There are numerous threats and tools used to get company employees to give
up their passwords, either knowingly or unknowingly. Hackers wishing to gain
access to an account use a variety of methods, including phishing, guessing,
shoulder surfing, dictionary attacks and keystroke logging. Each of these
methods is a way to capture a password and gain access to company information.
It is essential for every employee to minimize their exposure to each of these
threats, which can be defined as follows:
- Phishing – This threat often arrives as an impostor email designed to trick an employee into entering their username along with their password. It usually takes the form of a link to a website that poses as a legitimate financial service, payment processor or auction site. Typically, the employee types confidential information into the bogus site without realizing it is not legitimate.
- Guessing – Human behavior is a funny thing, as it is so often predictable. Without strict company policies firmly in place, employees will likely create very simple passwords that can be easily guessed. Passwords commonly chosen by employees include “password”, “passcode”, “12345”, “qwerty”, “admin”, or any row of letters directly off the keyboard. They may also be built from names, dates, birth years, or any combination of these. Guessing is extremely easy for an online hacker who understands the predictability of human behavior.
- Shoulder Surfing – Whenever an employee is in a public area such as an airport, library, café, restaurant, or on mass transit, it is easy for others to look over their shoulder, which is known as “shoulder surfing”. By watching the employee type in their password, a bystander can steal this valuable information and use it to gain access to a company account. Even if the employee is not logging in to a company account, they most likely use the same password for their private accounts as they do for the ones at the office.
- Dictionary Attacks – Using specialized software, online cyber-thieves let their computers guess employee passwords by trying every word in a dictionary, along with countless combinations of words, numbers and symbols.
- Keystroke Logging – There is an endless variety of Trojan horses, malicious programs and viruses that can quickly and surreptitiously install themselves on any computer at the office or at home. These programs capture and transmit the keystrokes we make while logging on to accounts online. Almost instantly, the keystroke logger sends out exactly what was typed for the user ID, followed by the exact keystrokes of the password, passphrase, or password combination.
Great Password Practices
When employees take a proactive approach to safeguarding passwords and deterring others from gaining access to company accounts, they can follow these three password practices:
- Guard against Phishing – Never click on a link in an email. Instead, go directly to the company website and log in to your account there.
- Guard against Guessing and Dictionary Attacks – Create passwords that are at least eight characters long, that include uppercase letters, lowercase letters, numbers and symbols, and that cannot be easily guessed.
- Guard One Account from Another – Always create a unique password for every account. If a hacker gains access to one of your accounts, they will not have access to any of the others.
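A policy check that encodes the rules above, added here as an example and not code from the original article: it enforces the eight-character, four-class rule, rejects the predictable choices named earlier (“password”, “qwerty”, “admin” and runs of adjacent keyboard keys), and reports every violation at once. The common-password list and the keyboard rows are constructed from the article's own examples.

```python
import re
import string

# Constructed list of the predictable passwords the article names above.
COMMON_PASSWORDS = {"password", "passcode", "12345", "qwerty", "admin"}

# Rows of a US keyboard; four or more adjacent keys, in either direction,
# count as "a row of letters directly off the keyboard".
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def is_keyboard_run(pw, min_run=4):
    """True if pw contains min_run adjacent keyboard keys (forward or reversed)."""
    p = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - min_run + 1):
                if seq[i:i + min_run] in p:
                    return True
    return False


def check_password(pw):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    classes = {
        "uppercase": any(c.isupper() for c in pw),
        "lowercase": any(c.islower() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "symbol": any(c in string.punctuation for c in pw),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        problems.append("missing " + ", ".join(missing))
    # Strip digits and symbols so that "Password123!" is still caught as "password".
    core = re.sub(r"[^a-z]", "", pw.lower())
    if pw.lower() in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        problems.append("on the predictable-password list")
    if is_keyboard_run(pw):
        problems.append("contains a row of adjacent keyboard keys")
    return problems


if __name__ == "__main__":
    for candidate in ["Qwerty1!", "pottedplant123", "Tr0ub4dor&3"]:
        print(candidate, "->", check_password(candidate) or "OK")
```

Note that “pottedplant123” is rejected only for its missing character classes; no automated rule can tell that it names the plant on the employee's desk, which is why the advice in the closing paragraph still matters.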
Although it is always up to the company IT manager to direct employees on the best practices and procedures for developing effective passwords and passphrases, it is the responsibility of every employee to safeguard critical, confidential information. By using a password manager and two-factor authentication, companies can minimize the potential for online attacks while safeguarding their vital data. That brings us back to the big question: How many passwords fit on a single sticky note?
…Zero.
Probably the easiest way for a hacker to gain access to a company account is to watch an employee at their desk. Many employees leave their passwords on sticky notes in plain sight of any passerby. Even those who do not use sticky notes tend to build their “unique” password from common things in their work environment; an example might be “pottedplant123”. Writing down a password and leaving it around the desk, or choosing a password based on something in plain sight, is an easy way to put the company at risk of being hacked from the inside.