Passwords & Email Accounts: a Gateway for Hackers

October 25, 2017

“If you spend more on coffee than on IT security, you will be hacked. What’s more, you deserve to be hacked.”

– Richard Clarke

While the former National Coordinator for Security for the United States makes a valid point about the importance of a strong security posture, money won’t keep you safe if your password game is weak.

That being said, if you use the same password for multiple accounts, or use your pet’s name or birthday to log into your email, then it won’t be long until you experience the full wrath of a data breach.

Take 2016 for example – a massive year for data breaches. After analyzing over 10M passwords available on the public web, Keeper Security found that:

  • nearly 17% of users are safeguarding their accounts with “123456”;
  • after years of data breaches due to weak passwords, website operators are still not enforcing password best practices;
  • website operators must take more responsibility for password security.

Keeper’s report also reveals that the top 25 most popular passwords constitute over 50% of the 10M passwords that were analyzed. Some of the most common passwords employed by users to secure their accounts in 2016 were: 123456, 123456789, 987654321, 111111, and qwerty.

Some users, according to the report, tried to get creative and employed what they believed to be unpredictable patterns such as “1q2w3e4r” and “123qwe”. However, given the widespread use of such combinations, these “unpredictable” patterns are actually quite easy to predict, making them vulnerable to cyber breaches.
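The patterns the article calls out (“123456”, “qwerty”, “1q2w3e4r”, “111111”) are exactly what a site operator can reject at registration time. The following screening function is an added example, not code from the article or from Keeper Security; its denylist is constructed from the passwords quoted above (a real deployment would load a far larger breached-password list), and the function and constant names are assumptions for illustration.

```python
"""Registration-time password screening (added example, not from the article).

Rejects passwords that appear on a denylist of common passwords, that walk
along a keyboard row (qwerty, asdfgh, 1q2w3e4r), or that repeat one
character (111111). The denylist is constructed from the passwords the
article quotes; a real deployment would load a much larger breached list.
"""
import re
import string
from typing import List

# Constructed denylist: the common passwords named in the article.
COMMON_PASSWORDS = {
    "123456", "123456789", "987654321", "111111", "qwerty",
    "1q2w3e4r", "123qwe",
}

# Keyboard rows used to detect walks such as qwerty or asdfgh.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

# Interleaved walk across the top two rows, e.g. 1q2w3e4r.
ZIGZAG = "".join(a + b for a, b in zip("1234567890", "qwertyuiop"))

MIN_LENGTH = 8


def _walks(candidate: str, run: int = 4) -> bool:
    """True if candidate contains `run` adjacent keys from any row, forwards or backwards."""
    for seq in KEYBOARD_ROWS + [ZIGZAG]:
        for s in (seq, seq[::-1]):
            for i in range(len(s) - run + 1):
                if s[i:i + run] in candidate:
                    return True
    return False


def _repeated(candidate: str, run: int = 4) -> bool:
    """True if one character occurs `run` or more times in a row (e.g. 111111)."""
    return re.search(r"(.)\1{%d,}" % (run - 1), candidate) is not None


def check_password(candidate: str) -> List[str]:
    """Return the reasons a password should be rejected; an empty list means acceptable."""
    reasons = []
    normalized = candidate.lower()
    # Strip the digits and punctuation users tack onto a reused base word (qwerty123).
    core = normalized.strip(string.digits + string.punctuation)
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if normalized in COMMON_PASSWORDS or (core and core in COMMON_PASSWORDS):
        reasons.append("appears in the common-password denylist")
    if _walks(normalized):
        reasons.append("contains a keyboard walk")
    if _repeated(normalized):
        reasons.append("contains a repeated character run")
    return reasons


if __name__ == "__main__":
    for pw in ["123456", "qwerty123", "1q2w3e4r", "correct horse battery staple"]:
        print(repr(pw), "->", check_password(pw) or "ok")
```

Returning the list of reasons rather than a bare boolean lets the registration form tell the user what to change, and the normalization step catches the “qwerty123” variants that a plain exact-match denylist misses.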

The solution? Stop reusing your passwords and start using a password manager.

“I can tell you for a fact that without a password manager nearly everyone I know re-uses passwords. Otherwise you have dozens if not hundreds of passwords you need to try and remember. Obviously that won’t work,” says Rafal Los, Managing Director, Solutions R&D within the Office of the CISO for Optiv.

What’s more, F-Secure also conducted a study of CEO emails to see “which breached services top executives are linking with their company email address”, and their study found that:

  • nearly one in three (30%) of CEOs have used their company email address to register for a service that was later breached, exposing their password and other details;
  • the most common breached services for CEOs to link their company email with are LinkedIn and Dropbox;
  • 81% of CEOs have had their email address and other personal information exposed online in the form of spam lists or leaked marketing databases;
  • just 18% of CEOs have no leaks associated with their email address.

The study also ranked the professional networking site LinkedIn, followed by Dropbox, Adobe and Myspace, as the top breached services to which CEOs linked their company email address. This begs the question: should CEOs stop connecting their company email address to sites such as LinkedIn and Dropbox?

“When using a private email, a personal phone number or a home address to register for a service that the CEO uses to conduct official business, the CEO effectively denies the company’s IT, communications, IPR, legal, and security teams a chance to protect the credentials, monitor their misuse or attempts to compromise them and makes it nearly impossible to recover them later,” comments F-Secure CISO, Erka Koivunen. “To an attacker, a CEO who uses private email to register for a service they use in an official capacity, spells a loner – someone who goes it alone and doesn’t bother to rely on his/her staff to provide protection.”

Furthermore, according to Keeper’s security report, out of ten countries, the CEOs most likely to link their email to these services are in Denmark, at 62%, followed by the Netherlands at 43%. Not surprisingly, those least likely are in Japan, at only 9%. The USA currently ranks at 38%, and the UK at 14%.

And it’s not just about passwords – along with email addresses, CEOs are at risk of having other details such as physical addresses, phone numbers and birthdates exposed in the form of spam lists and leaked marketing databases.

“81% have had their information leaked in this manner, with CEOs in the UK, USA, Netherlands and France topping the list. Italy and Japan had the lowest numbers of CEOs appearing on these lists.”

The reality is that you can never be too careful when it comes to protecting sensitive information. All these findings strongly point to the importance of using a unique, strong password for each online account. Reusing your passwords to log into multiple accounts and devices puts you and your company at risk of cyber breaches, which could lead to severe reputational and financial damages.