More and more companies are feeling the impact of password theft. Non-secure passwords and an inadequate IT security environment present hackers with the ideal conditions for gaining access to passwords with “Password Stealing Ware” (PSW). This can have devastating consequences for companies. In this blog article, you can find out how to protect yourself.
Password Stealing Ware – the hacker’s tool
Password Stealing Ware (PSW) is extremely popular with cyber criminals. The purpose of this malicious software is to steal the passwords for important accounts. The malware uses a variety of methods to directly capture access data from the browser as soon as users enter it anywhere. Cyber criminals can intercept everything from logins for web-based business tools to access online banking and credit card information. Once they have stolen access data and passwords, anything is possible, from payment instructions to foreign accounts, from online shop orders to identity theft.
Some Password Stealing ware can also access cookie data or locally stored desktop files. Weak passwords and an inadequate IT security environment also allow malware to take hold. This makes Password Stealing a very lucrative business and an important source of income for cyber criminals. On this website you can check whether your passwords have been leaked before.
Password Stealing can cause enormous damage to a business. This means that strong passwords and authentication protection has become even more important.
Password protection is the top priority
90% of passwords can be cracked in under six hours, and two-thirds of users use the same password for different (web) services. A password check is worthwhile (but you should never use your actual passwords). Unique, strong passwords ensure a particularly high level of protection, but they are not always easy to create.
What criteria should a password follow?
To create a password that is as secure as possible, the following criteria should be considered:
- A minimum of 12 characters
- Different passwords for each (online) account
- Upper and lower case letters including numbers and special characters
- No personal or easily traceable information such as hobbies, first names, last names, years of birth or birthdays
- Avoid logical word combinations and character sets, as they are easy to guess
- and don’t forget – never give your passwords to anyone!
Based on the criteria above, which of the following passwords would you categorise as secure? 12345, Hans1960, MydLhhboM11!! or #+&()=?@
In our view, the password MydLhhboM11!! (My youngest daughter Lisa has her birthday on 11 March!!) is the best one. It is easy to remember, yet it is complex. Using this modular principle, just pick a set that you can easily remember, and use it to create a secure password.
12345 is made up of just five characters but it was the most used password of 2019. The password #+&()=?@ is just made up of special characters and this makes it difficult to guess, but it also has only 8 characters and is difficult to remember unless you have a password manager. Hans1960 speaks for itself…
Password managers create systems where there is chaos
In parallel to unique, strong passwords, password management is also extremely important. The deluge of passwords and access data that the average user has to remember is constantly on the increase. “Best practice” methods have differing password criteria, and this inevitably leads to password chaos. This means that it is only natural for people to resort to conventional, non-secure methods, such as identical passwords, noting the access data in writing, or saving passwords automatically in the browser. Besides, passwords need to be regularly changed, which adds to the complexity of personal password management. Therefore it is advisable to use a password manager such as KeePass or SecureSafe.
Two-factor authentication for even stronger protection
Password manager already improves password management, but two-factor authentication (2FA) provides much better security than just requesting a username and password. If the services you are using can provide the 2FA option, make sure you use it. Moreover, identity verification requirements have undergone major changes. Many regulators and laws are already requiring strong authentication. For users to prove their identity, two or more separate steps are required. For 2FA, authentication must be made up of at least two of the following factors:
- Know: PIN, password, user name, answers to security questions
- Possess: SecurID token, mTAN code, badge, smartphone, credit card
- Biometrics: Fingerprint, iris pattern, retinal pattern, vein pattern, voice
Two-factor authentication offers greater security, but should also be user-friendly, cost-effective and meet the latest requirements. We showed you how to achieve this in an earlier blog article.
What is the password security situation inside your company?
Do you want to know how well your employees manage confidential passwords? InfoGuard can assist with that. InfoGuard can assess your employees' security awareness through a targeted review, as a one-off audit or in the form of an ongoing service. This enables a simulation of phishing and malware attacks that are tested and analysed in detail.
Please contact us now. Our cyber security experts will be pleased to provide you with an individual proposal.