If you’ve been following my recent posts, I’m sure you know the drill by now. This time we will be tackling the contentious subject of Passwords.
We have always had a love/hate relationship with passwords (though I’m sure we can agree that it’s mostly hate). They have been the most universally efficient way of authentication for decades and, unfortunately for some, they are still of use in today’s modern technological society. With the plethora of accounts we all have set up – from email, social media, video streaming, music streaming, and so on – each one requiring a password, it’s probably hard, not to mention tedious, to keep track of them all.
In this week’s edition of our information security knowledge nugget, I wanted to share some useful tips and tricks when it comes to passwords, as well as some rationale on why it is so important to keep them safe and out of the hands of cyber criminals.
Ensure that passwords are Unique across all accounts
Apart from being general good practice, this will restrict the possibility of a malicious actor using a leaked password and username combination from one site to access all of your accounts from all the other services you use. This is standard practice for criminals.
For password creation, Length is key!
The longer your password is, the longer it would take conventional hacking tools to crack it. Ensure that your passwords are at least 16 characters long and try to utilise the “3 random words” method whereby you take three random words and string them together to make a passphrase. To get an indication of how easy a password is to crack, pay a visit to the How Secure Is My Password page at Security.org. This page can show you how long a conventional computer with standard password cracking tools will take to crack the password you put in the text box. The longer it is, the higher that value becomes.
Do not create “Common” passwords
Never use common words such as “Password”, your first and/or last name, or any other publicly available information about you when creating passwords. These will make it easier for malicious actors to crack or guess them.
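The length, "3 random words", and no-common-passwords tips above can be turned into a small policy check. The following Python is an added example written for this post, not code from the author or from any named tool: it generates a passphrase from a word list with a CSPRNG, estimates the passphrase's entropy and the average brute-force time for an assumed guess rate, and rejects passwords that are shorter than 16 characters, contain a blocklisted common password, or contain the user's own name or e-mail handle. The word list, blocklist and the 1,000-guesses-per-second figure are constructed placeholders; a real check would use a dictionary of thousands of words and a blocklist built from leaked-password corpora.

```python
import math
import re
import secrets

# Constructed word list for illustration. A real deployment would use a large
# dictionary (several thousand words); its size drives the entropy figure below.
WORDLIST = [
    "maple", "lantern", "otter", "quartz", "harbour", "velvet", "comet",
    "thistle", "anchor", "saffron", "glacier", "pebble", "walnut", "meadow",
    "falcon", "ember",
]

# Constructed blocklist; real checks use lists of millions of leaked passwords.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}

MIN_LENGTH = 16  # the post's recommendation


def generate_passphrase(words=WORDLIST, count=3, separator="-"):
    """Build a '3 random words' passphrase using the CSPRNG in `secrets`."""
    return separator.join(secrets.choice(words) for _ in range(count))


def passphrase_entropy_bits(wordlist_size, count):
    """Entropy of `count` words drawn uniformly from a list of `wordlist_size`."""
    return count * math.log2(wordlist_size)


def average_crack_seconds(entropy_bits, guesses_per_second):
    """Expected guessing time: on average an attacker covers half the keyspace."""
    return (2 ** entropy_bits) / 2 / guesses_per_second


def _personal_tokens(name, email):
    """Lower-cased name parts and e-mail handle parts of four or more characters."""
    tokens = set()
    for part in name.lower().replace("-", " ").split():
        if len(part) >= 4:
            tokens.add(part)
    local_part = email.lower().split("@")[0]
    for part in re.split(r"[._+-]", local_part):
        if len(part) >= 4:
            tokens.add(part)
    return tokens


def check_password(password, name="", email=""):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for word in sorted(COMMON_PASSWORDS):
        if word in lowered:
            problems.append(f"contains common password '{word}'")
    for token in sorted(_personal_tokens(name, email)):
        if token in lowered:
            problems.append(f"contains personal information '{token}'")
    return problems


if __name__ == "__main__":
    candidate = generate_passphrase()
    bits = passphrase_entropy_bits(len(WORDLIST), 3)
    print(candidate, "entropy bits:", round(bits, 1))
    # Assumed rate of 1,000 guesses/second for an online attack; offline
    # cracking of a weakly hashed password is many orders of magnitude faster.
    print("average seconds to guess:", average_crack_seconds(bits, 1000))
    print(check_password("Password123", "Alice Smith", "alice.smith@example.com"))
```

With only 16 words the entropy is 12 bits, which shows why the word list size matters as much as the word count: three words from a 7,776-word diceware list give roughly 39 bits, and adding a fourth word adds another 13 bits.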
Never share your personal passwords
Passwords are like underwear, they’re not meant to be shared, especially when linked to personal accounts so keep them to yourself.
If a breach occurs, Change your password immediately and Never use that password again.
This one may seem obvious, but it is key to protecting yourself from being the victim of an attack. As soon as a data breach from a service where you have an account is disclosed, log in to your account from the official portal and change your password, even before you are contacted by the relevant company. What’s more, ensure that you never use this password for any of your accounts again, especially when they are tied to the same email address. If you’d like to check whether your email address has been involved in a breach in the past, take a look at Have I Been Pwned?. It’s a great resource querying a huge database full of accounts that have been involved in data breaches so you know if it’s time to go in and change your password to be safe.
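Have I Been Pwned also exposes its Pwned Passwords data through a "range" API that lets you test a candidate password against known breach corpora without ever sending the password itself: the client sends only the first five hex characters of the password's SHA-1 hash and matches the returned list of hash suffixes locally. The Python below is an added example for this post, not code from Have I Been Pwned or the author; it assumes the documented endpoint `https://api.pwnedpasswords.com/range/<prefix>` and the optional `Add-Padding` request header, and the network call is isolated in `fetch_range` so the matching logic can be exercised with a constructed response.

```python
import hashlib
import urllib.request

# Documented Pwned Passwords range endpoint (assumption: unchanged since writing).
RANGE_API = "https://api.pwnedpasswords.com/range/"


def hash_parts(password):
    """SHA-1 the password; the 5-char prefix goes to the API, the 35-char suffix stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_from_range_response(body, suffix):
    """Parse 'SUFFIX:COUNT' lines and return the breach count for our suffix (0 = not found).

    Padding entries requested via Add-Padding carry a count of 0, so they never
    produce a false positive.
    """
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix:
            return int(count.strip() or 0)
    return 0


def fetch_range(prefix, timeout=10):
    """Fetch the list of hash suffixes for a 5-character prefix (network call)."""
    request = urllib.request.Request(
        RANGE_API + prefix,
        headers={"User-Agent": "password-hygiene-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return response.read().decode("utf-8")


def pwned_count(password, fetch=fetch_range):
    """How many times this password appeared in known breaches; 0 means no match."""
    prefix, suffix = hash_parts(password)
    return count_from_range_response(fetch(prefix), suffix)


if __name__ == "__main__":
    # Constructed response in the API's line format; the middle line uses the
    # real suffix of "password" so the example matches without network access.
    _, known_suffix = hash_parts("password")
    sample_body = (
        "0018A45C4D1DEF81644B54AB7F969B88D65:1\n"
        f"{known_suffix}:3861493\n"
        "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:0\n"
    )
    print("offline check:", pwned_count("password", fetch=lambda p: sample_body))
    # Uncomment to query the live service:
    # print("live check:", pwned_count("maple-lantern-otter-quartz"))
```

A non-zero count is the signal to treat the password as burned, exactly as the post advises after a breach: change it everywhere it was reused and do not pick it again.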
Where possible, implement Multi-Factor Authentication (MFA)
As discussed in a previous article, MFA is a useful tool to add an extra level of security to your accounts, whereby if a malicious actor gains access to your password, they will still need the second factor in your sole possession to access your account, rendering their possession of just the password somewhat useless.
Utilise a Password Manager to store all your passwords securely
If you feel like you have too many passwords and are finding it close to impossible to remember them all, try using a password management solution. There are a host of solutions available, some with free tiers as well as paid or enterprise tiers, so there are options available for all.
Don’t implement regular password change requirements
Contrary to popular belief and years of implementation in corporate environments, the latest guidance actually steers away from implementing policies that enforce the regular rotation of passwords. The UK National Cyber Security Centre's (NCSC) latest guidance on passwords suggests that admins do not enforce regular password expiry, for a number of reasons. If strong password creation policies, an effective staff leavers process, security awareness and monitoring are in place, then there should be no need to apply regular password expiry in a corporate setting.
Luckily for most, the age of the password is fading, and all the big tech players are working towards alternative methods such as passkeys based on FIDO standards. Companies like Apple and Google have already started rolling out this technology to certain devices with the aim being to eradicate the need for passwords once and for all.
That being said, we are still far away from getting rid of passwords completely, which is why I have chosen Passwords as the topic for this week. How to create effective passwords, and how to properly manage and secure them, needs to be top-of-mind for all.
Now go forth, set long passwords and keep them secure!