No matter how often we’re urged to use strong and complex passwords to protect our accounts, many people still fail to get the message. And that’s not just the case with regular website users and employees. Tuesday, NordPass released a report showing how executives and business owners try to secure their accounts with some of the most insecure passwords imaginable.

Nord worked with several independent researchers to compile a list of passwords compromised in more than 290 million data breaches across the world. The passwords were categorized by job title and industry, as the study focused on those found among CEOs, C-suite executives, business owners and managers.

The ever popular and ever vulnerable “123456” took top honors as the most common password in the list, found more than 1 million times. The password “password” came in second place among the four different types of roles, discovered more than 700,000 times. From there, the list diverged based on job title.

What’s the 3rd most popular password among CEOs and big-wigs? I’m sure you guessed it… “12345” (without the quotes, though including them might make it a bit harder to guess).

C’mon, people! How can you be this lazy? Nobody can be this un-creative! If you’re using any of the three aforementioned passwords, then YOU DESERVE TO BE HACKED. There is no excuse for you. The 63,779 people who used those passwords should NOT be allowed to choose their own passwords. EVER. AGAIN. And as for you, if you’re one of the 10,998 people who use “123456789” as a password… YOU’RE FIRED.

Yes, people really ARE this stupid. But here’s the catch… this study was mainly focused on people who are CEOs, presidents of companies, and owner/operators of companies. These guys are the ones who take the fall when $h1t hits the fan. They are the ones held responsible. And THEY are the reason why companies have instituted 90-day password policies. If your password is dumb, it can only stay dumb for 3 months before the system makes you change it. Unfortunately, most people simply add a number or change a letter. How can you be responsible in any way when your password is 12345? You should be FIRED.

If corporate conglomerates deal with this, imagine small businesses that have no IT department to restrict access and encourage people to use stronger passwords. It’s only a matter of time for them.
Michael Dewitt
Owner/IT Admin

How can you prevent data breaches in your small business?

Ok, great. Thank you for bearing with me while I rant a little. I tell people all the time to use stronger passwords. Their response? They just stare at me, like I asked them to kill their pet or something. But you’re not one of these people, right? The fact that you’re reading this shows you care about your precious data. This is good. This is really good. Keep reading to learn how you can harden your defenses, prevent data theft, and at the end of the day, sit down with peace of mind knowing some guy from China isn’t stealing your data and selling it on the dark web.

Here are the best practices, with detailed information on each:

You probably wouldn’t give your ATM card and PIN to a stranger and then walk away. So, why would you give away your username and password? Your login credentials protect information as valuable as the money in your bank account. Nobody needs to know them but you—not even the IT department. If someone is asking for your password, it’s a scam.

This is important and I can’t stress this enough. If you take away only one thing from my article, let it be this: for each account/login you have, use a different password. Why do I say this? For me, I keep a spreadsheet of all the accounts I create/use online. What would happen if one of those services I use got hacked and had its entire database of users downloaded? First, the hacker would go on the dark web and see what’s up for sale. They would compare what’s already for sale on the dark web and price the data dump they stole accordingly. The database dump hackers steal ALMOST ALWAYS contains the EMAIL address of the users. Every one of them. And MOST of the time the passwords are downloaded too. Sometimes the passwords are hashed, and sometimes they are in plain text. Even the hashed ones aren’t really that secure, since there is software available to crack those hashes. Well, now there are multiple hackers on the dark web who have bought this data dump (because the original thief can continue to sell the data to anyone who wants to buy it). They take that data, compare it with another database dump someone stole from a separate service, and now they see the same email in both dumps. But guess what, the second dump had all the account passwords in plain text, no need to crack anything! So the hackers put this known password and this known email address together and, with a bit of social engineering, start trying those credentials on many other services, especially bank logins and online stores such as Amazon and Walmart, and any other service they think you might have an account with. See why it’s so important to use different passwords and even different emails? In 2020, there were more than 250,000 different database dumps for sale on the darknet. Imagine what it is now in 2022!
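The scenario above (one service leaks, the same email and password get tried everywhere else) can be audited against your own account list. The following is an added example, not code from the article: it takes a constructed vault export and reports which password guards more than one account, which other accounts open if a given site leaks, and how many services each email address is registered with. The site names, addresses and passwords are all made up for the demonstration.

```python
from collections import defaultdict

# Constructed sample of one person's account list (made up for this example;
# a real password-manager export would have the same three fields).
VAULT = [
    {"site": "shop-a.example",  "email": "me@example.com",     "password": "Summer2021!"},
    {"site": "forum-b.example", "email": "me@example.com",     "password": "Summer2021!"},
    {"site": "bank-c.example",  "email": "me@example.com",     "password": "Summer2021!"},
    {"site": "news-d.example",  "email": "alias2@example.com", "password": "bread and butter yum"},
    {"site": "mail-e.example",  "email": "alias3@example.com", "password": "q9!vL2#pT8wZ@cR4"},
]


def password_reuse(vault):
    """Return {password: [sites]} for every password that guards more than one account."""
    by_password = defaultdict(list)
    for entry in vault:
        by_password[entry["password"]].append(entry["site"])
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


def blast_radius(vault, breached_site):
    """Play out the scenario in the text: `breached_site` leaks its user table in
    plain text and the leaked email+password pairs are tried elsewhere. Returns the
    other sites in the vault that would open with one of those pairs."""
    leaked = [e for e in vault if e["site"] == breached_site]
    exposed = set()
    for victim in leaked:
        for other in vault:
            same_credentials = (other["email"] == victim["email"]
                                and other["password"] == victim["password"])
            if other["site"] != breached_site and same_credentials:
                exposed.add(other["site"])
    return sorted(exposed)


def email_exposure(vault):
    """Number of distinct services registered under each email address; the higher
    the count, the more dumps one leaked address can be correlated across."""
    sites_by_email = defaultdict(set)
    for entry in vault:
        sites_by_email[entry["email"]].add(entry["site"])
    return {email: len(sites) for email, sites in sites_by_email.items()}


if __name__ == "__main__":
    for sites in password_reuse(VAULT).values():
        print(f"one password guards {len(sites)} accounts: {', '.join(sites)}")
    print("if forum-b.example leaks, also exposed:", blast_radius(VAULT, "forum-b.example"))
    print("accounts per email address:", email_exposure(VAULT))
```

Run it against a CSV or JSON export of your own vault and the `password_reuse` result is the list of accounts to fix first; the `bread and butter yum` and random entries in the sample show that unique passwords shrink the blast radius of any single breach to zero.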

Even the best passwords have limits. Multi-Factor Authentication adds another layer of protection in addition to your username and password. Generally, the additional factor is a token or a mobile phone app that you would use to confirm that you really are trying to log in. Learn more about MFA and how to turn it on for many popular websites at Two Factor Auth | BrainStation®

The longer a password is, the better. Use at least 16 characters whenever possible.

  • To make passwords easier to remember, use sentences or phrases. For example, “breadandbutteryum”. Some systems will even let you use spaces: “bread and butter yum”. 
  • Avoid single words, or a word preceded or followed by a single number (e.g. Password1). Hackers will use dictionaries of words and commonly used passwords to guess your password. 
  • Don’t use information in your password that others might know about you or that’s in your social media (e.g. birthdays, children’s or pets’ names, car model, etc.). If your friends can find it, so will hackers.
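The rules in the list above can be turned into a checker. The following is an added example, not the article’s own code: it flags the passwords the article calls out, anything shorter than 16 characters, a dictionary word with a single digit attached (the “Password1” case), and anything containing personal details you supply, and it builds a passphrase the way the “bread and butter yum” tip suggests. The word lists are tiny constructed stand-ins; a real checker loads full breached-password and dictionary lists, and a real generator uses a large list such as the EFF diceware list.

```python
import re
import secrets

# Constructed stand-ins (not real lists): the passwords the article names,
# a few dictionary words, and a small word list for passphrases.
COMMON_PASSWORDS = {"123456", "password", "12345", "123456789"}
DICTIONARY_WORDS = {"password", "welcome", "summer", "football", "monkey", "dragon"}
WORD_LIST = ["bread", "butter", "yum", "river", "pencil", "cloud", "marble", "tiger"]
MIN_LENGTH = 16


def check_password(pw, personal_facts=()):
    """Return a list of findings; an empty list means the password passed every rule."""
    findings = []
    if pw in COMMON_PASSWORDS:
        findings.append("in the most-breached password list")
    if len(pw) < MIN_LENGTH:
        findings.append(f"only {len(pw)} characters; use at least {MIN_LENGTH}")
    # A single dictionary word, optionally with one digit before or after it (e.g. Password1).
    m = re.fullmatch(r"\d?([A-Za-z]+)\d?", pw)
    if m and m.group(1).lower() in DICTIONARY_WORDS:
        findings.append("a dictionary word with at most one digit attached")
    lowered = pw.lower()
    for fact in personal_facts:  # birthdays, pet names, car model, ...
        if fact and fact.lower() in lowered:
            findings.append(f"contains the personal detail '{fact}'")
    return findings


def suggest_passphrase(words=4, separator=" "):
    """Join random words into a memorable passphrase; `secrets` is the RNG to use for this."""
    return separator.join(secrets.choice(WORD_LIST) for _ in range(words))


if __name__ == "__main__":
    facts = ["Fluffy", "1985", "Toyota"]  # constructed personal details for the demo
    for candidate in ["123456", "Password1", "breadandbutteryum", "Fluffy1985Toyota"]:
        print(f"{candidate!r}: {check_password(candidate, personal_facts=facts) or 'OK'}")
    print("suggested passphrase:", suggest_passphrase())
```

Note that a pure length rule is not enough on its own: “Fluffy1985Toyota” is 16 characters and still fails, because everything in it can be read off a social-media profile.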

Password management tools, or password vaults, are a great way to organize your passwords. They store your passwords securely, and many provide a way to back up your passwords and synchronize them across multiple systems. Though the University does not recommend any one solution, here are some examples of free password managers*:

When you sign up for something these days, many browsers, including the new Microsoft Edge and Firefox, will pop up a box with a suggested complex password. Use it! The browser will remember the ridiculous password, so you don’t have to. Just make sure your account with that browser has its own password and email associated with it, since your web browser will be storing saved passwords, no doubt across devices.

Wait! You mentioned having multiple emails to use, how can I possibly do that?

Most, if not all, email providers allow you to create something called ‘aliases’. This is where you create another email address that, in essence, is tied to the main account. For instance, say you have an email called emailexample@gmail.com. You go into settings and create an alias called exampleemailno2@gmail.com. Any mail sent to the second one will go to the inbox of the first. As long as someone doesn’t already have the email address you’re trying to use as an alias, it will be yours. With Microsoft, you can even use your aliases to log into your account instead of using the main email. This is only helpful if you create unique passwords for each of your online accounts; otherwise you’ll still run into the same problem spoken about in tip #2 above.

Alternatively, you can use a temp email address if you’re forced to sign up for a service you’re just checking out, or that will be a one-time thing. Some good services out there are:

Bitwarden now lets you generate fake alias email addresses in addition to passwords

Bitwarden is another excellent password manager that’s open source and has a long history of support with the community. Now, Bitwarden brings integration with five popular email forwarding services: SimpleLogin, AnonAddy, Firefox Relay, Fastmail and DuckDuckGo. These services focus on bringing privacy, and with it, security, to users’ online accounts. The combination of using email aliases alongside a password manager adds multiple layers of protection online. With these new Bitwarden integrations, users now have a convenient way to generate both anonymous email addresses and secure passwords for ultimate security.

Setting up individual email aliases is usually a multi-step process that involves visiting the forwarding service in question, creating a new email alias, copying and pasting it to the website you want to sign up for and your password manager. Bitwarden’s latest update makes this much simpler, though, thanks to its integration with the three aforementioned forwarding services. When creating a new login item in the manager, you can now also generate an email alias from the forwarding service of your choice without having to visit its website.

Source: Bitwarden

There’s a bit of a setup process involved to get started with email forwarding in Bitwarden, but the password manager has extensive documentation for all three of its providers. Plus, if you’re a ‘self-hoster’ like myself, the Bitwarden server can be set up via Docker in no time!

In conclusion, if you’re not using a password manager in 2023, FIND ONE!!! There are so many options available, and it only benefits you and your data! The top 2 options that I recommend for any person or business are KeePassXC and Bitwarden.
