Poor Password Security: Hackers Already Have Your Passwords

Author: Craig Pollack Date: Aug 07, 2018 Topics: Cybersecurity

What if you were told protecting your online accounts was virtually impossible in today’s cyber crime environment? According to Experian’s Data Breach Industry Forecast 2018, “Weak or stolen credentials continue to top the list of attack vectors, while traditional authentication continually fails to protect against cyberattacks.”

Poor password security is frequently a major cybersecurity weakness for most organizations as well as for individuals. The reason these password security compromises occur, in many cases, is because cyber criminals launch a variety of attacks — hacking businesses of all sizes to gain their users’ data, using malware and phishing scams, using bots to systematically locate and attack weaknesses in businesses’ cyber defenses — to gain access to users’ credentials and other account information. If even just one of these attacks is successful, they essentially hold the keys to your kingdom.

You may ask: “How strong is my password?” If your password contains common mistakes like using all lowercase letters, pet or family members’ names, the word “password” in it, or not using uppercase letters, numbers, or symbols, the answer is “not very.” Strong password security is the antithesis of these things: a strong password should contain a mix of lowercase and uppercase letters, numbers, and symbols and, ideally, should lack any words that are found in the dictionary. And, we cannot emphasize this enough: A secure password is one that is not recycled with any other account!
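The rules above can be turned into a simple policy check. The following is an added example (not code from the original post or from FPA) that reports which of the post’s listed weaknesses a candidate password exhibits; the dictionary, name and reused-password lists are constructed stand-ins for a real wordlist and a real corpus of previously used or breached passwords.

```python
import string

# Constructed sample lists: a real check would load a full dictionary wordlist
# and the organization's history of previously used or breached passwords.
DICTIONARY_WORDS = {"password", "summer", "welcome", "dragon", "monkey", "letmein"}
PERSONAL_NAMES = {"fluffy", "rover", "emily", "michael"}   # pet / family names
REUSED_PASSWORDS = {"Summer2018!"}                         # seen on another account


def password_findings(password: str, known_names=PERSONAL_NAMES) -> list:
    """Return the weaknesses named in the post that `password` exhibits.

    An empty list means the password passes every rule the post lists:
    mixed case, numbers, symbols, no 'password', no dictionary words or
    personal names, and not recycled from another account.
    """
    findings = []
    lowered = password.lower()
    if "password" in lowered:
        findings.append("contains the word 'password'")
    if not any(c.isupper() for c in password):
        findings.append("no uppercase letters")
    if not any(c.islower() for c in password):
        findings.append("no lowercase letters")
    if not any(c.isdigit() for c in password):
        findings.append("no numbers")
    if not any(c in string.punctuation for c in password):
        findings.append("no symbols")
    # Dictionary words and names are matched as substrings of the lowercased
    # password, so padding such as "Dragon42!" is still caught.
    for word in sorted(DICTIONARY_WORDS | set(known_names)):
        if word != "password" and word in lowered:
            findings.append(f"contains dictionary word or name '{word}'")
    if password in REUSED_PASSWORDS:
        findings.append("reused across accounts")
    return findings


def is_strong(password: str) -> bool:
    """True only when none of the post's weaknesses apply."""
    return not password_findings(password)


if __name__ == "__main__":
    for candidate in ("password123", "Summer2018!", "xK9#vQ2!mZ"):
        print(candidate, "->", password_findings(candidate) or "OK")
```

Length is deliberately not scored here; a real deployment would combine these rules with a minimum length and a breached-password lookup.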

The importance of cybersecurity can’t be overstated and contributes to the best cyber crime prevention for your organization. As a managed security service provider (MSSP), we understand the challenges and threats your business faces in this increasingly dangerous digital world. To help keep your business and credentials as safe as possible, here are a few of the things you can do to increase your cyber defenses and respond in the event of an attack.

The Dark Web is a place on the internet that consists of encrypted networks that are not searchable by conventional search engines. Anonymized users can access this area to buy and sell virtually anything — individual and business credentials, personally identifiable information (PII), medical records, account info, hacking services, weapons, drugs, and even people (human trafficking).

Dark Web monitoring services are a great way to figure out whether your credentials are available and being sold or bartered on the Dark Web. For example, when we perform a Dark Web scan, we’ll search that shadowy area on behalf of our clients to determine whether their information is available there, so they can stay informed. This service is part of our managed security services suite. While one of the newest tools in our toolkit, we're finding that this is also one of the greatest ways to stay ahead of the hackers.

What to Do If Your Credentials Have Been Stolen

When your organization’s password security has been breached by a malicious user, it's one of the worst feelings. It also means that you need to move quickly to prevent any further damage. A study from the Federal Trade Commission (FTC) showed that it only took nine minutes for identity thieves to try to use fake customer data that was leaked on a website. It takes longer than that to get a cup of coffee at some big chain coffee shops!  

If you’re like most of our clients, you’ll have a business continuity (BC) plan in place to aid in your response and recovery in the event of this type of situation. However, if you don’t, here are some of the things you’ll immediately need to do:

  • Notify everyone who is part of the recovery process.
  • Lock down your network and quarantine the cybersecurity threat as soon as possible to prevent further damage.
  • Investigate to assess what has been compromised or affected by the password security compromise; gather all available information and records on the assault.
  • Change all user account and password security information.
  • Inform law enforcement (if applicable) and the federal government of the cybersecurity breach if the attack affects sensitive data, national security, foreign relations, public health, etc.
  • Inform your customers as soon as possible — speed is of the essence so they can do what they need to do to protect themselves or their businesses.
  • Follow up with a written or electronic notification, depending on your state’s regulations (in California, the law provides a precise communication template you can follow), to your customers detailing some standard information about the cybersecurity breach — what information was compromised, when it occurred, etc. — and providing contact information for them to follow up for additional information.

Use Two Factor Authentication/Dual Factor Authentication

Don’t leave the safety of your organization and its data to the protection of basic password security alone. Two factor authentication (2FA), also known as dual factor authentication (DFA), is a type of multifactor authentication method that is an incredible cyber protection tool. This two-step verification process is a security protocol that adds an extra layer of security to any basic virtual platform. It requires two out of three components (or “factors”) of identity verification that confirm you are who you say you are — something you know (like a password, catchphrase, favorite ice cream), something you have (such as a verified mobile device, generated code, or security token), or something you are (a biometric identifier, such as a fingerprint, facial scan, or retinal scan).

Without a doubt, adding 2FA to your network login is one of the strongest ways to ensure that no one can access your network without authorization.  

Implement Cyber Awareness Training Across the Board

In addition to 2FA, one of the best cyber defenses is having a solid human offense. What I mean by this is the idea of building a “human firewall” — which entails the use of a cybersecurity user awareness training program in conjunction with other initiatives.

This form of cybersecurity training aims to help users increase their knowledge about cyber threats and best practices so they can identify potential threats and know how to respond accordingly.

When it comes to building a human firewall, there are four components:

  1. Performing Baseline Testing. This step uses simulated phishing attacks to gauge a baseline level of how vulnerable your business is concerning your employees’ cyber prowess.
  2. Training All Users. Cybersecurity training needs to be mandatory for everyone from the frontline employee all the way to the CEO. Training needs to provide current, engaging, interactive, and on-demand content that includes common scenario-based traps, exercises, and hacking demonstrations.
  3. Phishing All Users. Systematically test your users on a regular basis with automated and ongoing simulated phishing attacks. This helps to keep password security and cybersecurity hygiene top of mind for your employees at every level.
  4. Managing by Results. This last step is important because you use it to assess and fine tune your processes and training offerings based on the new information you receive.

As an IT security service provider with more than 25 years of serving the greater Los Angeles area, we've seen a lot over the years. And more and more of what we're seeing these days as it relates to security hacks, breaches, and threats is, unfortunately, the result of too many businesses NOT taking cybersecurity seriously enough. Again, just a few of these simple things can take your technology from being a target to being secure.

We hope that this information has been helpful.  Hopefully, you know where your business stands concerning its cybersecurity stance and password security to prevent future attacks.  If not, please download our free Cybersecurity Report Card to help you evaluate this by clicking on the link below.

Has your business fallen prey to cybersecurity attacks? What other recommendations might you have about ways to increase password security? Share your thoughts in the comments section below, or send me an email to chat about this topic more in depth.



Craig Pollack

Craig is the Founder & CEO of FPA Technology Services, Inc. Craig provides the strategy and direction for FPA, ensuring its clients, business owners, and key decision makers leverage technology as efficiently and effectively as possible. With over 25 years of experience building the preeminent IT Service Provider in the Southern California area, Craig is one of the area’s leading authorities on how small to mid-sized businesses can best secure and leverage their technology to achieve their business objectives.