Protecting business accounts with strong passwords is an important part of any company’s security strategy. However, if you simply tell your team to avoid weak passwords like "123456" or "qwerty" because weak credentials can lead to data breaches, they will probably say "Okay" and then forget what you told them the next time they create a new password. One way to bring home the point that weak passwords are dangerous is to take an interactive approach when discussing the topic with your team. Toward that end, you can use an online tool like Pwned Passwords, which lets you check a password to see if it has been compromised. Its database contains more than 320 million unique passwords that have been exposed in real-life data breaches. Another tool you can use is Kaspersky Lab’s password checker. Rather than rating a password’s strength, it takes a more fun approach by estimating how long it would take a hacker to crack the password with a brute-force password-cracking tool.
Before discussing passwords with your team, you need to make some preparations. For starters, compile a list of commonly used weak passwords. If you need inspiration, check out SplashData’s top 25 "Worst Passwords of 2016". You also need to create a list of strong passwords. In your lists, do not include any passwords currently being used in your business. You should never provide an unknown third party with a password you currently use or plan to use, and an online checker is exactly that: whatever you type into it leaves your network. Finally, create guidelines that your team can follow when generating passwords. For instance, you might use the following:
During the discussion, you can use the Pwned Passwords tool to demonstrate how often weak passwords show up in the exposed password database compared to strong ones. You can also use Kaspersky Lab’s password checker to compare how long it would take a hacker to crack a weak password versus a strong one. After you go through your lists, have the team come up with both weak and strong passwords of their own to try in both tools. Be sure to let them know that they must not use any of their current passwords, or any password they intend to use, during this exercise. While the team is using the tools, it is important to bring up several points:
When you visit the Pwned Passwords page, you might notice that it gives you the option of downloading the files that contain the breached passwords, in case you want to check current and potential passwords offline on your own computer without ever sending them to a third party. Although the passwords are in plain text files, the files are several gigabytes in size, far too large to open in a text editor (e.g., Notepad) or a spreadsheet program (e.g., Microsoft Excel). You do not need a database product such as Microsoft SQL Server to use them, though; any tool that can read a large file line by line will do. Also, each password is stored as a SHA-1 hash rather than as the original text, so that the file itself does not reveal passwords that contain personal information such as names or email addresses. As a result, you need to compute the SHA-1 hash of your candidate password and then search the file for that hash. Keep in mind that SHA-1 is a fast, unsalted hash, so this only keeps the plain text out of the file; anyone who can guess a password can hash it and find it just as easily as you can. So, downloading the files is useful only if you have a way to compute SHA-1 hashes, which most operating systems provide on the command line (for example the sha1sum utility on Linux and macOS, or Get-FileHash and the .NET SHA1 class in PowerShell on Windows) and which any scripting language can do in a line or two.
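The following script is an added example of the offline check described above; it is not code from the original article or from the Pwned Passwords project. It hashes a candidate password with SHA-1 and streams through a downloaded dump looking for that hash, so the password never leaves the machine. The three-line dump embedded here is constructed for the example (the hashes are real SHA-1 digests of "123456", "qwerty" and "password", but the breach counts after the colon are illustrative, not values from the real download). The file layout is an assumption as well: one upper-case SHA-1 per line, optionally followed by a colon and a count, which covers both the original bare-hash files and the later hash:count files.

```python
import hashlib
from typing import Iterable, Optional, Tuple

# Constructed sample standing in for a Pwned Passwords download. The hashes
# are SHA-1("123456"), SHA-1("qwerty") and SHA-1("password"); the counts are
# illustrative placeholders, not figures taken from the real dump.
SAMPLE_DUMP = """\
7C4A8D09CA3762AF61E59520943DC26494F8941B:20000000
B1B3773A05C0ED0176787A4F1574FF0075F7521E:3000000
5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8:3500000
"""


def sha1_hex(password: str) -> str:
    """Return the upper-case hex SHA-1 of the password's UTF-8 bytes.

    The dump stores upper-case hex, so the candidate must be normalised
    the same way or the comparison will silently never match.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_dump_line(line: str) -> Optional[Tuple[str, int]]:
    """Parse one dump line into (HASH, count).

    Assumed formats: "HASH" (count unknown, reported as 1) or "HASH:COUNT".
    Blank lines yield None so the caller can skip them.
    """
    line = line.strip()
    if not line:
        return None
    if ":" in line:
        digest, count = line.split(":", 1)
        return digest.upper(), int(count)
    return line.upper(), 1


def times_seen(password: str, dump_lines: Iterable[str]) -> int:
    """Stream through dump_lines and return how often the password appears.

    dump_lines may be an open file object, so a multi-gigabyte download is
    never loaded into memory; the scan stops at the first match. Returns 0
    when the password's hash is absent.
    """
    target = sha1_hex(password)
    for raw in dump_lines:
        parsed = parse_dump_line(raw)
        if parsed is not None and parsed[0] == target:
            return parsed[1]
    return 0


def check_candidates(candidates: Iterable[str], dump_path: str) -> dict:
    """Check several candidates against a dump on disk, one pass per candidate.

    Returns {candidate: count}. Reopening the file per candidate is simple and
    keeps memory flat, which is what matters for a one-off workshop check.
    """
    results = {}
    for candidate in candidates:
        with open(dump_path, "r", encoding="ascii", errors="ignore") as dump:
            results[candidate] = times_seen(candidate, dump)
    return results


if __name__ == "__main__":
    # Demo against the embedded sample; swap SAMPLE_DUMP.splitlines() for an
    # open file object when running against a real download.
    for pw in ("123456", "qwerty", "password", "Tr0ub4dor&3-not-in-sample"):
        n = times_seen(pw, SAMPLE_DUMP.splitlines())
        verdict = f"seen {n} time(s) in breaches" if n else "not in this dump"
        print(f"{pw!r}: {verdict}")
```

Run it against the real download by passing an open file object to times_seen (or a path to check_candidates) instead of the embedded sample. On a Unix shell the same check is a one-liner, printf '%s' 'candidate' | sha1sum followed by a grep -i of the resulting hash over the dump, but the script has one advantage worth pointing out to the team: it shows exactly what happens to the password (hash locally, compare locally), which is the property you lose the moment you paste a real password into a web form.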
About CHIPS Computer Services
CHIPS Computer Services is an award-winning Managed Services Provider specializing in helping businesses increase efficiency and profits by leveraging properly managed technology. To learn how CHIPS can help your business, email us at firstname.lastname@example.org to schedule a no-cost business technology assessment.