In the last few years, companies like Yahoo, Target, and more recently Equifax have become victims of large data breaches affecting millions of people. No matter what type of organization you are—corporation or nonprofit—protecting your users is paramount.
A secure, protected website not only decreases the likelihood of sensitive information getting into the wrong hands but also establishes trust with your patrons or donors. They’ll feel more comfortable using your website and storing their information on your site.
Organizations can use several ways to keep their information secure, but among the most popular method is through passwords. Passwords protect more than just the users’ access to their individual accounts; they’re also used internally to restrict access to sensitive information.
However, many experts have revealed that passwords aren’t the most secure tools to protect your website.
- Frequently changing passwords can lead to weaker website protection.
- The average website password is too similar.
- Generating a random password is difficult.
- Password managers can provide a false sense of security.
- Cybercriminals know all the password protection rules.
- Password protection for websites is placed on the user.
We’ll dive deeper into each of these six concerns as well as provide solutions that can help strengthen your website’s security. Let’s get started!
1. Frequently Changing Passwords Can Lead to Weaker Website Protection
One of the primary password security rules that organizations follow is requiring employees to change their passwords on a regular basis. How frequently employees should change their passwords is up for debate, but, generally, it’s required every couple of months.
The logic behind changing your password regularly is to make it more difficult for cybercriminals to access your employees’ accounts. If a hacker uses software to run through every possible password option (which could take months), the process becomes ineffective if the password is constantly changing.
Moreover, if a hacker does gain access to an employee’s account, it would only be temporary as the password would change.
The reality is that making frequent password changes can actually weaken your website’s protection.
Think about it this way: coming up with a strong password is difficult not to mention hard to remember. Asking employees to create a new, secure password every month can lead to the opposite effect.
In order to save time and create a password that’s convenient to remember, employees will opt for something simple.
Accounts with simple password protection are easier to crack, therefore negating the benefits of regularly changing your password.
Alternatively, your organization should require employees to create one strong password that they can keep for the entire year. If you want to learn more ways to improve your login process, check out Swoop’s list of modern ways to update the password and username login process.
The bottom line: Frequently changing passwords can lead to weaker accounts which will take hackers less time to crack.
2. The Average Website Password Is Too Similar
Nowadays, people have to juggle multiple passwords at their job and in their personal lives. With so many accounts to juggle, it’s a challenge to remember every password.
As such, many people have defaulted to using similar passwords for all their accounts and you can bet your employees are doing the same. In fact, 54% of people use no more than 5 passwords across all their online accounts.
What’s more is that many people aren’t using strong passwords either. In a recent study, the five most used passwords were:
When your website is protected not only by very similar passwords but also weak ones, your information has a higher risk of getting into the wrong hands.
If users create similar passwords for your organization’s accounts and databases, it will make it easier for hackers to access even more information, in a process known as the domino effect. By cracking one password, they’ll have access to multiple accounts, putting more of your information at risk.
Of course, you can enforce password security best practices to ensure that your employees create stronger passwords but many of the tools used to test the strength of a password aren’t effective.
For instance, running “Angela123456!” through some of the most reputable password checkers rates this as a strong password. It uses a combination of lowercase and uppercase words, numbers, and symbols. Plus, the password is 12 characters long.
[add chart with password checkers]
However, this password is still weak for many reasons. The password:
- Starts with a name. Names and other dictionary terms are easy to crack using software. Also, users should never create a password with their personal information as this data can easily be found online and will be the first thing cybercriminals check.
- Uses an easy-to-guess series of numbers. The name is followed by the numbers 1-6 in sequential order, another factor that makes this password easy to guess as “123456” is the most common password used in online accounts.
- Ends with a common symbol. Starting with a word, capitalizing the first letter, and ending the password with a symbol is a common formula that cybercriminals will look for when hacking accounts.
As you can see, password checkers can be unreliable when it comes to creating a secure password, so it might not be the most effective way to enforce employees to create unique, strong passwords.
The bottom line: Since employees have to juggle multiple accounts, they often use similar passwords to make them easier to remember. However, this makes it easier for hackers to access your information.
3. Generating a Random Password Is Difficult
Now that we’ve revealed some of the most common weaknesses of password creation, you’re probably wondering what your organization can do to create stronger passwords.
An ideal password should avoid any dictionary words and patterns. The most secure passwords are generated by random with no personal connection to the user (names, birthday’s, etc.).
These passwords are the hardest to crack because they make no logical sense, aside from guessing every character combination, which could take multiple years with a computer program, there is no easy way to guess your credentials.
So why don’t more users create random passwords?
As we’ve mentioned earlier, complex passwords are difficult to remember which can make logging into an account time-consuming.
