If you type the term "password cyberattack" into Google News, the results will show just how often cyber criminals are getting hold of important data belonging to companies and individuals. Weak passwords are a big part of the problem. For instance, in 2023 technology security firm Nordpass reported that "123456" was the most common password in Nigeria, and the second most common password in the whole world.

Thembekile Mayayise is a cybersecurity professional and researcher. The Conversation Africa asked her to outline how employers and employees can improve their password safety.

Why is password security so important?

The spike in cyberattacks leading to system breaches and data leaks has compelled a review of access control strategies. The question has shifted from whether cyberattacks will occur to when and how they will happen.

Passwords and usernames remain a key point of vulnerability as they are still used for access and authentication. Too many people use weak and recycled passwords.

A report by cybersecurity firm Sophos found that the "number of cyber attacks on businesses in South Africa, Kenya and Zambia increased by 76% in 2023." This comes at a huge cost.

Each year various sources publish lists of the most used passwords. Research by NordPass often highlights predictable choices like "123456," "admin," "12345678" and "password."

These passwords can be cracked in less than a minute by highly skilled hackers and those with basic hacking skills. Confidential information is then exposed to theft, deletion or tampering. AI tools are making hacking easier.

In some organizations, passwords never expire, creating opportunities for unauthorized access. In many instances, compromised passwords result in online identity theft. Nor are password-saving features, such as websites offering to auto-save when you create a new account, a flawless solution. Despite the convenience, these platforms pose a risk of credential exposure.

What can companies do differently?

A password policy and corresponding standards should be developed and implemented to meet the company's cybersecurity objectives. How this is done depends on the organization and the type of business. For example, financial institutions and credit card companies may find the Payment Card Industry Data Security Standard to be most appropriate.

Others might find the guidelines provided by the US National Institute of Standards and Technology or ISO/IEC 27001 security standards useful. These standards are used globally.

Companies must ensure that employees are fully informed about the policies and procedures related to password use and that they understand their responsibilities. They should therefore:

• conduct regular awareness campaigns to promote safe password practices and address potential password threats
• follow best practice security standards for user accounts management and password control
• incorporate password-strength meters to assist users in generating more secure passwords
• consider adopting multi-factor authentication, which requires two or more pieces of evidence to authenticate a user—for example a password and facial or retina recognition
• ensure that the password files are encrypted
• conduct regular audits to monitor and ensure compliance with password policies and standards.

This article is republished from The Conversation under a Creative Commons license. Read the original article.