, where there is an advantage, there is always a loss, or in any case, a risk.

So, if it is true that a click is now enough to perform practically any action or to access a lot of knowledge, it is also true that every click we make leaves a trace that can allow someone else to identify us, track us, find out many things about us and, above all, infiltrate our lives. In short, in the age of the internet, living incognito has become a luxury that few can afford.

The digitised data in our devices, whether personal or corporate, represents a digital extension of our person or of the company for which we work and becomes our digital fingerprint. It is a real identity that must be safeguarded and protected to prevent someone from stealing it and using it to carry out actions we never intended. Among these is certainly moving through corporate networks without being discovered, an activity widely practised by hackers who, after obtaining an employee’s credentials, can impersonate that employee. For this reason, identity security has become one of the priorities of CISOs.

But identity theft can have many other serious consequences, including the creation of fake profiles, privacy violations, and the manipulation and alteration of data. For companies, to those already mentioned we can add data theft for ransom, for profit, or for unfair competition. In short, phishing attacks aim at the theft or exploitation of digital identities and can result in serious losses for users and suppliers, and can even prevent customers from using online services. And all this is always due to human error, distraction, or an underestimation of risks.

From the latest 2022 edition of the Data Breach Investigations Report (the fifteenth) it emerged, in fact, that the majority of data breaches occurred due to natural persons who inadvertently and recklessly “collaborated” with the attack. They practically left the front door open.

In fact, among the human errors that enable hackers to steal or damage identities, there is certainly that of not taking enough care of passwords and login credentials and using them in the wrong way.

True, we are all overloaded with passwords and credentials: according to the data, the average person has about 70. Remembering them all is a big problem.

For this reason, we often give in to laziness and thus always use the same ones or choose simple ones in order to remember them more easily. It’s a very common mistake, but one that should never be made.

Some puzzling statistics show how much the password security situation has worsened in recent years:

  • Cybercriminals exploited 1.7 billion login credentials (including passwords) in 2021 (Spycloud Survey).
  • The most commonly-used unencrypted password is “password” (Spycloud survey).
  • 45% of users do not change passwords after a breach (LastPass Study).
  • 60% of users reuse passwords (Spycloud Survey).
  • 84% use the same password for multiple accounts (Bitwarden Survey).
  • Human error, which includes sharing passwords and using weak passwords, is behind 95% of cyberattacks, according to the “IBM Threat Intelligence” survey.

These figures make clear how important it is to fight cybercrime and protect our data by keeping strong, secure passwords: the equivalent of fitting a robust security door to your home and making sure it is always properly closed.

Below, we list some of the most common errors in the use of passwords, with relevant tips for dealing with them:

Do not share passwords
A survey conducted by Yubico and Ponemon found that 49% of cybersecurity officers and 51% of employees share passwords with colleagues to access company accounts. It’s always a good idea not to do this.

Don’t use the same password for multiple accounts
60% of employees admit to reusing passwords for multiple accounts. The difficulty of remembering them all can be overcome with a password manager.

Don’t leave the password written down on the desk
Often, for convenience, the password is written on a piece of paper and left in plain sight, which invites anyone passing by to copy it. In addition, if the employee uses the same password for many accounts, a single copied note exposes all of them.

Do not ever give passwords to anyone else, even if you are asked for them
Scammers often trick employees, through social engineering, into providing personal information, including passwords. Be careful not to fall into the trap.

Make passwords hard to guess
The most popular password is 123456. It is a choice that makes the cybercriminal’s job easy. Companies should encourage the use of more complex passwords.

Change passwords when in doubt
Security policies should ensure that employees change passwords if they believe they have been victims of phishing.

Make password recovery questions more difficult
Password recovery is often a target of cybercriminals: recovery procedures typically ask users for details such as their mother’s maiden name, information that scammers can easily find. It is therefore necessary to have a robust password recovery system.

Do not lose passwords due to unsecured connections
A password could be stolen if a person uses an unsecured Internet connection, as public ones often are. In these cases, it is better to connect only to websites that offer greater security guarantees, such as those served over HTTPS, or to use a VPN.

Do not use common words in a password
The use of common words in a password is exploited by hackers, who run automated cracking programs that try lists of common passwords and dictionary words against an account.
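As an added illustration (not part of the original article), here is a small defender-side check that enforces the last two tips: it rejects the well-known passwords the article names and dictionary words decorated with the substitutions that cracking tools already try automatically. The word lists are constructed samples, not real breach data.

```python
import re

# Constructed sample of frequently leaked passwords (the article cites
# "password" and "123456"); a real deployment would load a full breach list.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "12345678", "abc123",
                    "111111", "iloveyou", "welcome", "letmein", "admin"}

# Constructed sample of dictionary words that cracking tools try first.
COMMON_WORDS = {"password", "welcome", "summer", "company", "football",
                "monkey", "dragon", "master", "secret", "login", "letmein"}

# Character substitutions that cracking tools apply automatically, so they
# add no real strength: P@ssw0rd is tried as readily as password.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

MIN_LENGTH = 12


def base_word(password: str) -> str:
    """Strip the usual decorations (trailing year, digits, punctuation) and
    undo leet substitutions, so Welcome2023! and W3lc0me# both give 'welcome'."""
    lowered = password.lower()
    lowered = re.sub(r"[^a-z]+$", "", lowered)   # drop trailing digits/symbols
    return lowered.translate(LEET)


def check_password(password: str) -> list[str]:
    """Return the reasons a password is rejected; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.isdigit():
        problems.append("digits only")
    if len(set(password)) <= 2:
        problems.append("too few distinct characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    base = base_word(password)
    if base and base in (COMMON_WORDS | COMMON_PASSWORDS):
        problems.append(f"built on the common word '{base}'")
    return problems


if __name__ == "__main__":
    for candidate in ["123456", "P@ssw0rd2023!", "Welcome2023",
                      "blue-kettle-sings-at-dawn"]:
        verdict = check_password(candidate)
        print(f"{candidate!r}: {', '.join(verdict) if verdict else 'accepted'}")
```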

The suggestions listed above, although they seem easy to understand, are actually hard to put into practice and need specific training and preparation to be absorbed. Especially in a company or an organisation, where the stakes are very high and so is the chance of making mistakes, specific training on these aspects can no longer be ignored. Starting from the established fact that human error lies at the origin of the attack, it is mainly here that preventive action is needed. The real protective barrier is, in fact, a workforce that is sufficiently trained and continuously kept up to date: an armoured door protecting the company that will give hackers a run for their money.

