World Password Day: Why accounts are still being hacked

Why is it so difficult for users in everyday corporate life to adhere to the generally known basics of good password hygiene? Tom Haak, CEO of Lywand, a provider of automated security audits for MSSPs and their SME customers, addresses this question on the occasion of World Password Day on May 1.

Lywand Software offers an automated security audit platform for managed security service providers (MSSPs). Last year alone, the company identified more than three million vulnerabilities for customers. This includes the detection of leaked company credentials. In many cases, it turned out that the passwords were used multiple times for different applications – creating a significantly larger gateway for cyber attackers in corporate environments.

Password hygiene on World Password Day

World Password Day, which takes place annually on the first Thursday in May, is a good opportunity to take a look at the details and investigate what is going wrong.

Security and user experience must be reconciled

What can serve as criminals' ticket into corporate environments is seen by its owners as a necessary evil of everyday office life: given the large number of applications users log into, passwords are perceived as inconvenient because they come with a number of hurdles. Security requirements demand a certain length, a mix of upper and lower case letters, and the use of numbers and special characters.

The required character combinations are so abstract that they are by no means as easy to remember as, for example, the name of your own pet. Anyone who forgets the required password has to go through the reset process and assign a new one, which is often perceived as cumbersome. All in all, the user experience around passwords is not ideal.

Avoidance strategies of users

It is therefore hardly surprising that users adopt strategies to avoid the inconvenience: for example, by using the same password again and again in every new application, or, if the input requirements allow it, by choosing a password that is weak but easy to remember. Whether weak or strong, users are generally extremely reluctant to change their passwords.

Lywand has found that this is particularly true for web services: users have their browser save their password so that they can log in with just one click in future. This is often the generic default password for the first login. From this point onwards, the access data usually remains unchanged for years.

The user experience must be taken into account

The curious thing is that the recommendations and measures for good password hygiene – strong passwords for every application, secure storage, changing them at regular intervals, activating multi-factor authentication, using password management tools – are familiar to all companies and users. And yet, in reality, everyone is prepared to make compromises in favor of convenience, which ultimately comes at the expense of security.

To counteract this trend and avoid the risk of password procedures being circumvented rather than followed, it can help companies to think about the user experience and incorporate feedback from their employees.

  • Which employees need access to which applications and how often?
  • When do they have suitable time slots in their daily routines to take the time to reassign passwords for constantly used applications?

Practicable rules can be drawn up on this basis. You can also encourage your employees to get creative. For example, pleasant personal memories, formulated as a sentence, shortened to the individual initial letters and enriched with numbers and special characters, make strong passwords – which are also easier to remember because of the personal reference.

Once companies have gained an overview of their employees' workflows, they can consider the extent to which they can support them with suitable tools, such as password generators or password managers. For small companies, it can also be useful to record the measures for password hygiene in a company agreement. This allows a process to be established that harmonizes user experience and security standards.

This entry was posted in Security.