Password Security – The Good, the Bad and the Ugly
by Russell Gower-Leech, Technical Solutions Architect
When it comes to remembering things, humans can be pretty rubbish at retaining information. Increasingly we rely on technology, in the form of smart assistants and wearables, to remind us of appointments and details. The same applies to passwords: on average we each have approximately 23 online accounts or personas but only 13 unique passwords, which means we are re-using passwords across multiple accounts.
Re-using passwords may seem harmless and even logical: who can really keep track of 23 individual passwords?! But this habit can be detrimental to our cybersecurity. We hear more and more about password data being lost/leaked online and more often than not, our e-mail address is the main anchor for all of our other personas, so if we share the same password between the personas or even our e-mail account and that password is leaked or compromised, we’re giving over the keys to the kingdom!
So, how can you make sure your passwords are secure?
As it’s cybersecurity awareness month, we wanted to share our knowledge with you to make sure you are being as secure as possible online, and a big topic at the moment is how safe and un-hackable our online passwords are.
There are some really simple things we can do to address this risk and what’s great about this advice is that it works right across our personal lives to our workplace. Raising awareness of our personal cybersecurity naturally changes our attitudes to security in the workplace, helping businesses to become more secure as a by-product – so, any business owners or team leaders reading this, take note!
5 Top Tips for better password security
Tip 1: Complex Passwords
Typically, people use predictable and personal words, such as football team names, pet names or dates of birth, as the basis for their passwords. There’s some interesting research on this, as well as a list of the worst passwords to use, here. Adding complexity to our passwords can really make a difference to password security. For instance, making sure the password is between 8 and 12 characters long and contains numbers, upper- and lower-case letters and special characters (a policy most IT support services should enforce these days) makes your passwords that much harder to guess, and also harder to ‘crack’ electronically. A good example is something like this, where we combine two random words (Audi and Trees) and substitute certain characters: 4Ud!Tr3e5! Better yet are completely random passwords like ‘m8Pjy5=eFZ%T’, but these are tricky to manage without help (see Tip 3)!
Tip 2: Multi-Factor Authentication
MFA (Multi-Factor Authentication), or Two-Factor Authentication (2FA), is, as the name suggests, a means of adding another element to your login rather than relying on a single password. The most common examples in day-to-day life are the TXT-based (text message) codes you get from your bank or Amazon account. TXT-based MFA is actually one of the weakest forms of MFA and is actively being retired by most large technology companies, but if it’s a choice between TXT MFA and no MFA, there’s no choice at all! The best type of MFA is push-based: an app on your smartphone actively prompts you to approve the login once you’ve entered your password. These are much more secure than TXT-based MFA and have the added benefit of giving you an early warning that someone may be trying to log in to your account.
A common solution you may come across is Google Authenticator, which uses a frequently changing OTP (One-Time Passcode). It’s a great free tool for personal use but doesn’t really cut it for businesses, as there is no local security for the device. For businesses, combining it with tools like AuthPoint can address this and reduce the number of MFA solutions you need to manage.
Tip 3: Unique Passwords
Granted, this is easier said than done, but having a different password for each account is a great way to reduce the impact of leaked or breached accounts; however, it can be very hard for individuals to manage. Having your own cipher can help: substituting letters with numbers and using a standard format, so ‘OneDrive’ becomes ‘0N3Dr1v3!’, for example. However, this isn’t ideal, because once your method is known it opens the door to guessing your other passwords. Password managers are a great solution: they generate and store strong random passwords for each account, which you simply copy and paste each time you need to log in. You’ll need to be careful which password manager you choose and keep the number of devices it’s synced with to a minimum. Avast has a great tool which is free and built into their AV solution. Even better, this service is only accessible by their applications and notifies you when apps/devices are added, which can be a great heads-up to an attack.
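To tie Tip 1 and Tip 3 together, here is an added example (not code from the article or from any password manager) of the two things a password manager does on your behalf: enforce a complexity policy like the one described in Tip 1, and generate random passwords of the ‘m8Pjy5=eFZ%T’ kind using the operating system’s cryptographic random source. The policy constants (`MIN_LENGTH`, `SPECIALS`) are assumptions based on the tips, not a published standard.

```python
import secrets
import string

# Assumed policy constants, taken from Tip 1 of the article rather than from any
# particular IT department: minimum length and the set of accepted specials.
MIN_LENGTH = 8
SPECIALS = "!@#$%^&*()-_=+[]{};:,.<>?/"
ALPHABET = string.ascii_letters + string.digits + SPECIALS


def check_complexity(password: str) -> list:
    """Return the list of policy rules the password breaks; empty means it passes.
    Reporting every failure at once is friendlier than rejecting one rule at a time."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    return problems


def generate_password(length: int = 12) -> str:
    """Produce the kind of random password a password manager stores for you.
    `secrets` draws from the OS CSPRNG (never use the `random` module for this),
    and the rejection loop keeps drawing until the result satisfies the policy,
    which avoids the bias of forcing one character of each class into fixed slots."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_complexity(candidate):
            return candidate


if __name__ == "__main__":
    # The first two are constructed weak examples; the last two are the article's own.
    for pw in ("password", "liverpool1", "4Ud!Tr3e5!", "m8Pjy5=eFZ%T"):
        verdict = check_complexity(pw)
        print(f"{pw:16} -> {'OK' if not verdict else ', '.join(verdict)}")
    print("generated:", generate_password(16))
```

Note what the checker cannot see: ‘4Ud!Tr3e5!’ and ‘m8Pjy5=eFZ%T’ both pass, yet only the second was chosen uniformly from the whole alphabet. A complexity rule measures character classes, not how the password was made, which is why the article ranks fully random passwords above substituted words.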
Tip 4: Hack Check/Breach Notification
Some of you may be familiar with services like ‘HaveIBeenPwned’, which collect data from public data breaches and let you search whether your account(s) are among them. Again, Avast has a great free service for this which provides proactive notifications: once you register your e-mail address(es), should they appear in any new data breach you’ll receive an e-mail letting you know, so you can immediately change your password for that account.
Tip 5: Sharing isn’t always caring
Hopefully this last little tip goes without saying, but you should never, ever share your account or password with anyone. No emergency Post-it notes stuck to the monitor or under the keyboard, nothing! Businesses sometimes use departmental accounts for some staff, but these should really be discouraged, not just for security but also for auditability; ensuring the business can trace actions back to an individual is key for security, quality and compliance needs.
To sum up…
Improve your cybersecurity and ensure your passwords are secure now by following these tips:
• Be sure to use complex passwords
• Ensure you have multi-factor authentication at the very least
• Try to use a different password for each account if you can
• Sign up to a hack notification service so you can be notified if anyone attempts to use your account
• Keep your passwords to yourself