CyberSecurity 101: Password Protection

The password management company, SplashData, annually reports on the 25 most commonly used bad passwords. It should be no surprise that the old favorite “123456” maintained the top spot as the worst password. Once again, “password” came in second. This year’s big mover was “12345”, which rocketed up 17 places to displace “12345678” as the 3rd worst password. Along with “12345678”, “qwerty” rounded out the top 5 most common weak passwords.

The good news is that the top 25 worst passwords only accounted for 2.2% of the 3.3 million passwords reviewed. The bad news is that we all have to remember more passwords with each passing year. So the real threat for most people is the reuse of passwords. A 2012 password study showed that the average person has to remember 8 passwords at work and 17 passwords at home, but only uses 5 of those passwords on a regular basis. Remembering all those passwords is a pain, and having to reset them is an even bigger pain, so it is human nature to minimize the headaches and recycle the same easy-to-remember password over and over.

Recycling of passwords is like the iceberg of cybersecurity due to the “Zombie account” passwords that all online shoppers set up. The actual number of sites on which most people use the same old password far exceeds the number they use regularly (who has checked their MySpace account recently?). It’s hard to fully appreciate the threat lurking below the surface from all the mom & pop websites that have had their data compromised and don’t even know that customer names, addresses and passwords have been stolen.

In 2014, $71 billion was spent on combating hackers, phishing and malware but the most prevalent reason for successful data security breaches is weak or recycled passwords. For the advisor, data breaches are one of those potential nightmares that are too terrible to contemplate. It is therefore imperative to make sure that your office has a password protection policy and implemented password protocols to safeguard client information.

Any password protection policy should –

  • Enforce periodic renewal
  • Minimize password reuse
  • Require passwords be at least a certain number of characters
  • Require a combination of numbers, characters, and cases
  • Prohibit certain words that are easily associated with the user (name, company name etc.)
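
As an added illustration (not part of the original article), the five rules above can be expressed as a check run whenever a password is set. The minimum length, the 90-day renewal period, the hashing parameters and all function names are assumptions chosen for the example; "combination of numbers, characters, and cases" is read here as at least one digit, one lowercase and one uppercase letter, and reuse is checked against the user's own earlier passwords, the only reuse an office system can see.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Constructed values: the article names the rules but sets no numbers.
MIN_LENGTH = 12
MAX_AGE = timedelta(days=90)
PBKDF2_ROUNDS = 100_000
# The five worst passwords the article lists.
COMMON = {"123456", "password", "12345", "12345678", "qwerty"}


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash so the history never holds old passwords in clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def policy_violations(password, user_words, history):
    """Return the rules a candidate password breaks (empty list = accepted).

    user_words: names tied to the user (own name, company name, ...).
    history: (salt, digest) pairs for the user's previous passwords.
    """
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    classes = (str.isdigit, str.islower, str.isupper)
    if not all(any(check(c) for c in password) for check in classes):
        problems.append("needs a digit, a lowercase and an uppercase letter")
    if lowered in COMMON:
        problems.append("common password")
    if any(w.lower() in lowered for w in user_words if len(w) >= 3):
        problems.append("contains a word associated with the user")
    if any(hmac.compare_digest(hash_password(password, salt), digest)
           for salt, digest in history):
        problems.append("reused")
    return problems


def renewal_due(last_changed: date, today: date) -> bool:
    """Periodic renewal: True once the password is older than MAX_AGE."""
    return today - last_changed > MAX_AGE
```
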

Chances are you are using two-factor authentication in some situations (you have to enter a unique string of numbers generated each time) or even biometrics (using your thumbprint to unlock your iPhone). These systems may be safer, but they are more difficult to set up and to share in those situations when you really need someone to access a site for you. A real successor to the password that is easy but safe has yet to arrive. Until it does, the best an advisor can do is implement and enforce a password protection policy.