How to Recognize the Challenge?

NordPass released the most common passwords list for 2021. According to the list, the table below is the top 10 most common passwords in Taiwan.

As usual, the passwords with sequential numbers are commonly seen passwords. According to ID Agent, about 81% of data breaches are due to poor password security. Therefore, for IT managers in a company, it is important to make employees set strong passwords and need to prevent setting weak passwords. If an account is compromised because of a weak password, no matter how secure protection IT manager does to servers, hackers can easily get into servers.

Standard tips to strengthen the password

These are basic tips to keep passwords strong.

Contains number, uppercase, lowercase and symbols with good length

There is an attack called "Brute-force attack". This attack will input all the possible combinations of passwords to steal the right password. Let's say there is a 6 characters password with a combination of number, uppercase and lowercase (62 different characters). The number of possible combinations are 56,800,235,584. If the password length is 7 characters, the number of possible combinations will be 3,521,614,606,208. Even adding 1 character will make a big difference on possible combinations. Therefore, using different types of characters with having enough length of password makes password strong.

Make it nonsense

There is an attack called "Dictionary attack". This attack will attempt to login using a dictionary of commonly used passwords. Usually, this dictionary is created from password data which was breached in the past. This makes it a lot more efficient to find the right passwords compared to brute-force attacks. By making passwords into really random nonsense characters, the user can avoid passwords to be obtained by dictionary attack.

Do not reuse passwords and update regularly

If the user uses the same password for multiple services, once a hacker compromises one of the accounts, the hacker can use the same passwords to login to different services. To minimize this possibility, it is important not to reuse passwords for different services. Plus, if we see the risk that passwords are breached in a place which we are unaware of, it is better to update passwords regularly. By updating passwords regularly, the period of hacker to have a valid password becomes shorter even if there is a password breach.

What HENNGE One can do to keep password of employees strong

HENNGE One Access Control is the cloud service which provides a secure Single Sign-on solution for the company using SaaS services. When a user uses HENNGE One Access Control and tries to sign-in to SaaS service, the user will be redirected to HENNGE One sign-in page. Once the user is authorized in HENNGE One, the user can sign-in to the SaaS service with HENNGE One credential. And, the user also can sign-in to other SaaS services with the same HENNGE One credential. Since the user only needs to sign-in once, this way of signing-in method is called Single Sign-on.

Since Single Sign-on is the feature where a user login to another service by credential, the user doesn't need to think about setting or remembering different passwords for different services. All users need to remember is the password for HENNGE One.

Plus, HENNGE One provides the function to regulate the password. The admin can configure to require the user to set a longer password and also can require the user to contain number, uppercase, lowercase and symbol in the password. By doing so, HENNGE One can avoid the risk of users setting weak passwords.

Beyond the password authentication

In 2020, there was news that almost 235 million Instagram, TikTok and YouTube user profiles were exposed online. And according to an article by Security Boulevard, 73% of users duplicate their passwords in both their personal and work accounts. This means even if a company tries hard to protect passwords by themselves, there is always a chance that passwords can be leaked by consumer apps and those passwords can be used for attacking.

One of the ways to prevent this is to have multi-factor authentication(MFA). MFA usually requires the user to have not only a valid account but also a valid device. HENNGE One can provide push authentication using an app called HENNGE Lock to make MFA possible.

Another way is to authenticate by device. HENNGE One can issue a Device Certificate to each device. This function will require the user to have a valid device to sign-in to services by requesting Device Certificate to sign-in. And, since it is a lot harder for hackers to compromise Device Certificate, it is a safer way to authenticate compared to ID/Password method.