Passwords Still Pose Big Security Risks

Register now

Some of you might be thinking, “Why is the PCI Security Standards Council so focused on the basics, like password security, with all these ‘advanced attacks’ going on right now?”

The truth is, many security breaches occur from the most obvious and simple measures being overlooked, or users simply being unaware of the potential dangers.

Let me ask you this: What is your computer password?

Would you be hesitant to share this with me? What if I sweetened the offer with a bar of chocolate in exchange for your password or a Starbucks gift card?

Whenever I think of the “password issue” I am reminded of an old survey conducted years ago, and repeated a number of times over the years. In this study, they offered office workers in central London a chocolate bar for their computer password. In one year’s results, 45% were willing to provide their password to a stranger in exchange for a chocolate bar. But that was years ago, and with all the computer security headlines over the past few years, things have changed, right?

Now maybe folks in financial services or IT security communities might be reticent to share this information. However, this it isn’t the case in the world at large, and especially among small businesses, even though there are security breach headlines almost daily.

Easily guessed passwords or weak passwords on payment systems is one of the leading methods criminals use to steal valuable credit and debit card information from small businesses today. Many “advanced data stealing attacks” happen simply from poor password practices.

According to an annual security report issued by Trustwave, “Password1 is still the most common password used by global businesses. Of three million user passwords analyzed, 50% of users are using the bare minimum.”

We can do better than the bare minimum. Most criminals will go for the lowest-hanging fruit. A few simple changes, including implementing strong, complex passwords can make businesses less vulnerable to compromise. As we shared in a recent password infographic, users that take the time to create strong, complex passwords minimize the time it takes for a successful brute force attack from 0.077 seconds (in a non-dictionary password, “bigmac”) to 344,000 years (in the example, “B1gMac&fries).

Yet, many users aren’t even aware that there’s a password on their payment systems, let alone where to find it or how to change it.  

Many of the greatest protective measures you can take to secure confidential information are also the most simple. While attacks have incrementally gained in sophistication, they often aren’t immune to being detected and stopped before the damage has been done. In light of this, we are not trying to reinvent the wheel; we are simply focused on finding the simplest remedy to help small businesses reduce their chances of being breached and protect their customers.  

Bob Russo is general manager of the PCI Security Standards Council.


For reprint and licensing requests for this article, click here.
Data security Analytics