Weak passwords only part of the cyber-security problem

Two months into 2013, one cyber-security expert deemed it “the year of the hack.” Nine months later, North American retailer Target was hit with a massive data breach. Then, in 2014, more than 1 billion records were compromised, notably at Home Depot and Sony, and that year also was labelled the “year of the hack.”

But even on the heels of those high-profile breaches, the two most common computer passwords in 2015 were “123456” and “password,” according to SplashData, a supplier of security applications.

Bad passwords – and weak password policies – are by no means the only worry organisations have when it comes to cyber-security. But the reliance on easy-to-guess passwords shows that more cyber-defence education is needed.

SplashData compiled its list this year from more than two million leaked passwords, mostly in North America and Western Europe. There has been little change since 2011 – in fact, the only change at the top was when “123456” unseated “password” for the No. 1 spot in 2013. (Then and now, “password” remains alive and well at No. 2.)

Tommie Singleton, CPA/CITP, CFF, recommends several steps organisations can take to improve cyber-security efforts related to passwords. But Singleton, director of consulting services at US accounting firm Carr, Riggs & Ingram, cautions that relying on strong password policies alone is not nearly enough.

Hackers are finding other ways to break into systems, sometimes getting unsuspecting users to click on a link or attachment that installs a keylogger, a type of malware that enables the hacker to record and monitor the user’s keystrokes. No matter the password – from “111111,” 14th on the SplashData list, to “Hello!How@reYou” – the hackers know the password and are able to access data and systems. Singleton’s three recommendations:

  • Have a robust password policy
  • Train employees about data security
  • Undergo a thorough risk assessment

Four-pronged approach

A strong password policy has four facets, according to Singleton. First is the strength of the password itself: longer words and phrases with a diversity of keyboard characters (lowercase and capital letters, symbols, and numbers) are better. Second is the number of times a password must be changed. Creating a new password every 60 days is better than allowing a password that can remain unchanged for six months.

The third characteristic of a strong password policy is a timeout function, which automatically logs a user out of a system when there is no activity for a set amount of time. And fourth is a policy that includes lockouts – meaning that when a user types an incorrect password, say, three times in a row, the user must wait for an hour to try again or contact the IT department to regain access.

Education is key

Singleton said that small businesses in particular might take a less stringent approach to cyber-security because they think their size makes them less likely to be a target of hackers. Big companies might have more assets to grab, but they also have more money to devote to cyber-security. The chances of getting into a smaller entity’s system, and getting out before being detected, are greater.

That’s why educating employees, no matter the organisation’s size, is important. Basic but important advice for employees: Don’t click on suspicious-looking attachments or links in email, and report suspicious email to your IT contact.

Going beyond passwords as protectors

The continued lack of imagination in passwords doesn’t surprise Singleton. Perhaps a company’s leaders don’t understand cyber-security issues, or perhaps the leaders themselves don’t want to remember a complicated password. And even if organisations enhance password security, they have more work to do in keeping hackers out.

“Passwords are becoming passé as the line of defence,” he said. “If the risk is the password, and we’re focused solely on that being the best defence, then the answer is a stronger password. But today, that’s not a full enough response to adequately protect yourself.”

Related CGMA Magazine content:

6 Ways to Become More Resilient to Cyber-Security Threats”: Despite efforts to do a better job handling cyber-threats, financial institutions worldwide are still outdone by nimble cyber-criminals. Here are tips for how financial institutions can become more resilient.

Cyber Concerns Show No Signs of Cooling Off, Former US Homeland Security Chief Says”: With growing connectedness of devices and infrastructure, cyber-security concerns are also going to grow, Tom Ridge, the former secretary of the US Department of Homeland Security, said at the AICPA CFO Conference.

Neil Amato ( is a CGMA Magazine senior editor.