Passwords play a huge role in our daily lives, both personal and work. Banking, retail sites, social media and bill payment sites: how many times do you enter a password online each day?
World Password Day promotes better password habits and falls on the first Thursday of May every year.
It’s a gentle reminder that using the same password everywhere, reusing old passwords or choosing too simple a password for your online accounts will leave you vulnerable to a cyber-attack. Very quickly all your accounts could be accessed by a criminal who knows just one piece of information.
In celebration of World Password Day, we’ve put together five simple but effective tips to ensure your life and indeed livelihood is protected from being accessed by cyber criminals.
1. Choose your password wisely
Some people have systems to set up complex passwords. Guidance from the government’s National Cyber Security Centre (NCSC) advises that choosing just three random words is a good strategy to adopt, as it provides a good compromise between protection and usability.
When we say ‘random’ this does not mean information which could be quickly and easily found on your social media accounts, such as the name of your dog, children, other half, date of birth etc. It should be three random words – objects that you can see from your desk perhaps – e.g. PencilWiresBanana. You can further develop that system to contain numbers in place of letters e.g. P3nci1WiresB4nana and then even add a special character to make it stronger e.g. P3ncil1WiresB4nan&.
Don’t be tempted to reuse old passwords, as they may have been compromised in the past, and avoid sharing your passwords over email or non-encrypted methods.
If you want to check whether any of the passwords you use, or have used, have been compromised, we’d advise using the free checking tool Have I Been Pwned.
Microsoft Regional Director Troy Hunt created this free resource so that anyone can very quickly check whether a password they’re using has appeared in a data breach.
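The check described above can be done without ever sending your password anywhere. Have I Been Pwned’s Pwned Passwords API works on a k-anonymity model: the client hashes the password with SHA-1, sends only the first five hex characters of that hash, and receives every known suffix in that range with its breach count, so the match is made locally. The following Python is an added example written for this article (it is not code from Have I Been Pwned or its author); the endpoint and response format are those of the public API, while the `fetch_range` parameter, the function names and the constructed sample response in the usage section are assumptions made for illustration.

```python
import hashlib
import urllib.request

# Real public endpoint of the Pwned Passwords range API (k-anonymity lookup).
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the API indexes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fetch_range_live(prefix: str) -> str:
    """Fetch the 'SUFFIX:COUNT' list for a 5-character hash prefix from the live API.

    Only the prefix leaves the machine; the full hash and password never do.
    """
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"User-Agent": "password-check-example"},  # the API requires a UA
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def parse_range(body: str) -> dict:
    """Turn the API's 'SUFFIX:COUNT' lines into a {suffix: count} mapping."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.strip().upper()] = int(count.strip())
    return counts


def breach_count(password: str, fetch_range=fetch_range_live) -> int:
    """Return how many times the password appears in known breaches (0 = not found).

    `fetch_range` is injectable (an assumption of this example) so the lookup can
    be exercised offline against a constructed response.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    counts = parse_range(fetch_range(prefix))
    return counts.get(suffix, 0)


if __name__ == "__main__":
    # Constructed sample response for the prefix of SHA-1("password"); the count is made up.
    SAMPLE_RANGE = (
        "1D2DA4053E34E76F6576ED1DA63134B5E2A:3\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1000\n"   # suffix of SHA-1("password")
        "1E5D5B3A7C0E2C4E44F1B1F3F0A3B2C1D9E:1\n"
    )
    print(breach_count("password", lambda prefix: SAMPLE_RANGE))            # 1000
    print(breach_count("PencilWiresBanana", lambda prefix: SAMPLE_RANGE))   # 0
    # For a real check, call breach_count("...") with the default live fetcher.
```

A count above zero means the password should be retired everywhere it is used, and the hashed, prefix-only exchange is why it is safe to run this check on passwords you actually use.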
2. Two-Factor / Multi-Factor authentication (2 step verification)
Two-Factor or Multi-factor authentication (2FA/MFA), also known as 2 step verification, is a security system that requires more than one method of authentication to verify that a user is who they claim to be.
The more factors used to confirm a person’s identity, the greater the confidence that they are who they claim to be, and the lower the risk that credentials guessed or socially engineered from your users during a phishing attack are enough on their own.
Because MFA requires multiple means of identification, such as a PIN or fingerprint at login, it is widely recognised as the most secure method of authenticating access to data and applications. For example, you can set up 2FA or MFA on your password manager account.
Another good tip is to set up more than one type of authentication so that you have a backup plan to get into your password manager account, should your first choice of authentication be inaccessible e.g. you lose/break your mobile phone.
3. Password managers
We suggest that you use a unique password for each account. A password manager makes this simple by storing and filling the credentials for your many online accounts. These helpful tools are designed to make generating and using passwords easier and more secure.
Some can even automatically enter your password into the app or website you’re accessing without you entering it manually every time you log in – a great time saver.
However, you will still need a password to access your password manager which, as mentioned above, needs to be complex, unique and kept secure; otherwise you’ll be handing the key to your treasure chest to a cyber-criminal.
We would suggest you use multi-factor authentication to access any password manager. In addition, as a belt-and-braces strategy, don’t save your whole password in the password manager. Leave, say, the first two characters of the password out of the saved entry. Then, if the password manager provider itself is breached (yes, this does happen unfortunately, through no fault of the user), the stored value is still not usable on its own. For example:
Password saved in manager = EggHammerChicken2!
Actual Password = E!EggHammerChicken2!
4. Protect your devices
It is good practice for businesses to ensure that any devices containing sensitive information are protected by a password, PIN or fingerprint; that includes company mobile phones and laptops.
This makes accessing these devices more difficult should a thief get their hands on them. We offer stolen device testing as a service to ensure your organisation’s data is as secure as possible should a theft occur.
5. Stolen credential monitoring
Passwords are often stolen and then leaked or sold by hackers, whether from malware on a local machine or from a global breach at an organisation such as Facebook or LinkedIn. Even a single leaked password may leave you open to compromise, for example the leaked SolarWinds password “solarwinds123”, which impacted 18,000 high-profile clients including Microsoft, Boeing and US government agencies.
Credential monitoring informs users when their details are for sale and available for cyber criminals to purchase via the Dark Web and other sources.
A scary fact is that information such as usernames and passwords for accessing systems is found for over 25% of organisations.
Our Credential Monitoring service searches over 64,000 locations, mostly on the Dark Web, for mentions of your organisation, including your domain, email addresses and company name. We monitor many platforms and forums, including hidden chat rooms, IRC (Internet Relay Chat) channels, social media platforms, botnets, Dark Web auction sites and more, providing you with the intelligence to update your passwords before they are used against you.
We shouldn’t need a ‘day’ to remind us how important passwords are, and obviously there are no absolutes in cyber security: nothing can ever be 100% secure. However, risks can be mitigated and managed, and cyber criminals’ lives made more difficult. It’s always good to get a helpful reminder once in a while to bring password security to the forefront of our minds.
If you would like to chat through any concerns or company-wide protocols, device testing, MFA, security software, support and implementation, please do get in touch.