Users will either have their password written down or stored in a different location (another unsafe habit), constantly reset their password if they can’t remember it, or settle for a less secure password that’s easier to remember.
The second challenge is that our brains focus on patterns, making it nearly impossible for users to create random combinations.
When asked to create a password most people press a string of keys on their keyboard like “qweasdzxc” that’s still easy to guess because it follows a simple pattern: using the first three letters of each row on the keyboard.
Ultimately, no matter how many password security best practices you implement, users will gravitate toward patterns.
Instead of trying to enforce password security best practices on your employees, organizations need to focus on other ways they can protect their websites and user data.
The bottom line: Humans have a hard time creating random passwords, so instead of trying to create the most secure password possible, organizations need to put other security measures in place to keep hackers at bay.
4. Password Managers Can Provide a False Sense of Security
Password managers are often the solution organizations use to resolve some of the many challenges associated with passwords.
If you’re not familiar with the term, password managers are programs that help you manage all of your accounts under one master password. LastPass, Keeper, and Dashlane are all tools that will store your account information and come with features like:
- Automatic login
- Password generator
- Tips and strategies to create strong passwords
The idea is that these features will encourage users to create more complex passwords using the features provided. The information will automatically be generated in the proper fields when a person lands on the page.
While these features can be beneficial, having all of your employees’ information under one account is risky. If a cybercriminal gains access to an employee’s master password, the hacker can do much more damage than if he had access to only one account.
Additionally, users are likely to follow the same poor password creation habits when they make their login for the password management program. As a result, your employees would have more protection if they kept all their accounts separate.
5. Cybercriminals Know All the Password Protection Rules
With evolving software, cybercriminals are able to use computer programs that can make billions of guesses per second. These tools make it easy for hackers to crack a password in a matter of days or months depending on its complexity.
Generally, hackers use these tools to crack a keyword or code to gain access to encrypted information, and there are two primary ways this is achieved:
- Brute-force attack. The hacker uses a computer that will systematically check all password combinations until the program reaches a match.
- Dictionary attack. This tool works similarly to the brute-force attack, but only checks words in the dictionary. It will only try combinations that are most likely to succeed, which can make the method faster at cracking the code.
Moreover, these programs are aware of all the common formulas and best practices for passwords. Any password that uses popular rules will take less time for these tools to guess.
Once hackers get access to your user database no level of password protection on your website will keep your or your users’ information safe.
The bottom line: Technology allows hackers to make more guesses per second so that weak and complex passwords take a less time to crack.
6. Password Protection for Websites Is Placed on the User
As you read through the first five reasons, you might have realized a recurring theme: your website’s security rests on your employees’ shoulders and the passwords they create. The same can be said for your users’ accounts.
When faced with the pressure of creating a password many users choose convenience over security because they want a password that’s easy to remember. That way, they don’t have to waste time creating a new password if they can’t log into their account.
Instead of putting all the pressure on your employees to create secure passwords, organizations need to look into systems that protect their information. If organizations spent more time locking down their websites and protecting the passwords they do have, there would be fewer data breaches.
There are several ways organizations can ensure the safety of the users’ information. These are the 2 most innovative options:
- Email Authentication. Users will simply click a button that directs them to a pre-written email. Once they hit send, users will be able to access their accounts. This secure method uses a unique key that links your email with your account.
- Biometrics. With face, eye, and fingerprint scanning, you’ll be able to enter your account once you’ve been verified. Since biometrics is unique to each individual, this login method is difficult to replicate.
Even free login and security plugins can make a huge difference for your users. For instance, you can see how email authentication verifies the user’s identity and keeps the individual’s information protected.
Each of these methods has their advantages and disadvantages, which you can learn more about in this helpful article.
Overall, these methods don’t put the responsibility on your employees’ hands. Moreover, if users are creating weak passwords, the additional verification makes it more difficult for cybercriminals to access your information.
The bottom line: One of the biggest flaws with passwords is that all the hard work of creating a secure string of characters is the user’s responsibility. Instead of focusing on making stronger passwords, organizations should concentrate on other ways to secure their information.
While strong passwords may not be the solution, your organization should be aware of their weaknesses and always be on the lookout for ways to enhance your security.
For more tips on how to keep your website and user information secure, check out these additional resources:
- Password Security Guide: Keeping information secure is an important aspect of every organization. Learn all the do’s and don’ts of password security as well as some alternative ways you can keep your data protected.
- Passwordless Authentication Benefits: Interested in learning alternative ways to keep your data secure? This article dives deeper into the benefits of passwordless login systems.
- Questions About Passwordless Login Systems: Learn more about the common questions businesses and organizations have about passwordless login systems.