Meet the Greenhorns. They’re a typical family living in a densely populated urban neighbourhood. They view themselves as honest citizens with nothing to hide. While travelling a few years back, they lost their set of keys. After that fiasco, they had a locksmith duplicate the key for the sake of convenience and put the same lock on their cars, house, garage, office, gym locker, safety deposit box, and pretty much anything else that needed a key. They said they prefer to keep things simple and that using the same key for everything has saved them so much time compared with fumbling for the right key!
This fable might sound ridiculous and far-fetched, but unfortunately, it’s half true. This fictitious behaviour describes how many people manage their personal and professional online accounts. A team of researchers at Virginia Tech released a scientific report in 2018 in the journal of Access Control and Authentication, analyzing 28.8 million users and 107 online services, and found the following:
1. Password reuse and modification are still very common: 52% of users
2. Sensitive online services have a high ratio of reused and modified passwords:
- “Shopping” services have the highest ratio (>85%)
- “Email” services are in second place (>62%)
3. Users still reuse the already-leaked passwords for years after the data breach:
- 70% of the users are still reusing the already-leaked passwords in other services 1 year after the leakage.
- 40% of the users are reusing the same passwords leaked more than 3 years ago.
4. Modified passwords are highly predictable.
- The team built a password guessing machine, and once they knew the previous password, their algorithm was able to guess the modified password within 10 guesses.
These stats show that the risky Greenhorn behaviour is common to one in every two people! Even when people slightly modify passwords for different accounts, the Virginia Tech researchers have shown that it’s fairly easy to crack (guess) a slightly modified password.
We Take Cybersecurity Seriously
October is cybersecurity awareness month, and FlexPay takes cybersecurity very seriously because we care about our own and our clients’ security. Here are some password best practices that FlexPay follows to protect ourselves online.
- We encourage our employees to use a unique password for each account, whether it is personal or professional. This prevents credential stuffing attacks, where criminals or malicious individuals try to access each of your accounts by using your username/email and password, or by using a password guessing machine to figure out the modified password.
- We recommend that our employees use long, random passwords or passphrases. A good rule of thumb is 12-20 characters! According to a Scientific American article on “The Mathematics of (Hacking) Passwords,” a 12-character password drawn from uppercase and lowercase letters, the 10 digits and 10 symbols takes 62 trillion times longer to crack than a 6-character lowercase alphabet-only password.
- We use password managers to generate, store and manage our unique passwords securely. Because who can remember 50 unique and secure passwords anyway? A password manager helps you generate unique passwords that you can customize in length and complexity with one click and save them securely.
- We enable multi-factor authentication on accounts that offer the service. This means that besides entering a password/passphrase, an additional confirmation must be provided to complete the login, such as a physical security key, a fingerprint, a cellphone notification, or a code received by email.
- And finally, we prohibit writing passwords down or saving them in a document such as Word or Google Docs. According to Yubico’s 2020 report, 42% of companies use sticky notes to manage their passwords; we are not one of them.
Learn More About Cybersecurity
To learn more about cybersecurity and how to protect your organization and employees, here’s a list of informative resources to help you stay safe online.
BeyondTrust privileged access management solutions: https://www.beyondtrust.com/blog/entry/top-15-password-management-best-practices
Canadian Centre for Cyber Security: https://cyber.gc.ca/en/events/cyber-security-awareness-month-0
Department of Homeland Security: Cybersecurity & Infrastructure Security Agency: https://www.cisa.gov/national-cyber-security-awareness-month
Yubico State of Password and Authentication Security Behaviors Report: https://pages.yubico.com/2020-password-and-authentication-report
Chun Wang, Steve T.K. Jan, Hang Hu, Douglas Bossart, and Gang Wang. 2018. The Next Domino to Fall: Empirical Analysis of User Passwords across Online Services. In Proceedings of the Eighth ACM Conference on Data and Application Security and Privacy (CODASPY ’18). Association for Computing Machinery, New York, NY, USA, 196–203. DOI:https://doi.org/10.1145/3176258.3176332