We all know our passwords probably aren’t as safe as they should be, but would it take a hacker nine months to guess yours, or 25 seconds?
How important are strict password policies?
Users today are inundated with passwords they must remember. Think about it. Website logins, email accounts, social media accounts, banking accounts, smartphone passcodes, ATM pin numbers, and home security system alarm codes all require some type of password.
Creating a strong password policy is key to helping users safeguard these critical systems they rely on every day. While additional complexity can seem like an inconvenience to many users, it shouldn’t prevent a strong password policy from being implemented in our office, and the policy must be applied to all, especially Managed Service Teams.
If you or your users fall into this statistic and one of your passwords is compromised, you put yourself at risk of losing confidential information from other sites as well.
Hackers use various approaches to crack passwords, including intelligent guessing, dictionary attacks, and brute-force automated attacks. Given enough time, an automated method can crack any password.
We’ve seen an escalation of security breaches. Even major brands have had systems compromised, exposing user passwords. While administrators quickly respond and notify users by forcing password changes, their efforts are limited to their own site.
Changing a password with one site is not always enough. Chances are that compromised passwords are used elsewhere, leaving users vulnerable to hackers.
This chart, created by Reddit users who have systems with data sourced from HowSecureIsMyPassword.net, shows how long it would take a hacker to “brute force” their way into your account, depending on how long your password is and what kinds of characters it includes. A brute-force attack runs a program that systematically attempts every possible combination of the letters, numbers, and symbols involved in the password until it hits the right one.
For certain passwords, breaking into your account would be pretty much instantaneous. But the longer your password is, and the wider the variety of characters you use, the longer it’ll take, to the point that you really don’t need to worry about the security of your accounts.
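To make the relationship between length, character variety and cracking time concrete, here is an added example (not part of the original article) that estimates worst-case exhaustive-search time for a password. The guess rate and the short common-password list are assumptions constructed for illustration, not figures from the chart.

```python
import string

# Assumed attacker speed in guesses per second; not a figure from the article.
GUESSES_PER_SECOND = 10_000_000_000

# Constructed sample of commonly used passwords, standing in for a real wordlist.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "password123"}

CHARSETS = [
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, 32),
]


def alphabet_size(password):
    """Size of the smallest character pool covering the classes used."""
    size = sum(n for chars, n in CHARSETS if any(c in chars for c in password))
    # Characters outside the four classes (spaces, non-ASCII) count individually.
    extras = {c for c in password if not any(c in chars for chars, _ in CHARSETS)}
    return size + len(extras)


def brute_force_seconds(password, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every string of this length over the pool."""
    if not password:
        return 0.0
    if password.lower() in COMMON_PASSWORDS:
        return 0.0  # a dictionary attack finds it before brute force starts
    return alphabet_size(password) ** len(password) / rate


def humanize(seconds):
    """Render a duration in the largest sensible unit."""
    for unit, length in (("years", 31_557_600), ("days", 86_400),
                         ("hours", 3_600), ("minutes", 60)):
        if seconds >= length:
            return f"{seconds / length:,.1f} {unit}"
    return f"{seconds:.2f} seconds"


if __name__ == "__main__":
    for pw in ("password123", "sunshine", "Sunshine", "Sunshin3!", "Tr4il-mix&Rain2day"):
        print(f"{pw!r:22} pool={alphabet_size(pw):3} time={humanize(brute_force_seconds(pw))}")
```

The dictionary check shows why length alone is not enough: an 11-character password that appears in a wordlist falls immediately, regardless of its theoretical keyspace.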
Huawei Recommended Cyber Security Action
In this critical time, business leaders in Huawei have a heightened responsibility to set clear expectations about how the company manages security risk in the new work environments, leveraging new policies and technologies, and empowering their Teams.
It’s important that messages on security come from Top Management, and that good examples are set from the start. Here are some recommendations for the top management and leaders based on Huawei’s experience.
1. Understand the threats to your Account.
Huawei Business Group Heads should work with their assigned security interfaces to identify likely attack vectors as a result of more employees working from home and prioritize the protection of their most sensitive information and business-critical applications.
Provide clear guidance and encourage communication. They must ensure that home-working policies are clear and include easy-to-follow steps that empower employees to make their home-working environment secure. This should include instructing employees to communicate with their direct managers about any suspicious activities.
2. Provide the Right Security Capabilities.
Ensure all Huawei-owned or managed devices are equipped with essential security capabilities, extending the same network security best practices that exist within Huawei to all remote environments. These critical capabilities include:
- Using only Huawei internal tools and other tools recommended by IT
- Make sure to use strong passwords for work laptops and system accounts.
- Keep company assets such as laptops in safe places, especially if working outside the office.
- An ability to block exploits, malware, and command-and-control (C2) traffic using real-time, automated threat intelligence
- An ability to filter malicious domain URLs and perform DNS sinkholing to thwart common phishing attacks
How Individuals (Staff) can respond
Individual users must be empowered to follow the guidance provided to them by Security Interfaces and Top Management and take preventative measures.
1. Maintain good password hygiene.
Employees should use complex passwords and multifactor authentication where possible and change these passwords frequently.
2. Secure your WiFi access point.
People should change their default settings and passwords in order to reduce the potential impact on their work of an attack via other connected devices.
3. Be wary of COVID-19 scams.
We’ve seen phishing e-mails, malicious domains, and fake apps out in the wild already. Threat actors love to exploit real-world tragedies, and COVID-19 is no different.
4. Update systems and software.
Individuals should install updates and patches in a timely manner, and only from Huawei’s official website.
5. Don’t mix personal and work.
Employees should use their work devices to do work and their personal devices for personal matters. If you wouldn’t install or use a service while you’re at the office, don’t do it while at home on your work device.
The report is from Huawei Uganda CSPO Mr. Kevin.