31 October 2023
Cyber security is not merely an IT concern; it is a fundamental business practice that every business, whatever its size, should take seriously. At the core of a comprehensive cyber security programme is an effective, well-enforced password policy. Many businesses do not appreciate why such a policy matters. Below we cover why it is important to all businesses, explain the overlooked but critical role of dark web password monitoring, and set out the non-negotiable importance of Two-Factor Authentication (2FA) and Multi-Factor Authentication (MFA).
Password Complexity
It may seem obvious, yet password complexity is still widely overlooked. The length and complexity of a password are the first line of defence against brute-force attacks, in which an attacker's software tries every possible combination. A password of 7 characters made up of upper-case and lower-case letters and numbers can be exhausted in under a minute, whereas a password of 10 characters that also includes special characters can take up to 5 years, and the figures grow rapidly with every extra character. The table below gives the estimated worst-case time to brute-force a password by length and character set.
Characters | Numbers only | Lowercase letters | Upper & lowercase letters | Numbers, upper & lowercase letters | Numbers, upper & lowercase letters & symbols
4  | Instant | Instant  | Instant    | Instant   | Instant
5  | Instant | Instant  | Instant    | Instant   | Instant
6  | Instant | Instant  | Instant    | Instant   | 4 Sec
7  | Instant | Instant  | 22 Sec     | 42 Sec    | 6 Min
8  | Instant | 3 Sec    | 19 Min     | 48 Min    | 7 Hrs
9  | Instant | 1 Min    | 11 Hrs     | 2 Days    | 2 Wks
10 | Instant | 1 Hr     | 4 Wks      | 6 Mths    | 5 Yrs
11 | Instant | 23 Hrs   | 4 Yrs      | 38 Yrs    | 356 Yrs
12 | 25 Sec  | 3 Wks    | 289 Yrs    | 2K Yrs    | 30K Yrs
13 | 3 Min   | 11 Mths  | 16K Yrs    | 91K Yrs   | 2M Yrs
14 | 36 Min  | 49 Yrs   | 827K Yrs   | 9M Yrs    | 187M Yrs
15 | 5 Hrs   | 890 Yrs  | 47M Yrs    | 613M Yrs  | 14Bn Yrs
16 | 2 Days  | 23K Yrs  | 540M Yrs   | 268Bn Yrs | 1Tn Yrs
17 | 3 Wks   | 812K Yrs | 2Bn Yrs    | 2Tn Yrs   | 95Tn Yrs
18 | 10 Mths | 22M Yrs  | 7.23Bn Yrs | 96Tn Yrs  | 6Qn Yrs
*Numbers will adapt over time as computing power improves.
Two caveats apply to these figures. They assume the attacker already holds a copy of the password hashes and is guessing offline at full speed; how long that takes depends heavily on the hashing algorithm, and an online login form protected by lockout or rate limiting allows only a tiny fraction of that guess rate. They are also worst-case numbers for random passwords: a dictionary attack that tries common words, names and predictable substitutions finds something like Pa$$worD123 in seconds regardless of its length. Businesses should therefore mandate a minimum password length and a mixture of upper-case and lower-case letters, numbers and special characters, and also screen out dictionary words and passwords already known to be breached. A long, complex password mitigates the risk of brute-force attacks, in which attackers use automated software to guess passwords.
Regular Password Changes
Changing passwords periodically is common practice and limits how long a password that has leaked without anyone noticing remains usable, but it should be approached cautiously. Requiring overly frequent changes leads to 'password fatigue', where employees resort to simpler, easily remembered and hence easily cracked passwords, or merely change the numbers of a password from Pa$$worD123 to Pa$$worD456. Rules that reject a new password too similar to the previous one go some way to preventing this, and current guidance (for example NIST SP 800-63B) favours forcing a change when there is evidence of compromise rather than on a fixed schedule. Far more important than rotation, however, is an additional layer of authentication, so that a guessed or stolen password is not enough on its own.
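The two checks discussed above, a worst-case brute-force estimate from length and character classes (the keyspace reasoning behind the table) and a rejection of trivial rotations such as Pa$$worD123 to Pa$$worD456, combined in one policy check. This is an added example, not code from the original article or any product it mentions. GUESS_RATE, the minimum length, the one-year threshold and the leet substitution list are all assumptions chosen for illustration.

```python
"""Added example, not code from the original article: a password-policy
check that (a) estimates worst-case brute-force effort from the length and
character classes of a password, the same keyspace reasoning behind the
crack-time table above, and (b) rejects trivial rotations of a previous
password such as Pa$$worD123 -> Pa$$worD456.

GUESS_RATE is an assumed figure for illustration; real rates depend on the
hash algorithm and the attacker's hardware, so absolute times differ from
the table.
"""
import re
import string
from typing import Iterable, List

GUESS_RATE = 10_000_000_000  # assumed: 1e10 guesses/second against a fast hash

# Character classes matching the columns of the table above.
CLASSES = {
    "digits": set(string.digits),
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "symbols": set(string.punctuation),
}

# "Leet" substitutions that cracking rule sets already undo (assumed list).
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                      "!": "i", "5": "s", "7": "t"})


def present_classes(password: str) -> List[str]:
    """Names of the character classes that appear in the password."""
    return [name for name, chars in CLASSES.items() if any(c in chars for c in password)]


def keyspace(password: str) -> int:
    """Guesses needed to exhaust every string of this length drawn from the
    same character classes: charset_size ** length."""
    if not password:
        return 0
    charset = sum(len(CLASSES[name]) for name in present_classes(password))
    if charset == 0:  # only spaces or non-ASCII characters present
        charset = len(set(password))
    return charset ** len(password)


def worst_case_seconds(password: str, rate: int = GUESS_RATE) -> float:
    """Time to exhaust the keyspace at the assumed guess rate."""
    return keyspace(password) / rate


def humanize(seconds: float) -> str:
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.0f} {name}"
    return "instant"


def stem(password: str) -> str:
    """Reduce a password to the word underneath it: lowercase, drop leading and
    trailing digits/symbols, then undo common leet substitutions."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())
    return core.translate(LEET)


def evaluate(new: str, previous: Iterable[str], min_length: int = 12,
             min_years: float = 1.0) -> List[str]:
    """Return the policy violations for a candidate (empty list means accepted)."""
    problems = []
    if len(new) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if len(present_classes(new)) < 3:
        problems.append("uses fewer than three character classes")
    if worst_case_seconds(new) < min_years * 365 * 86400:
        problems.append(f"brute-forceable in under {min_years:g} year(s) at the assumed rate")
    new_stem = stem(new)
    for old in previous:
        old_stem = stem(old)
        if new_stem == old_stem or (len(old_stem) >= 4 and (old_stem in new_stem or new_stem in old_stem)):
            problems.append("trivial variant of a previous password")
            break
    return problems


if __name__ == "__main__":
    history = ["Pa$$worD123"]  # constructed sample password history
    for candidate in ["Pa$$worD456", "password", "c0rrect-Horse-Battery-Staple"]:
        verdict = evaluate(candidate, history) or ["accepted"]
        print(f"{candidate!r}: worst case {humanize(worst_case_seconds(candidate))}; "
              f"{', '.join(verdict)}")
```

Note what the keyspace figure cannot tell you: Pa$$worD456 scores thousands of years of worst-case effort yet is rejected, because its stem is the same dictionary word as the previous password and a rule-based attack would try it immediately. That is why the stem comparison (and, in production, a breached-password list) sits alongside the length and class rules.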
One Password, One Service
The rule of "One Password, One Service" cannot be emphasised enough, especially in the business world. Reusing a single password across multiple platforms or accounts turns one breach into many: if one service suffers a breach and the details are leaked on the dark web, attackers feed those username and password pairs into automated login attempts against other services (credential stuffing), and every account using the same password is at immediate risk.
No Password Sharing
While it may seem convenient in the short term, for example when employees go on holiday or are out of the office, password sharing among employees poses a grave risk wherever those passwords grant access to confidential or sensitive information, and it destroys accountability because actions can no longer be tied to one person. Businesses must firmly discourage this practice and remove the need for it: provide a secure password management solution such as a password manager with shared vaults, protect business accounts and devices with Multi-Factor Authentication, and grant temporarily elevated or delegated access instead of handing over credentials.
Employee Training and Awareness
Human error is often the weakest link in a business's cyber security. Businesses must regularly educate employees with professional training covering a wide range of cyber security topics, including weak passwords and recognising the phishing and social engineering attacks that aim to steal credentials.
The Significance of Dark Web Password Monitoring
The dark web is an anonymised part of the internet that sits beneath the web most users see, and illegal activity, including the sale of stolen passwords and other data, is rampant there. Businesses should use dark web monitoring services that scan dark web markets, forums and breach dumps for stolen credentials such as usernames, email addresses and passwords associated with your business domains.
Early Intervention
Credentials that appear on the dark web have already been stolen; the aim is to identify them before threat actors use them against your business, so that you can act quickly. Whether that means forcing password changes, quarantining accounts, revoking active sessions, or investigating how the credentials leaked in the first place (malware on an endpoint, a phishing campaign or an insider), early intervention is invaluable.
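One concrete form of the credential screening described in the two sections above is to check a password against a corpus of breached passwords at the moment it is set or rotated. The example below is added here and is not code from the original article or from any monitoring vendor. It follows the k-anonymity range design of the Have I Been Pwned Pwned Passwords API (only the first five hex characters of the SHA-1 hash leave the client; the real endpoint is https://api.pwnedpasswords.com/range/<prefix>), but the server reply is a constructed string so the example runs offline, and the breach counts in it are made up.

```python
"""Added example, not code from the original article or any monitoring
vendor: checking a candidate password against a breached-password corpus
without sending the password (or its full hash) anywhere.

It follows the k-anonymity "range" design of the Have I Been Pwned Pwned
Passwords API: only the first five hex characters of the SHA-1 hash leave
the client, and the server returns every hash suffix in that range with the
number of breaches it appeared in. A real client would GET
https://api.pwnedpasswords.com/range/<prefix>; here the reply is a
CONSTRUCTED string so the example runs offline, and its counts are made up.
"""
import hashlib
from typing import Callable, Dict, Tuple

# Constructed stand-in for the remote service: prefix -> response body.
# The second suffix is the real SHA-1 suffix of the password "password";
# the other two rows and all the counts are invented.
FAKE_RANGE_DB = {
    "5BAA6": (
        "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9659365\n"
        "20DF1AC0E2F8BD9C0A4DAF1E0BD9B7F9F5C:17\n"
    ),
}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 password, as the API expects."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> Tuple[str, str]:
    """(5-char prefix sent to the server, 35-char suffix kept locally)."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict of suffix -> breach count."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.strip().upper()] = int(count.strip())
    return counts


def fake_fetch_range(prefix: str) -> str:
    """Offline substitute for the HTTP call; unknown prefixes return no rows."""
    return FAKE_RANGE_DB.get(prefix.upper(), "")


def breach_count(password: str,
                 fetch_range: Callable[[str], str] = fake_fetch_range) -> int:
    """How many breaches the password appears in (0 = not in the corpus).
    The matching of the suffix happens locally, so the server never learns
    which of the returned rows, if any, was the user's password."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def must_reset(password: str,
               fetch_range: Callable[[str], str] = fake_fetch_range) -> bool:
    """Policy hook: any breached password is refused at set-time and, if it
    is already in use, triggers a forced change."""
    return breach_count(password, fetch_range) > 0


if __name__ == "__main__":
    for candidate in ["password", "c0rrect-Horse-Battery-Staple"]:
        prefix, _ = split_hash(candidate)
        print(f"{candidate!r}: prefix sent={prefix}, "
              f"breaches={breach_count(candidate)}, reset={must_reset(candidate)}")
```

To go live, replace fake_fetch_range with a function that performs the HTTP GET and returns the response body; the rest of the logic is unchanged. Because the lookup is keyed on a 20-bit prefix, each query is indistinguishable from hundreds of other passwords, which is what makes it acceptable to run this check against a third-party service.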
Regulatory Compliance
In an era of stringent data protection laws such as the GDPR, actively monitoring the dark web for compromised credentials demonstrates due diligence and can serve as evidence of compliance to regulators under regimes such as the GDPR or HIPAA.
The Essential Role of 2FA/MFA
We have an entire article dedicated to this topic, which speaks to the importance of 2FA/MFA for businesses, and how the use of these essential business tools can protect your devices and online accounts.
Added Security Layer
Two-factor authentication (2FA) and Multi-Factor Authentication (MFA) add a further verification step to logging in to online accounts or business devices such as desktops, laptops and servers, for example a temporary code generated by, or a prompt sent to, a mobile device. An attacker who has obtained the password still cannot log in without that second factor, which is what makes MFA the natural complement to dark web monitoring: a leaked password on its own no longer opens the account. Not all factors are equal, though. One-time codes and push prompts can be phished or approved by a fatigued user, so where possible prefer phishing-resistant methods such as hardware security keys, and treat approval prompts that the user did not initiate as a sign that the password is already compromised.
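The "temporary code" mentioned above is, in most authenticator apps, a time-based one-time password (TOTP, RFC 6238, built on HOTP, RFC 4226). The block below is an added example and not code from the original article: it generates such codes and shows the server-side check, including the replay guard that stops a phished or shoulder-surfed code being accepted a second time inside its 30-second window. The shared secret and expected codes are the RFC 6238 reference test values; the verifier class and the window size are illustrative choices.

```python
"""Added example, not code from the original article: the time-based
one-time code (TOTP, RFC 6238, built on HOTP, RFC 4226) behind most
authenticator-app prompts, plus a server-side verifier that rejects replay.
The shared secret and expected codes are the RFC 6238 reference values;
the verifier class and window size are illustrative.
"""
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 reference secret for HMAC-SHA1 ("12345678901234567890").
RFC_SECRET = b"12345678901234567890"
STEP_SECONDS = 30


def secret_from_base32(encoded: str) -> bytes:
    """Decode the base32 secret carried in an otpauth:// provisioning URI."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore padding apps often omit
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then reduce modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / 30 s)."""
    return hotp(secret, unix_time // STEP_SECONDS, digits)


class TotpVerifier:
    """Server-side check. Accepts codes from adjacent time steps to tolerate
    clock skew, but never accepts the same or an earlier step twice, which
    blocks replay of a code captured within its 30 s validity window."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window
        self.last_counter = -1  # highest time step already consumed

    def verify(self, code: str, unix_time: int) -> bool:
        now = unix_time // STEP_SECONDS
        for counter in range(max(0, now - self.window), now + self.window + 1):
            if counter <= self.last_counter:
                continue  # already used, or older than a used code
            if hmac.compare_digest(hotp(self.secret, counter, len(code)), code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    now = int(time.time())
    print("current code for the RFC test secret:", totp(RFC_SECRET, now))
    verifier = TotpVerifier(RFC_SECRET)
    code = totp(RFC_SECRET, now)
    print("first use accepted:", verifier.verify(code, now))
    print("replay accepted:", verifier.verify(code, now))
```

The important design point is in the verifier rather than the generator: a code is a proof that the holder knows the secret and the time, not proof of who typed it, so the server must consume each time step once and should bind the check to rate limiting. Tracking last_counter per user also defeats an attacker who intercepts a code and submits it a few seconds after the legitimate user.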
Versatility in Authentication Methods
MFA offers the flexibility to choose various factors for authentication, such as biometrics, smart cards or mobile apps, allowing businesses to customise their security protocols and even combine several of these in one authentication process for enhanced protection.
Financial Repercussions
The cost of a data breach through access to your accounts extends beyond immediate financial loss. Long-term implications include legal and regulatory expenses, customer attrition through a lack of trust, and a decrease in share value, to name a few.
Reputational Damage
Trust is an intangible asset that takes years to build across your customer and client base, yet it can be shattered overnight by a data breach. Breaches have far-reaching implications for your business's reputation, affecting customer loyalty and market positioning against competitors.
Regulatory Implications
Non-compliance with data protection regulations can result in hefty fines, adding to the financial burden post-breach. It can also attract legal actions that could prove damaging in the long run.
Intellectual Property and Competitive Edge
A data breach as the result of poor password policies or account protection risks exposing proprietary information that could give competitors an unfair advantage or could be misused for various nefarious purposes.
How can we help your business?
Nowadays, a comprehensive password and account protection policy is non-negotiable. Such a policy, complemented by dark web password monitoring and fortified by 2FA/MFA, forms the foundation of a robust cyber security strategy. Together they provide a multi-layered defence that safeguards not just your business data but the very essence of a business: its reputation and financial stability. Ignoring these integral components is a high-stakes risk that no business can afford.
Reach out to TwentyFour to find out how we can help your business implement a robust password and cyber security strategy, and take our Cyber Security Health Assessment to check that your business has the right tools and solutions in place to protect against the latest threats.