6 Essential Password Tips To Foil Cybercriminals

Sarah, a seasoned CFO at a midsized wealth management firm, made a critical mistake that nearly sank her company. Overwhelmed by her busy schedule, she used “TechCFO2024” as the password for both her corporate email and the firm’s financial management system, reusing it across multiple platforms for convenience.

She assumed the company’s firewalls were enough protection. Then, one night, cybercriminals exploited a phishing email she inadvertently clicked, capturing her weak, reused password.

Within hours, attackers accessed the firm’s financial accounts, siphoning $1.2 million and leaking sensitive client data. The breach triggered a week-long system shutdown, costing $300,000 in lost productivity and millions in potential lawsuits. Sarah’s oversight not only jeopardized her reputation but also put the company’s survival at risk, serving as a stark reminder of the stakes in password security.

Sarah’s story is not real. It’s one I’ve invented to illustrate the point that password vulnerabilities are a top cause of data breaches, with devastating impacts. Cybercriminals capitalize on weak passwords to steal identities, drain accounts and breach corporate systems.

How bad is it? A new study conducted by the Cybernews research team found there was a mind-boggling 19 billion stolen passwords available on the dark web for any hacker to use. Ninety-four percent of the passwords were being reused across accounts and services and 42% were way too short—eight to 10 characters in length.

Getting employees to become password security conscious is a tough job. One survey found that 57% of employees use sticky notes and 49% put their passwords in documents. Sixty-two percent share them with others in emails or even texts.

To protect yourself and your organization, adopt these evidence-based password practices designed to outsmart cybercriminals:

1. Use long, unique passphrases.

A strong password is long and unpredictable. Scientific American notes that a 12-character password is 62 trillion times harder to crack than a six-character one (a figure that assumes each character is drawn from a set of roughly 200 symbols), with 16-character passphrases derived from a 200-character set being the gold standard. Instead of short "complex" strings like "P@ssw0rd123", which cracking tools guess quickly because they follow a well-known pattern, opt for passphrases like "BlueSkyCoffeeRain&!42" that combine randomly chosen words, upper and lowercase letters, numbers and symbols. The words must be picked at random rather than taken from a favorite quote or song lyric, because those phrases are in crackers' wordlists too.

According to Verizon, for basic web application attacks (BWAA), over 80% of breaches can be attributed to the use of stolen credentials.

As noted from a Bitwarden survey, “79% of Gen Z believe reusing the same password across multiple accounts is risky; however, 72% still admit to doing so.” A staggering 59% “reuse an existing password even when updating an account with a company that has recently had a data breach.” Bottom line: Never reuse passwords across accounts.
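The arithmetic behind the length claim above, together with the right way to generate a passphrase, as an added example that is not part of the original article. It uses Python's `secrets` module (the OS random generator, which is what a password generator must use; `random` is not suitable). The 16-word list is a constructed stand-in for a real list of several thousand words, and 7,776 is the size of the EFF large wordlist used for Diceware-style passphrases.

```python
import math
import secrets
import string

# Constructed mini word list for the demonstration only. Real generators draw from
# a list of thousands of words (e.g. the 7,776-word EFF large wordlist); the list
# size, not the spelling of the words, is what gives a passphrase its strength.
WORDS = ["blue", "sky", "coffee", "rain", "anchor", "maple", "river", "quartz",
         "lantern", "meadow", "copper", "violet", "harbor", "ember", "saddle", "orbit"]

PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def guess_space_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a password drawn uniformly at random from
    alphabet_size symbols, `length` symbols long: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def hardness_ratio(alphabet_size: int, longer: int, shorter: int) -> int:
    """How many times larger the search space of a `longer`-character random
    password is than a `shorter`-character one over the same alphabet.
    With a 200-symbol alphabet, 12 vs 6 characters gives 200**6 = 64 trillion,
    the order of magnitude the article quotes."""
    return alphabet_size ** (longer - shorter)


def random_password(length: int = 16, alphabet: str = PRINTABLE) -> str:
    """Uniformly random password from the OS CSPRNG (secrets), never random.random."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(n_words: int = 5, words=WORDS, separator: str = "-") -> str:
    """Diceware-style passphrase: n_words words chosen uniformly and independently.
    Picking words yourself ("favorite things") destroys the uniformity."""
    return separator.join(secrets.choice(words) for _ in range(n_words))


def passphrase_bits(n_words: int, list_size: int) -> float:
    """Entropy of a random word passphrase: n_words * log2(list_size)."""
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    print("200-symbol alphabet, 12 vs 6 chars:", hardness_ratio(200, 12, 6))
    print("16 random printable chars:", random_password(16),
          f"~{guess_space_bits(94, 16):.0f} bits")
    print("5 words from a 7776-word list:", f"~{passphrase_bits(5, 7776):.0f} bits")
    print("5 words from the 16-word demo list:", random_passphrase(),
          f"~{passphrase_bits(5, len(WORDS)):.0f} bits (too small: list is tiny)")
```

Running it shows the point of the section in numbers: five words from a 7,776-word list give about 65 bits, a 16-character random printable password about 105 bits, while five words from the tiny demo list give only 20 bits, which is why the word list must be large and the words must be chosen by the generator, not by memory.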

2. Leverage password managers.

Remembering dozens of unique, complex passphrases is daunting, which is why password managers are a game changer. These tools generate, store and autofill strong passwords, requiring you to remember only one master passphrase. Prefer a dedicated manager such as LastPass over the one built into your browser: a dedicated tool encrypts the vault under your master passphrase, works across browsers and devices, and only offers to fill a credential on the exact site it was saved for, which helps you notice a lookalike phishing domain when the autofill refuses to match it. Whichever tool you choose, the master passphrase should be at least 16 characters, unique and paired with multifactor authentication (MFA).

3. Enable multifactor authentication (MFA).

MFA adds a second verification step, such as a code sent to your phone, a prompt from an authenticator app, a hardware security key or a biometric scan, so a stolen password alone is not enough to log in. Note that codes sent by SMS or generated by an app can still be relayed to the real site by a phishing page in real time; where the option exists, prefer phishing-resistant methods such as FIDO2 security keys or passkeys, which are bound to the genuine website. According to Bitwarden, 23% of U.S. users still don't use MFA at work, leaving gaps for exploitation. Even IT decision makers are inclined to be slack. Despite the increase in password manager use and MFA, 53% of them share passwords with colleagues via email.

4. Avoid personal information and common words.

Cybercriminals exploit predictable patterns. Keeper Security found that 31% of people use names or birthdays of their children, 34% use their spouse’s, and 37% incorporate the name of their employer in passwords. These are easily guessable, especially with social media reconnaissance.

Almost unbelievably, the most popular passwords, according to Nordpass, are numerical sequences like 123456, the word "password" (yes, really) and "qwerty" (derived from a keyboard's layout). Instead, use random combinations. Phonetic substitutions (e.g., "enjin" for "engine") and character swaps such as "0" for "o" add very little on their own: cracking tools apply those rules automatically to every dictionary word, so treat them as a garnish on a long random passphrase, not as a source of strength.

A stark example of such password failure happened at software company SolarWinds, where an intern reportedly used the password "solarwinds123" for a file server, and the credential sat in a public GitHub repository for a time before a security researcher reported it. Whether that password played any part in the 2020 compromise of SolarWinds' software updates, which affected thousands of organizations, including government agencies and Fortune 1000 companies, and cost millions in damages, has not been established publicly; the company said the credential was unconnected to that intrusion. The lesson holds either way: a predictable password on an internet-reachable system is a standing invitation.
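The checks this section describes, turned into a password screening function, as an added example that is not part of the original article. It rejects common and breached passwords (including leet-speak variants such as "P@ssw0rd"), keyboard walks, repeated or sequential runs, and anything containing the user's own name, username, employer or a family birthday. The nine-entry common-password list, the 12-character minimum and the demo user context are constructed assumptions for the example; a real deployment screens against the full breach corpora.

```python
import re
from dataclasses import dataclass, field
from datetime import date

MIN_LENGTH = 12  # assumption for this example; the article argues for long passphrases

# Constructed stand-in for a breached/common-password corpus. A real deployment
# screens against the full lists (hundreds of millions of entries), not nine words.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "12345678", "111111",
                    "iloveyou", "letmein", "welcome", "admin"}
KEYBOARD_WALKS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
# Common "leet" substitutions, undone before checking so P@ssw0rd is seen as password.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l", "!": "i",
                      "3": "e", "4": "a", "5": "s", "7": "t"})


@dataclass
class UserContext:
    """Facts about the user an attacker can harvest from social media or a staff page."""
    username: str
    employer: str
    names: list = field(default_factory=list)      # own, spouse's and children's names
    birthdays: list = field(default_factory=list)  # datetime.date objects


# Constructed demo context (no real person); the employer echoes the article's example.
DEMO_CONTEXT = UserContext(username="sarah.lee", employer="SolarWinds",
                           names=["Sarah", "Lee", "Tom"], birthdays=[date(2015, 3, 9)])


def normalize(text: str) -> str:
    """Lowercase and undo leet substitutions."""
    return text.lower().translate(LEET)


def has_run(s: str, n: int = 4) -> bool:
    """True if s has n or more identical characters in a row (aaaa) or n or more
    characters stepping by exactly +1 or -1 in code point (abcd, 4321)."""
    for i in range(len(s) - n + 1):
        chunk = s[i:i + n]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def date_tokens(d: date) -> list:
    """The digit strings a person typically types for a date."""
    fmts = ("%Y", "%d%m", "%m%d", "%d%m%Y", "%m%d%Y", "%Y%m%d", "%d%m%y", "%m%d%y")
    return [d.strftime(f) for f in fmts]


def context_tokens(ctx: UserContext) -> set:
    """Names, username and employer, whole and split on separators, normalized."""
    raw = [ctx.username, ctx.employer, *ctx.names]
    tokens = set()
    for t in raw:
        tokens.add(t)
        tokens.update(re.split(r"[\s._-]+", t))
    return {normalize(t) for t in tokens if len(t) >= 3}


def check_password(pw: str, ctx: UserContext) -> list:
    """Return the reasons pw is rejected; an empty list means it passed."""
    problems = []
    low, norm = pw.lower(), normalize(pw)
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if low in COMMON_PASSWORDS or norm in COMMON_PASSWORDS:
        problems.append("in the common/breached password list")
    elif any(c in low or c in norm for c in COMMON_PASSWORDS if len(c) >= 6):
        problems.append("built around a common password")
    if any(walk[i:i + 5] in low for walk in KEYBOARD_WALKS
           for i in range(len(walk) - 4)):
        problems.append("contains a keyboard walk")
    if has_run(low):
        problems.append("contains a repeated or sequential run")
    if any(t in norm for t in context_tokens(ctx)):
        problems.append("contains a name, username or employer")
    if any(tok in pw for d in ctx.birthdays for tok in date_tokens(d)):
        problems.append("contains a birthday")
    return problems


if __name__ == "__main__":
    for candidate in ("solarwinds123", "P@ssw0rd123", "Tom09032015!",
                      "BlueSkyCoffeeRain&!42"):
        print(f"{candidate!r}: {check_password(candidate, DEMO_CONTEXT) or 'OK'}")
```

Short name tokens such as "tom" will also match inside unrelated words ("tomorrow"), which is acceptable for a screening check that only asks the user to pick something else; the substring test is deliberately generous because attackers' rule sets are too.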

5. Limit password attempts and monitor breaches.

Organizations should enforce account lockouts after a reasonable number of failed login attempts, for example 10 attempts before locking out. This deters brute-force guessing against a single account. Make the lockout temporary (or use an escalating delay) so an attacker cannot lock legitimate users out of their own accounts simply by entering wrong passwords, and rate-limit by source address as well as by account, because password spraying (one common password tried against many accounts) never trips a per-account counter.

According to a new large-scale study from Kaspersky, which checked 193 million passwords on the dark web, 45% of all passwords can be figured out by scammers within a single minute.
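Both halves of this tip, lockout after a fixed number of failures and checking passwords against breach data, as an added example that is not part of the original article. The lockout tracks failures per account in a sliding window and locks only temporarily, for the reason given above. The breach check implements the k-anonymity "range" protocol used by the Pwned Passwords service: only the first five hex characters of the password's SHA-1 are sent, and the remaining 35 are compared locally against the returned `SUFFIX:COUNT` lines. The 15-minute window and lockout are assumptions, and the range response below is a constructed sample (the suffix for "password" is genuine, the count is illustrative), so the code runs offline.

```python
import hashlib
import time
from collections import defaultdict, deque

MAX_FAILURES = 10           # the article's figure: lock after 10 failures...
WINDOW_SECONDS = 15 * 60    # ...within 15 minutes (assumption)
LOCKOUT_SECONDS = 15 * 60   # temporary lock (assumption), so attackers cannot lock users out for good


class LoginThrottle:
    """Per-account failed-login tracking with a sliding window and temporary lockout.
    The clock is injectable so the behaviour can be tested without sleeping."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failures = defaultdict(deque)  # account -> timestamps of recent failures
        self.locked_until = {}              # account -> time at which the lock expires

    def _prune(self, account: str) -> None:
        """Drop failures older than the window."""
        q, cutoff = self.failures[account], self.clock() - WINDOW_SECONDS
        while q and q[0] < cutoff:
            q.popleft()

    def is_locked(self, account: str) -> bool:
        return self.locked_until.get(account, 0) > self.clock()

    def record_failure(self, account: str) -> bool:
        """Register a failed attempt; return True if the account is now locked."""
        self._prune(account)
        self.failures[account].append(self.clock())
        if len(self.failures[account]) >= MAX_FAILURES:
            self.locked_until[account] = self.clock() + LOCKOUT_SECONDS
            self.failures[account].clear()
            return True
        return self.is_locked(account)

    def record_success(self, account: str) -> None:
        """A successful login resets the counter and clears any expired lock."""
        self.failures.pop(account, None)
        self.locked_until.pop(account, None)

    def attempts_left(self, account: str) -> int:
        self._prune(account)
        return MAX_FAILURES - len(self.failures[account])


# --- Breach monitoring with the Pwned Passwords k-anonymity range protocol ---
# Real flow: hash the password with SHA-1, send ONLY the first 5 hex characters to
# https://api.pwnedpasswords.com/range/<prefix>, and compare the remaining 35
# characters locally against the returned "SUFFIX:COUNT" lines. The password itself
# never leaves the client. The response below is a constructed sample for prefix
# 5BAA6; the first suffix is the real SHA-1 tail of "password", the count is made up.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
0000000000000000000000000000000000A:2
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:1
"""


def sha1_prefix_suffix(password: str):
    """Split the upper-case hex SHA-1 into the 5-char prefix sent and the 35-char suffix kept."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password: str, range_response: str) -> int:
    """Times `password` appears in breaches according to the range response for
    its prefix; 0 if its suffix is absent. Policy: reject any count above 0."""
    _, suffix = sha1_prefix_suffix(password)
    for line in range_response.splitlines():
        if ":" not in line:
            continue
        candidate, count = line.strip().split(":", 1)
        if candidate == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    throttle = LoginThrottle()
    for attempt in range(1, MAX_FAILURES + 1):
        locked = throttle.record_failure("sarah")
        print(f"failure {attempt}: locked={locked}, left={throttle.attempts_left('sarah')}")
    prefix, _ = sha1_prefix_suffix("password")
    print(f"GET /range/{prefix} -> 'password' seen {breach_count('password', SAMPLE_RANGE_5BAA6)} times")
    print("'BlueSkyCoffeeRain&!42' seen", breach_count("BlueSkyCoffeeRain&!42", SAMPLE_RANGE_5BAA6), "times")
```

In production the sample text is replaced by the body of the HTTPS request for the prefix; because every client asks for a whole prefix bucket, the service learns nothing about which of the hundreds of hashes in that bucket (if any) is the user's.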

6. Educate and enforce policies.

For businesses, and especially those that handle huge financial transactions, like wealth management advisory firms, a robust password policy is nonnegotiable. Train employees on phishing and social engineering risks, which account for many credential thefts. A policy in line with current guidance screens every new password against lists of breached and commonly used passwords and against the user's own name and employer, and drops mandatory periodic rotation, which mainly produces predictable variants of the old password.

Conclusion

Weak, reused passwords remain a primary gateway for cybercriminals, with billions of stolen credentials circulating on the dark web. By adopting robust practices—using long, unique passphrases, leveraging password managers, enabling multifactor authentication, avoiding predictable patterns, limiting login attempts and enforcing comprehensive policies—you can significantly fortify your defenses.

Cybersecurity is not just an IT issue; it’s a shared responsibility. Implementing these evidence-based strategies empowers you to stay one step ahead of cybercriminals, safeguarding your data, finances and reputation.

(Originally posted for Forbes Business Council)
