Why is password security so important?
If you’re anything like most people, you have more passwords than you know what to do with. If you have an email, Facebook, LinkedIn, Twitter, plus logins to any online shopping sites, your router, other social media, or online banking, you’re well on your way to having more online accounts than you can possibly remember passwords for.
According to a 2014 study by the U.S. Department of Commerce, “On average, DOC employees had nine accounts at work that require logins”. Perhaps nine seems manageable enough, but as time goes on and more facets of our day-to-day lives become digital, that number is only increasing. It’s safe to say that passwords are — or definitely should be — a growing concern.
Remembering them all can seem like a Herculean task, but as passwords are often the only thing standing between your private information and the prying eyes of others, they’re undoubtedly important. And if you use the same password for more than one account, and just one of them is compromised, you are at risk.
SplashData’s list of the worst passwords by year. Image source: Wikipedia
Password security guidelines
When it comes to beefing up your password security, there are some important guidelines you should follow:
Use at least 8 characters in every password, and ideally more. With passwords, size does matter! For reference, NIST recommends that organisations give a maximum password length of 64 characters — the longer your password is, the harder it is to break or guess, and even adding one or two extra characters can help to keep it secure.
Don’t just make your password long, but make it complex as well. Rather than opting for the password “111111111111” — which may be long, but isn’t very secure — try going for an unusual catchphrase or memorable (but little-known) quote. “Working9to5” is much more difficult to guess than “football”.
Check your passwords against lists of known bad password options, and avoid those at all costs. Examples of well-known bad options include “thisisapassword” and “changeme”. These choices are a lot more popular than you’d think, and they’re very easy for a would-be hacker to guess.
Make your password for each account different. Reusing passwords may seem like a good idea, but it’s a huge security risk: if you use the same password repeatedly and someone works it out once, all of your accounts will be compromised.
It may sound counter-intuitive, but don’t change your passwords too often. Obviously, if you think your security may be compromised you should update things, but otherwise, it’s better to create a solid and memorable password that you keep for a long time than it is to add a different digit to a weak password every month.
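The guidelines above can be turned into a simple registration-time check. The following is an added example, not code from the original post: it enforces the minimum length, rejects entries on a (constructed, deliberately tiny) known-bad list even when they are padded with digits or punctuation, and flags long-but-repetitive strings such as “111111111111”.

```python
import re

# Constructed sample blocklist for illustration; a real deployment would load a
# large breach-derived list rather than a handful of entries.
KNOWN_BAD = {
    "password", "thisisapassword", "changeme", "football",
    "123456", "qwerty", "letmein",
}

MIN_LENGTH = 8
MAX_LENGTH = 64  # accept long passphrases rather than capping users short


def check_password(candidate: str) -> list:
    """Return the reasons a candidate fails the guidelines (empty list = acceptable)."""
    problems = []

    # Length is the first line of defence: too short is easy to brute-force,
    # and an overly low cap would stop people using long passphrases.
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(candidate) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")

    # Normalise before the blocklist lookup so that "ChangeMe!" or "football1"
    # do not slip past a list that only contains the bare word.
    lowered = candidate.lower()
    letters_only = re.sub(r"[^a-z]", "", lowered)
    if lowered in KNOWN_BAD or letters_only in KNOWN_BAD:
        problems.append("appears on the known-bad list")

    # A long string built from one or two repeated characters satisfies the
    # length rule but is trivial to guess, so treat it as a failure too.
    if len(set(candidate)) <= 2:
        problems.append("uses only one or two distinct characters")

    return problems


if __name__ == "__main__":
    for sample in ("football", "111111111111", "ChangeMe!", "Working9to5"):
        verdict = check_password(sample) or ["ok"]
        print(f"{sample!r}: {', '.join(verdict)}")
```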
Test out how long your passwords would currently take to be hacked here: https://howsecureismypassword.net/
Our explainer video highlights how to create secure passwords: a good password is hard for other people to guess, but easy for you to remember!
When looking at strengthening your password security, two-factor authentication (2FA) can be an excellent tool, and more organisations are now requiring it for all their accounts. But what is it, and how do you effectively use it?
Two-factor (or multi-factor) authentication, much like its name suggests, is when two separate hurdles must be cleared in order to access an account. For example, when you set up an online account you may have to provide your mobile phone number so the site can send you a code via text message; this code and your password are the two factors required to gain access. Two-factor authentication typically requires you to provide something you know and something you have.
An example of two-factor authentication that almost everyone is familiar with is used when we’re attempting to access a bank account via ATM. There are two requirements for access: your bank card (something you have), and your PIN (something you know). Having only one of these will not allow access, and by requiring both, it makes it much more difficult for thieves to access your account.
Two-factor authentication reduces risk, but unfortunately it doesn’t eliminate it. The text messages with codes can be intercepted, and techniques such as phishing and malware can still be used to bypass a two-step login process. However, if you have the option, two-factor authentication is a useful way to beef up your online security.
There are useful tools that provide you with a list of 2FA-enabled websites. Always check whether sites that will hold your sensitive information provide two-factor authentication.
KeePass password generation options. Image source: KeePass.info
What about password managers?
When talking about password security, it would be remiss not to mention password managers — or, as they’re otherwise known, password keepers or password safes.
Many operating systems and browsers now come with built-in password managers, and there are also cloud-based options or local programs available to download. The way they work is quite simple: you create a “master password” which is used to manage all other passwords. When creating a new account, you can generate a random string of numbers, letters and symbols which you don’t have to memorise as long as you have your master password. This allows you to use a unique, high-strength password for every new online account.
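The random-string generation a password manager performs is easy to get wrong (using a non-cryptographic random source, or a biased selection method). The block below is an added example, not the code of any of the managers named on this page: it draws each character uniformly from a 94-symbol alphabet using Python's CSPRNG-backed `secrets` module, keeps only candidates that contain every character class, and reports the entropy gained by making the password longer (the cracking rate used for the time estimate is an illustrative assumption).

```python
import math
import secrets
import string

# Assumed alphabet: ASCII letters, digits and punctuation (94 symbols in total).
ALPHABET = string.ascii_letters + string.digits + string.punctuation
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def generate_password(length: int = 20) -> str:
    """Draw a uniformly random password that contains every character class."""
    if length < 8:
        raise ValueError("passwords should be at least 8 characters long")
    while True:
        # secrets.choice (not random.choice) is the CSPRNG-backed, unbiased pick.
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Rejection sampling keeps the distribution uniform over all strings that
        # satisfy the class requirement, unlike inserting one char per class.
        if all(any(ch in cls for ch in candidate) for cls in CLASSES):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random string: log2 of the size of the search space."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected time to search half the space at an assumed offline guessing rate."""
    return (2.0 ** bits) / 2 / guesses_per_second


if __name__ == "__main__":
    for n in (8, 12, 20):
        bits = entropy_bits(n)
        print(f"{n:2d} chars: {bits:6.1f} bits, ~{expected_crack_seconds(bits):.3g} s "
              f"at 1e10 guesses/s (assumed rate)")
    print("example:", generate_password(20))
```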
There are a few important things to bear in mind when considering a password manager, however: the master password you use should be something you won’t forget, so you don’t lose access to all your other passwords; it should also be extremely secure, as using a weak password to protect all others rather defeats the purpose.
Some well-known examples of password managers that store passwords in the cloud include 1Password, LastPass and Dashlane. RoboForm, Password Safe and KeePass are examples of local programs. Some people have concerns about storing password information in the cloud, which is something to keep in mind.
Password managers can be invaluable tools when it comes to password security, but there are possible issues with using them. A well-known example is LastPass, which had a “major architectural problem” that was discovered by a Google security researcher. It’s a worrying example — however LastPass did fix the issue quickly and communicate openly with its users, which may help mitigate concerns. There are also security concerns regarding browser-based password managers, as these run a greater risk of being compromised by dodgy websites and malware.
When considering a password manager, always check reviews and the company’s background and track record before committing. But if you do your due diligence, password managers can be another form of protection against lax password security.
Having robust password security is just as important as guarding the combination to a safe. Don’t leave yourself defenceless. Here at GoldPhish, we believe that online security should be accessible and easy for everyone, and we work towards that by providing training, education and solutions that adapt to ongoing change. Keep up with our future blog posts for more information and useful tips; for now, if you have any questions or comments, leave us a comment below.