Strong password security is vital for any business looking to meet its cybersecurity responsibilities. However, through our analysis of penetration testing data and password patterns, it is apparent that employees continue to use weak passwords, making companies vulnerable to cyber-attacks.

When our penetration testers can easily guess employee passwords, cybercriminals with malicious intent can too. When password security is weak, attackers can access your system for financial gain or to damage your company’s brand reputation.

With almost nine out of ten UK companies suffering a security breach each year, and with 65k attempts per day, strengthening password security is an essential step for businesses to take.

How cybercriminals gain access to your business’s servers and workstations

Cybercriminals use brute force techniques or password pattern analysis tools to predict user credentials and passwords. Once a password is cracked, they explore if they can use the acquired credentials to access other servers and workstations.

Next, malicious attackers leverage tools to discover if an administrator-level password is stored on any accessed computers’ memory. They then elevate privileges to access customer data, company financial data, and payroll data.

This demonstrates that one weak password can impact the security of the entire organisation’s network.

Common password errors

The general advice is for passwords to include lowercase letters, uppercase letters, special characters, and numbers. However, this can lead to problems as staff take the easiest option. This includes capitalising the first word and adding a number or symbol to the end. When this occurs, cybercriminals are given a head start.

The most common password errors include using a variation of the company name, reusing passwords multiple times, and choosing names or dictionary recognised words. According to the National Cyber Security Centre’s (NCSC) UK Cyber Survey, 23.2 million accounts that were victimised used 123456 as their password. 123456789, qwerty, and 1111111 were the next most common passwords and should be avoided.

Password managers

According to LastPass, a popular password manager, the average worker must remember 191 passwords for work. Manually creating and remembering all of these passwords is impossible, but workers need only to remember one master password by utilising a password manager. The password manager auto-generates highly-secure passwords, and with cloud-based solutions, users can use their password vault on any device and operating system.

Modern password tips and your security policy

Your business should promote security awareness as part of its security policy. It is vital to define what makes a password hard or impossible to crack and encourage the use of password managers.

The password tips you should convey to your team include:

  • Do not use the company name in the password
  • Do not use the year to fulfil numerical requirements
  • Do not end passwords with a full stop or exclamation mark
  • Do not use the season as a password
  • Do use a password manager
  • Do enable two-factor or multi-factor authentication
  • Where possible, use biometric security systems

Password security is an integral part of cybersecurity and penetration testing. Learn more about our penetration testing services, and how to protect your digital tools and web applications.