Password Hygiene and Security
Many of our daily activities have moved to the internet such as reading our mail, banking, watching movies, and shopping.
But what do all of these activities have in common?
If you guessed passwords, then you are absolutely correct!
All these accounts we set up require passwords and too often we take shortcuts like re-using passwords or using weak passwords to avoid having to remember multiple, complex passwords. On average, users create 150 password-protected accounts and many users reuse the same password across all accounts – with one study showing that 73% of all passwords are duplicates! This is not a security best practice, especially if you are inputting personal information on these sites. Most of us know better, but if we’re being honest most of us know we’re also guilty of this security sin. If you’ve ever availed yourself of Google’s password cleanup tool or searched yourself on sites like Have I Been Pwned—or read the news for that matter—you know that the number of sites and services that have been breached and the number of credentials that have been stolen and added to lists sold to scammers and other criminals on the dark web is truly staggering. Chances are good that every one of us has an account for a site or service that has leaked passwords and our names have shown up on one of these lists. For this reason, you need to observe good password hygiene for all of your accounts and there are a number of steps you can take that are easier today than ever—no excuses!
First things first: create a strong password
As mentioned, many of us like to use simple, easy to remember passwords and we likely never change them, because how inconvenient! We also tend to reuse our passwords, or variations of the same password for every account. Unfortunately, this can make you, your credentials, and your personal information highly vulnerable to attackers.
Here are a few do’s and don’ts for creating a strong password:
- Do use at least 10-12 characters (the more the better)
- Do use a variety of upper and lower-case alpha characters
- Do use at least one number
- Do use at least one special character
- Do use a unique password for every account and device
- Don’t use common knowledge in your passwords such as your name, birthday, phone number, your pet’s name, etc.
- Don’t use common words or phrases
- Don’t use keyboard patterns such as “qwerty”
- Don’t use a password that is too short
- Don’t use a common word spelled backwards
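The do’s and don’ts above are exactly the kind of rules a sign-up form or a password manager’s strength meter can enforce automatically. The following checker is an added example (it is not code from the original post or from Secure Sense) that turns each rule into a test: length, character classes, common words and their reversals, keyboard patterns, and personal information the caller supplies. The word and pattern lists are tiny, constructed stand-ins for the real wordlists a production checker would load.

```python
import re

# Constructed stand-ins: a real checker would load a large common-password
# wordlist (e.g. from a breach corpus) instead of this handful of words.
COMMON_WORDS = ("password", "welcome", "letmein", "dragon", "monkey", "secret")
KEYBOARD_PATTERNS = ("qwerty", "asdfgh", "zxcvbn", "12345", "abcdef")
MIN_LENGTH = 12  # the post recommends 10-12 characters; we enforce the upper end


def check_password(password, personal_info=()):
    """Return a list of rule violations; an empty list means the password passes.

    personal_info: strings the user should never embed (name, pet, birthday...),
    supplied by the caller because only the application knows them.
    """
    problems = []
    lowered = password.lower()

    if len(password) < MIN_LENGTH:
        problems.append(f"too short ({len(password)} < {MIN_LENGTH} characters)")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")

    # "Don't use common words" and "don't use a common word spelled backwards":
    # strip digits and symbols first so 'Password123!' is still caught.
    alpha_only = re.sub(r"[^a-z]", "", lowered)
    for word in COMMON_WORDS:
        if word in alpha_only:
            problems.append(f"contains common word '{word}'")
        if word[::-1] in alpha_only:
            problems.append(f"contains common word '{word}' spelled backwards")

    for pattern in KEYBOARD_PATTERNS:
        if pattern in lowered:
            problems.append(f"contains keyboard pattern '{pattern}'")

    for item in personal_info:
        item = item.lower()
        if item and item in lowered:
            problems.append(f"contains personal information '{item}'")

    return problems


if __name__ == "__main__":
    for candidate in ("qwerty", "Password123!", "Correct-Horse-Battery-9-Staple"):
        print(candidate, "->", check_password(candidate, personal_info=("Rex",)) or "OK")
```

Note that the character-class and length rules are satisfied by `Password123!`, yet it still fails because the dictionary word inside it is the part an attacker guesses first; a checker that only counts character classes would wave it through.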
If you follow these basic rules to create a strong password, it should be fairly difficult to steal. However, there are some sneaky tactics attackers use to get your passwords that you should always be aware of. So what are they?
Credential stuffing: credential stuffing occurs when a company has had a breach and its users’ credentials have been stolen. Attackers will use the stolen credentials from that particular account against a user’s other accounts – hoping to find that the passwords are the same so they can gain access.
Phishing: we’ve touched on phishing a few times this month, but due to the high risk of phishing attacks, it’s very important to be educated on how a phishing attempt can affect the security of your credentials. Often, attackers will collect your credentials through a phishing attack by simply asking for your username and password for an account, sometimes under the guise that there is a problem with the account. They may also create a look-alike login page for you to “log in” to your account to collect a prize or deal with an issue.
Password spraying: password spraying is the use of a list of common passwords tried randomly against a list of usernames. Often, users are inclined to create passwords that are fairly easy to remember, because most users don’t think they will become a target. However, using a common password such as “123abc” puts you at risk of falling victim to password spraying.
Brute Force: brute force is when an attacker “cracks” the user’s credentials. This can be done through the use of a program that runs thousands of passwords (or plain dictionary words) very quickly against the username. This is where password complexity comes into play in making it as hard as possible to crack.
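From the defender’s side, spraying and brute force leave different shapes in an authentication log: spraying is one source touching many usernames with only one or two failures each, while brute force is one source hammering a single username. The detector below is an added example (not code from the original post or from Secure Sense) that runs over a few constructed, syslog-style login events, groups failures per source address in a sliding time window, and labels each source. The line format, thresholds and addresses are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (documentation IP ranges, not real traffic) in a
# hypothetical "<timestamp> <event> user=<name> src=<ip>" format.
SAMPLE_LOG = """\
2023-10-05T09:00:01Z login_fail user=alice src=203.0.113.7
2023-10-05T09:00:04Z login_fail user=bob src=203.0.113.7
2023-10-05T09:00:07Z login_fail user=carol src=203.0.113.7
2023-10-05T09:00:10Z login_fail user=dave src=203.0.113.7
2023-10-05T09:00:13Z login_fail user=erin src=203.0.113.7
2023-10-05T09:00:16Z login_fail user=frank src=203.0.113.7
2023-10-05T09:01:00Z login_fail user=admin src=198.51.100.23
2023-10-05T09:01:01Z login_fail user=admin src=198.51.100.23
2023-10-05T09:01:02Z login_fail user=admin src=198.51.100.23
2023-10-05T09:01:03Z login_fail user=admin src=198.51.100.23
2023-10-05T09:01:04Z login_fail user=admin src=198.51.100.23
2023-10-05T09:01:05Z login_fail user=admin src=198.51.100.23
2023-10-05T09:01:06Z login_fail user=admin src=198.51.100.23
2023-10-05T09:01:07Z login_fail user=admin src=198.51.100.23
2023-10-05T09:01:08Z login_fail user=admin src=198.51.100.23
2023-10-05T09:05:30Z login_fail user=alice src=192.0.2.44
2023-10-05T09:05:41Z login_ok user=alice src=192.0.2.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>login_fail|login_ok) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({
                "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                "event": m["event"], "user": m["user"], "src": m["src"],
            })
    return events


def classify_sources(events, window=timedelta(minutes=10),
                     spray_min_users=5, spray_max_per_user=2, brute_min_fails=8):
    """Return {src_ip: label} for sources whose failures within `window` look
    like password spraying or brute force; quiet sources are omitted."""
    fails_by_src = defaultdict(list)
    for e in events:
        if e["event"] == "login_fail":
            fails_by_src[e["src"]].append(e)

    verdicts = {}
    for src, fails in fails_by_src.items():
        fails.sort(key=lambda e: e["ts"])
        # Slide a window over this source's failures and keep the busiest one.
        busiest = {}
        for i, start in enumerate(fails):
            per_user = defaultdict(int)
            for e in fails[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                per_user[e["user"]] += 1
            if sum(per_user.values()) > sum(busiest.values()):
                busiest = per_user
        distinct_users = len(busiest)
        max_per_user = max(busiest.values())
        if distinct_users >= spray_min_users and max_per_user <= spray_max_per_user:
            verdicts[src] = "password_spraying"
        elif max_per_user >= brute_min_fails:
            verdicts[src] = "brute_force"
    return verdicts


def detect(text):
    return classify_sources(parse_log(text))


if __name__ == "__main__":
    for src, label in detect(SAMPLE_LOG).items():
        print(f"{src}: {label}")
```

Credential stuffing looks the same as spraying from this angle (many usernames, one attempt each); the usual hint that a source is replaying breached pairs rather than guessing is a much higher success rate, so a production rule would also count `login_ok` events per source. Lockout thresholds tuned only for brute force miss spraying entirely, which is why the per-source view matters.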
So how do we keep ourselves safe from these attacks?
Always have unique passwords: as we’ve mentioned, your passwords should always be unique for every account and each should have the password criteria we’ve outlined to help keep them out of the hands of attackers. Having a unique password can help protect against common password hacking tactics like credential stuffing and password spraying.
Never give out your credentials via email: phishing attempts may ask you for your password and username because something is “wrong” with your account, or they may offer you a prize that requires you to log in by clicking a link. However, there will likely never be a legitimate time when you are asked to provide this information over email. Don’t give up your credentials no matter how dire or exciting the situation may seem. If you see an email from a company that you hold an account with and they are asking for this information, always call the organization directly instead.
Use multi-factor authentication whenever possible: multi-factor authentication is a method that requires the user to provide two or more verification factors to log in to an account. Typically, your first verification method is your password and the second method could be a personal security question, a code sent by text message, or even a fingerprint. Having multi-factor authentication can help keep you safe from many of the common attacks mentioned, as just acquiring your password won’t be enough for them to get into your account. Not every account will give you the option for multi-factor authentication, but more and more these days this option is provided, especially for sensitive accounts. Turn it on!
Change passwords regularly: changing your password every few months will help protect you if your password does in fact get compromised. Of course, if you have been notified that one of your passwords has been compromised, make sure to change it right away. However, if you have been notified via email that your password has been compromised, go directly to the site – do not click on the links in the email or log in through the email, as this may be a phishing attempt. For many people, this can seem like an onerous task, especially considering how many accounts we all have. This leads us to our final recommendation.
Use a password manager!
Tend to forget all these unique, complex passwords? (Which you’ve definitely gone and created after reading this, right?) Don’t have time to change your passwords regularly? Use a password manager! There are free-to-use password managers out there that you can install right into your browser to help you keep your passwords in check, such as LastPass, or your workplace may provide password manager software for you to use. You only need to remember one password to log in to your password manager, which will store all your other passwords for you. Setting up and learning to use a password manager is extremely easy and in most cases is a very good option to achieve many of the good password hygiene factors we’ve discussed all at once. But wait! “By using a password manager am I theoretically creating a single point of failure to gain access to ALL of my passwords??” you ask. In the end, the benefits of using a password manager far outweigh the potential risk given the controls that password managers put in place, such as MFA and location/device contextualized validation. So long as you’re using these features as intended and not making yourself the true single point of failure by making the mistakes we’ve discussed above, this is a very strong option.
How do I know if my passwords are compromised?
Want to know if any of your accounts have been compromised or shown up on known lists of stolen credentials? There are a variety of options such as https://haveibeenpwned.com/ that might be eye opening for many users. Simply enter the email address you use to log in to your accounts and the site will tell you if any of your passwords associated with that email have been compromised.
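The email search described above is one feature of the Have I Been Pwned service; a companion feature, Pwned Passwords, lets a site or password manager check a password against the breach lists without ever sending the password itself. The client hashes the password with SHA-1, sends only the first five hex characters of the digest, receives every suffix in that range, and matches the rest locally (k-anonymity). The code below is an added example, not code from the original post, from Secure Sense or from the service; the range response it parses is a constructed stand-in with made-up counts so it runs offline, and only the response format and the endpoint URL are real.

```python
import hashlib
import urllib.request

# Public range endpoint of the Pwned Passwords API; only used by fetch_range().
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password):
    """Split the upper-case SHA-1 hex digest into the 5-character prefix that
    is sent to the service and the 35-character suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def pwned_count(password, range_response):
    """Given the text of a range response (lines of 'SUFFIX:COUNT'), return how
    many times `password` was seen in breaches, or 0 if it is not listed."""
    _, suffix = sha1_prefix_suffix(password)
    for line in range_response.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix):
    """Live lookup (network required): fetch all suffixes for a 5-char prefix.
    Nothing but the prefix leaves the machine."""
    with urllib.request.urlopen(RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


def is_pwned_online(password):
    prefix, _ = sha1_prefix_suffix(password)
    return pwned_count(password, fetch_range(prefix))


# Constructed response for prefix 5BAA6: the real service returns hundreds of
# suffixes; the counts here are invented. The third line is the genuine suffix
# of SHA-1("password"), so that entry will match.
CONSTRUCTED_RANGE_5BAA6 = """\
003D68EB55068C33ACE09247EE4C639306B:3
012C192B2F16F82EA0EB9EF18D9D539B0DD:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:9876543
21BD12DC183F740EE76F27B78EB39C8AD97:4
"""


if __name__ == "__main__":
    for pw in ("password", "Correct-Horse-Battery-9-Staple"):
        prefix, _ = sha1_prefix_suffix(pw)
        n = pwned_count(pw, CONSTRUCTED_RANGE_5BAA6)
        print(f"{pw!r}: prefix {prefix}, seen {n} times in constructed data")
```

A sign-up form that calls `is_pwned_online()` can reject a password that already appears in breach dumps, which blocks the exact inputs that credential stuffing and password spraying rely on, and the k-anonymity design means the check itself does not become a new way to leak the password.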
If you have any other questions on how you can stay safe online, don’t hesitate to reach out to us at firstname.lastname@example.org.
Don’t forget, our weekly quiz will be posted on LinkedIn on Friday! The quiz will cover the blogs this week on Human Disadvantage and Security.
In honour of Cyber Security Awareness Month, we will be sharing insight on the latest cybersecurity news, tips from Secure Sense experts and general security knowledge geared towards keeping you out of the headlines and focused on what matters most, your business. Don’t miss a beat by following along on our Twitter, Facebook and LinkedIn Pages.
Read more about password hygiene at the blog:
Secure Sense is the security provider that cares. We are a team of experts with a passion for IT and protecting your organization is what motivates us daily. If you have questions or want to learn more about how we can improve your organization’s security, our services or just want to chat security please give us a shout.