Ethical Hacker, Paul Crone shares his expertise on creating strong passwords to beat the hackers!
Take a moment to consider the device you are reading this on, whether it is a phone, laptop, or desktop. Is it a work or personal device? What information or personal details are stored on the device? Would you want just anyone to be able to access and view that data?
The answer is probably no, right?
Strong passwords are an important step in our quest for online safety and we often undermine them. We make them very easy to remember, we want them quick to type, and we include personal information like birthdays which are easy to look up on social media.
We also reuse them across multiple services and websites. This all leads to poor password security because the passwords are short and easy to brute force (a hacking technique where a computer guesses thousands of passwords a second until it finds the correct one).
Reusing passwords for multiple accounts puts them at greater risk of being breached as attackers are likely to try the same email/password combination on multiple mainstream sites, such as Facebook, Twitter, LinkedIn, etc.
How can you improve security without making things difficult for staff? There are a few things you can do:
- Don’t enforce regular password changes. This may sound counter-intuitive, but it has been shown to only frustrate users, and often only minor changes are made anyway, e.g. password1 will be changed to password2.
- Make Two-Factor Authentication (2FA) a part of your login process. This free security feature adds another layer of protection as users will be prompted to input a code sent via SMS, Email, or an Authenticator App whenever they log in. A hacker might guess your password, but they won’t have your phone!
- Check your passwords against lists of common or breached passwords as these are the first things that hackers will try. You can check passwords against the ‘Have I Been Pwned’ website which lets you know if the password you are using has been in any cyber breaches.
- Use different passwords for ALL accounts, especially between business and personal.
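The breached-password check in the third point can be done without sending the password itself anywhere: Have I Been Pwned's Pwned Passwords API takes only the first five characters of the password's SHA-1 hash and returns every known suffix for that prefix, so the match is made locally. The Python below is an added example (not the SBRC's or HIBP's own code); the `SAMPLE_RANGES` response is constructed for offline use and only the entry for "password" reflects a real hash.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def hash_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase SHA-1 hex digest into the 5-char prefix that is
    sent to the API and the 35-char suffix that never leaves this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Scan a range response (one 'SUFFIX:COUNT' per line) for our suffix.
    Returns the breach count, or 0 if absent (padding lines also carry 0)."""
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Query the live API. 'Add-Padding: true' asks HIBP to pad the reply so
    its size does not reveal how many real matches the prefix has."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "password-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    """Return how many times the password appears in HIBP's breach corpus."""
    prefix, suffix = hash_prefix_suffix(password)
    return count_in_range(suffix, fetch(prefix))


# Constructed sample of a range response for prefix 5BAA6 (SHA-1 of "password"
# begins 5BAA6). The other suffixes are made up; real replies hold hundreds of lines.
SAMPLE_RANGES: Dict[str, str] = {
    "5BAA6": "003D68EB55068C33ACE09247EE4C639306B:3\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\n"
             "2A59A69B1C5AD8B4F4B9C7E2D0F1A3B5C7D:0\n",
}


def sample_fetch(prefix: str) -> str:
    """Offline stand-in for fetch_range that serves the constructed sample."""
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "FishEarphonesMug"):
        n = breach_count(pw, sample_fetch)
        print(f"{pw!r}: {'seen ' + str(n) + ' times' if n else 'not in sample'}")
```

Swap `sample_fetch` for the default `fetch_range` to check against the live service; a non-zero count means the password should not be used.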
Another consideration is staff education on password security and perhaps implementing a password policy to ensure employees use strong passwords. The NCSC recommends combining three random words to create a password which is ‘long enough and strong enough’, e.g. FishEarphonesMug.
Watch the following short video where Ethical Hacker, Finlay shares his top tips for good password security:
Using Password Managers
A password manager is another great addition to your cyber security toolkit. They generate long and complex passwords that would be impossible for a hacker or even supercomputer to guess and they remember these passwords so that you don’t have to, except the master one of course!
Password managers normally come with a phone application or browser extension, allowing you to access your passwords wherever you go.
In this video, Ethical Hacker, Allena explains the benefits of using Password Managers: