We all use online services these days, whether for business or pleasure, or maybe to pay our taxes.
Almost every service you use requires a password, and these days your web browser of choice will suggest and generate a strong random password for you. Yet, despite this assistance, people still use the same password for every website they visit and, worse, choose easily guessable passwords or follow simple password creation strategies such as Theresa1, Theresa2 and so on for different sites.
To highlight the problem, the American password security company SplashData publishes an annual list of the 100 worst passwords, and it recently released its list for 2018. The hope is that, once people recognise the problem, they will try harder to improve their password security. The top 10 would be laughable if it weren't such a serious matter.
Rank (2018)   Password     Change from 2017
 1            123456       unchanged
 2            password     unchanged
 3            123456789    up 3
 4            12345678     down 1
 5            12345        unchanged
 6            111111       new
 7            1234567      up 1
 8            sunshine     new
 9            qwerty       down 5
10            iloveyou     unchanged
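As an added illustration (this is example code written for this article, not part of the original post and not Compliance Compendium's software), the Python below screens a candidate password against the top-10 list above, catches the "same word plus a counter" variants described earlier (Theresa1, Theresa2, Password2018!) by normalising each password to its base word, and shows how much more guessing a browser-generated 16-character random password requires. The function names, the small letter-substitution table and the per-site sample passwords are all constructed for the example.

```python
import math
import re
import secrets
import string

# The SplashData 2018 top ten, copied from the table above.
WORST_PASSWORDS_2018 = [
    "123456", "password", "123456789", "12345678", "12345",
    "111111", "1234567", "sunshine", "qwerty", "iloveyou",
]

# A deliberately small set of letter substitutions (assumption: enough to
# illustrate the idea; a production checker would use a fuller table).
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "3": "e"})

# The 94 printable ASCII characters a browser-style generator draws from.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def normalise(password: str) -> str:
    """Reduce a password to its base word: lower-case it, drop any leading and
    trailing digits/symbols (the 'Theresa1', 'Theresa2' suffixes), then undo a
    few common letter substitutions.  Returns '' for an all-digit password."""
    base = password.lower()
    base = re.sub(r"[^a-z]+$", "", base)   # trailing '1', '2019!', ...
    base = re.sub(r"^[^a-z]+", "", base)   # leading '!', '123', ...
    return base.translate(LEET)


def check_password(password: str, denylist=WORST_PASSWORDS_2018) -> list:
    """Return the problems found with a candidate password (empty list means
    none found).  This is a screening step against known-bad choices and a
    minimum length, not a guarantee of strength."""
    problems = []
    deny = {p.lower() for p in denylist}
    if password.lower() in deny:
        problems.append("exact match on the worst-passwords list")
    else:
        base = normalise(password)
        if base and base in deny:
            problems.append(f"trivial variant of '{base}' from the worst-passwords list")
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    return problems


def find_reuse(site_passwords: dict) -> dict:
    """Group one user's per-site passwords by base word and return the groups
    that share a base, which exposes the 'Theresa1 / Theresa2' strategy."""
    groups = {}
    for site, pw in site_passwords.items():
        base = normalise(pw) or pw.lower()
        groups.setdefault(base, []).append(site)
    return {base: sites for base, sites in groups.items() if len(sites) > 1}


def generate_password(length: int = 16) -> str:
    """Generate a password the way a browser does: a CSPRNG choice from the
    full printable alphabet for every position."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy for a uniformly random password of the given length."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Constructed sample: one user's passwords across four sites.
    sample = {
        "bank": "Theresa1",
        "shop": "Theresa2",
        "mail": "Theresa3!",
        "forum": "Xq7$v!pL2#mWz9Ra",
    }
    for site, pw in sample.items():
        print(f"{site:6} {pw!r:20} {check_password(pw) or 'no problems found'}")
    print("reused base words:", find_reuse(sample))
    print("generated:", generate_password(), f"({entropy_bits(16):.1f} bits)")
    print(f"a 6-digit PIN such as 123456 is at most {entropy_bits(6, 10):.1f} bits "
          "even when chosen at random")
```

The normalisation step is what matters in practice: an exact-match denylist is defeated by appending a single digit, whereas stripping the suffix first means every member of the Theresa1, Theresa2, Theresa3! family is judged by the word it shares. A real deployment would replace the ten-entry list with a breached-password corpus and keep the same comparison logic.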
So why does it matter? If your online services can be used to buy things, or give access to your financial details or company resources, there will always be people trying to steal from you. Let's face it, breaking into an online account carries a lower criminal penalty than threatening you at knifepoint, so criminals are positively encouraged to move towards online theft, and such crimes can be committed from anywhere in the world. Criminals use a range of techniques: guessing (see the list above), phishing, interception over a network, shoulder surfing, key loggers and other electronic means. My personal favourite, though, is the post-it note left on someone's computer with their main login details. Nice!
The UK government gives advice on setting passwords, and it should be followed: although the UK Data Protection Act itself says nothing specific about passwords, Article 5(1)(f) of the GDPR, which the Act brings into UK law, states that personal data shall be "Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures."
This is where I feel the legislation could be improved, because logically, as soon as someone unlawfully gains access to your IT, that is a data breach, and a data breach is a much more serious matter!
Compliance Compendium can help: we offer Data Protection Officer (DPO) as a Service (DPOaaS) and can advise on policies and policy documentation.
And because we also help the not-for-profit sector we have made our software affordable for even the smallest organisations, and simple to use for people not used to using IT. We even offer a free 30-day trial to see if it’s for you, what could be easier?
So, don’t risk it … and don’t get caught out. Get compliant, stay compliant, with Compliance Compendium!