Why Mark Zuckerberg’s password should concern you

(Last updated on September 26, 2019)

Mark Zuckerberg’s password was hacked earlier this month. Not only did he use a simple password – dadada, but he also reused it across different services. Why should this make you worry? Because Zuckerberg’s negligence reflects current password norms that your employees have made a habit out of, including:

  1. Using the same password whenever possible;
  2. Rotating through a variety of similar passwords;
  3. Keeping a written password in a master book of passwords;
  4. Using personal information in a password; and
  5. Avoiding special characters

Take a quick look at how many passwords each employee has to manage and you will understand why it is tempting to take shortcuts. A typical person has to manage work emails, personal emails, banks and social media, just to name a few. When employees are juggling a long list of passwords, it is likely that they will choose convenience over password security and make some of the above-mentioned mistakes. So what can you do to change poor password habits?

Here are a few suggestions:

  • Never stop training: Most employees have good intentions. However, they still make these common mistakes because they are unaware of the security risks. It helps to schedule ongoing training sessions to educate your employees on password best practices.
  • Disable dictionary words for single-word passwords: Dictionary words are common words likely to be used as passwords, including names, dates or numbers. When a dictionary word is used alone or with minor modifications, such as an appended string of numbers (e.g. family123), it can be easily discovered through brute-force attacks. Given that most users tend to opt for such passwords, this can be a difficult requirement to meet. A good way to solve this problem is enabling passphrases.
  • Enable passphrases: A strong password is a passphrase that is entirely nonsensical to a password cracking tool but memorable to humans. Passphrases don’t need strict dictionary checks since most passphrases have a minimum requirement of 15 characters, making it harder for a dictionary attack to succeed. The length requirement encourages users to create something like ILuv2PlayS@ccer or T@morrow I leave for Disneyland!, which are extremely hard for password cracking tools to guess but easy for users to remember.