Why your firm needs to introduce passphrases
The common thinking with passwords has generally been; the more symbols and alphanumerics, the more secure it is. We are now finding that this is irrelevant as we’re seeing passwords containing different symbols and alphanumerics being breached more and more frequently. The reason why is that characters don’t matter, its all about size. And the longer your password is, the less likely your firm is to be hacked.
Brute Force Hacking
In recent years there has been a rise in sophisticated bots which can break into accounts without even requiring the password. All these bots need is a username and then they’ll try a random combination of passwords until they eventually break through. The characters that passwords contain has little impact on these bots, the most effective way to counter them is by setting a longer password.
The above table shows the length of time it takes for one of these bots to crack a password.
Is your firm using something like Admin123? That would take less than a second to hack.
If the password is a longer phrase it dramatically increases the time taken to hack. So if you’ve got a 16 character password you’re safe until the end of the world.
How this happened to an accounting firm
We recently heard about this happening to an accounting firm’s Mailchimp account (this is used by some firms for client email automation). The hacker put the admin email address into Mailchimp then set the brute force bot to run. The accounts password was just 7 characters, so the hacker was in in under a second.
The Mailchimp account contained the contact details of all their clients, which meant that the hacker could send out a mass email instantly. In under 5 minutes the hacker sent an email out to all of the firm’s clients containing ransomware, and before any of the firm were alerted to the hack, 4 of their clients had been infected.
How to prevent this happening to your business
One step your firm can take today for free is to make your team use unique passphrases for every application. The difference between passwords and passphrases is there in the name; instead of using a single word, you use a phrase. Like with any password its best to set this up as something personal or easy to remember so you could use a phrase like this for the following apps:
Xero – Myfavouritecolourisblue
Email – Iliketalkingtomyclients
Facebook – Idontliketalkinginperson
The essential point is that the longer the password is, the more difficult it is to crack. Yes it may be annoying typing those extra 10 characters, but those 5 seconds could save your firm from being breached.
If you want to learn more about how you can secure your business, and how Practice Protect can help you manage passwords easily, then you can book a Cyber Security Consultation with one of our experts here.
This article was written by Jon Melloy, Technical Marketing Lead at Practice Protect, who’s sole focus is protecting accounting firms’ reputations with tools, policies and education to keep data safe without sacrificing convenience.