By SBRC Ethical Hacker Paul.

Take a moment to consider the device you are reading this on, whether it be a phone, laptop, or desktop. Is this a work or personal device; what information or personal details are stored on it? Would you want just anyone to be able to access and view that data?

The answer is probably no, right? 

Strong passwords are an important step in our quest for safe online practice, but we often undermine them. We make them very easy to remember, we want them quick to type, and we include personal information such as birthdays, which is easy to look up on social media.

We also reuse them across multiple services and websites. All of this leads to poor password security, because the passwords are short and easy to brute force – a hacking technique where a computer tries thousands of password guesses a second until it finds the correct one.

Reusing passwords for multiple accounts puts them at greater risk of being breached, as attackers are likely to try the same email/password combination on multiple mainstream sites, such as Facebook, Twitter, LinkedIn, etc.

So how do we improve our security without making things difficult for our staff?  Well, there are a few things we can do: 

  • Don’t enforce regular password changes. This may sound counter-intuitive at first, but it has been shown to only frustrate users, and often only minor changes are made anyway, e.g. password1 is changed to password2.
  • Make Two-Factor Authentication (2FA) part of your login process. This free security feature adds another layer of protection, as users are prompted to input a code sent via SMS, email, or an authenticator app whenever they log in; a hacker might guess your password, but they won’t have your phone.
  • Check passwords against lists of common or breached passwords, as these are the first things that hackers will try. You can check passwords against the https://haveibeenpwned.com/Passwords utility, which will tell you if a password has been seen in any breaches.
  • Use different passwords for ALL accounts, especially between business and personal.
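The breached-password check above can be automated at account-creation or password-change time without ever sending the password itself to a third party. The Pwned Passwords service accepts only the first five hex characters of the password's SHA-1 hash and returns every known suffix for that prefix, so the match is made locally. The following is an added example written for this article, not code from SBRC or from Have I Been Pwned; the range response it parses is a constructed sample (the breach counts in it are made-up values), and the `min_length` policy knob is an assumption of this example.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

# Constructed sample of a Pwned Passwords "range" response for the prefix
# "5BAA6" (the SHA-1 prefix of the password "password"). Each line is the
# remaining 35 hex characters of a SHA-1 hash, a colon, and a breach count.
# The counts here are made-up values for this offline demo; the real service
# returns several hundred lines per prefix. A count of 0 is how the service
# marks padding lines (returned when the "Add-Padding" header is sent) so that
# response sizes do not leak which prefix was queried.
SAMPLE_RANGES: Dict[str, str] = {
    "5BAA6": "\r\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
        "6ED2B5C4D0C6B2B5E3F5A2A1B9C8D7E6F5A:0",   # padding line, not a hit
    ]),
}


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into the 5-char prefix
    that is sent to the service and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into a {suffix: count} dict.
    Blank lines and malformed counts are tolerated and treated as 0."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count) if count.isdigit() else 0
    return counts


def fetch_range_online(prefix: str) -> str:
    """Query the real k-anonymity endpoint. Only the 5-char prefix leaves the
    machine. Not used by the offline demo or its test."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "password-policy-check"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def fetch_range_offline(prefix: str) -> str:
    """Offline stand-in for the service, backed by the constructed sample.
    Unknown prefixes return an empty body, i.e. no known breaches."""
    return SAMPLE_RANGES.get(prefix, "")


def breach_count(password: str,
                 fetch: Callable[[str], str] = fetch_range_offline) -> int:
    """How many times the password has appeared in breaches (0 = never seen).
    `fetch` is injected so the same logic runs offline in tests and online
    in production."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


def is_acceptable(password: str,
                  fetch: Callable[[str], str] = fetch_range_offline,
                  min_length: int = 12) -> bool:
    """Assumed policy for this example: a password is accepted only if it
    meets a minimum length and has never been seen in a breach. The length
    floor reflects the advice that length matters more than complexity."""
    return len(password) >= min_length and breach_count(password, fetch) == 0


if __name__ == "__main__":
    for candidate in ("password", "GoldilocksBearPorridge"):
        print(f"{candidate!r}: seen {breach_count(candidate)} times, "
              f"acceptable={is_acceptable(candidate)}")
```

To use this in production, pass `fetch=fetch_range_online` to `is_acceptable`; the offline default exists so the parsing and matching logic can be exercised without network access. The "Add-Padding" header is sent so that the size of the response does not reveal which prefix was asked for; padded lines carry a count of 0 and are never treated as a hit.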

Another key consideration is education; help communicate best password practice to staff. Whilst complexity used to be emphasised when making a password, it is now length that is considered much more important. The NCSC recommends the use of passwords made up of three individual words, such as “GoldilocksBearPorridge”.

These are also known as passphrases, which can be made up of any number of words strung together. They are strong because they have length, but they are also easier to remember than a complicated jumble of letters and numbers.

Encouraging the use of password managers can also be extremely beneficial. These are services that store passwords in a secure database that can only be accessed via a single master password.

Password managers will normally come with a phone application or browser extension, allowing you to access your passwords wherever you go. 

A great benefit is that they allow for the generation and use of extremely long and complex passwords that would be impossible for a hacker, or even a supercomputer, to guess. The best part? They remember these passwords so that you don’t have to. Except the master one, of course!