Top 10 Worst Passwords — (oops, I gave one away!)

One of the oldest truisms about cyber security is that you should use a different, strong password for each account you have. And while it’s old news, the threat is still real. According to a report by LastPass, 81% of confirmed breaches are due to weak, reused, or stolen passwords.

Even so, the average person has so many different accounts that it can be tempting to get a little lazy. The LastPass report also shows that the average business user has as many as 91 accounts. And while 90% of users understand the risks, 61% of them continue to reuse passwords.

Top 10 Worst Passwords

Earlier this year, the UK’s National Cyber Security Centre and the website Have I Been Pwned released a survey of the passwords most often stolen in data breaches. While the list contains exactly the passwords you’d expect, the number of times these passwords were hacked is pretty staggering:

(Format: password (number of times hacked))

  1. 123456 (23.2m) 
  2. 123456789 (7.7m) 
  3. qwerty (3.8m) 
  4. password (3.6m) 
  5. 111111 (3.1m) 
  6. 12345678 (2.9m) 
  7. Abc123 (2.8m) 
  8. 1234567 (2.5m) 
  9. Password1 (2.4m) 
  10. 12345 (2.3m) 

You might think you’re being sneaky, but it turns out that adding a ‘1’ to the end of ‘password’ won’t save you. Even slightly more complicated passwords still might not be good enough. For instance, according to the survey, the password ‘oreocookie’ was hacked 3,000 times.

What You Should Do

Whether or not you’ve ever used a password on that list, there are a couple of things you should be doing to ensure your passwords are effectively protecting your online accounts.

Check to see if passwords you’ve used have been compromised. 

Along with the survey, Have I Been Pwned created a password search function that lets you safely look up passwords you’ve used to see if they’ve been part of past data breaches.

Use a password manager 

At this point, there’s really no reason not to use a password manager. Not only do they help make your accounts more secure, they’re also incredibly convenient and easy to use. You can find plenty of free options that work great for the average user.

Use randomly generated passwords 

Most password managers and internet browsers now include the ability to automatically generate random passwords. Often, you can set the password length and require that it include uppercase letters, symbols, and numbers.


Life of the Third-Party

There can be a lot of moving parts when it comes to implementing a cybersecurity policy. And the truth is, you can have air-tight security procedures for your internal systems and still be vulnerable to attack through any third-party companies you use. We’d like to think the bad guys are faceless, nameless people in the digital ether. In fact, they are often individuals we know, who are either careless or intentional in their abuse of our systems. According to the 2019 Verizon Data Breach Investigations Report (DBIR), privilege misuse (the category this kind of abuse falls under) accounts for 48% of incidents reported and 15% of all breaches.

This is why certain laws are beginning to include regulations covering the use of third parties as part of your overall cybersecurity protections. The New York State Department of Financial Services’ (NYSDFS) Cybersecurity Regulation is one such law. While the regulation itself went into effect in 2017, the requirements regarding third parties were rolled out this past March.

Conduct a Third-Party Audit

As part of the NYSDFS Cybersecurity Regulation, financial institutions will need to complete an audit of all third parties and their cybersecurity policies. Here is a quick primer on what you should include in these audits:

Identification and Risk Assessment 

Per NYSDFS regulations, you’ll need to identify all third-party providers you use and conduct a thorough risk assessment for each one. Your risk assessment should focus on pinpointing the vulnerabilities presented by the third party, based on the sensitivity of the data you provide to them and the third party’s current security controls. Classify each provider based on the risks they present. Be serious about your third-party review process, up to and including review of their HR policies. For highly sensitive information, you might even consider running background checks on contracted parties yourself.

Put it On Paper

Make sure that the third party understands your security requirements and that they are built into any agreement you have with them. A critical part of these policies is the inclusion of access restrictions. Every user should be given the least amount of privilege necessary to complete their work, and those presenting higher risk should be given more restrictive access. Implementing Data Loss Prevention tools can also help monitor and restrict the ability to share information. Make sure that all third parties with access to your data use encryption for data at rest and in transit. Make sure there is a cyber awareness program in place and a solid incident response plan.

And certainly, you will want to be notified and indemnified in the event of a breach on their end that impacts you.

Trust but Verify

For third parties with access to your data, it will be necessary to conduct an audit of their security practices. There are third-party certification frameworks (SOC 2, ISO/IEC 27000 and HITRUST certifications, for example) which can demonstrate that the third party has satisfied the requirements of an external body. There are also organizations such as BitSight, SecurityScorecard and UpGuard which can provide you with a report on your third parties based on external scans and other information.

In some cases, you will want to see for yourself and conduct an on-site review to make sure that your critical third parties have the security posture you need. It also creates an opportunity to share and learn on both sides. These discussions can make everyone stronger.

Rinse and Repeat 

As with all aspects of cybersecurity, you need to periodically re-assess your third-party providers’ security processes and adjust your own policies and procedures based on any new risks.

The Weakest Link…

doesn’t have to be your business partners. Appropriate dialogue and diligence can strengthen both relationships and security postures.