Password security is an age-old problem in the online world, and with the steady stream of cyber incidents and mega breaches in the news, it is more relevant than ever.
This article offers practical insights and advice on managing your passwords, so that your online accounts are protected against compromise by cyber criminals.
Common password security challenges
The problem is this: how do you ensure that the dozens of passwords you use to access online services are all strong and hard for cyber criminals to guess, while still remembering them? Let's look at the various ways people try to solve this problem, and the pitfalls, insights and tips that go with each...
Do you re-use your passwords?
You'd be surprised how many people try to solve this memory problem by re-using the same (hopefully strong) password across multiple sites and services. If you are someone who does this, you are unfortunately an easy target for hackers no matter how strong that one password is.
All the bad guys have to do is take your credentials from a previous breach such as LinkedIn, Dropbox or Yahoo, available on the dark net, and try them on other popular services such as iCloud, Google, Yahoo or Outlook (an automated attack known as "credential stuffing"). Before you know it they have access to more of your accounts, which they can then use to reset the passwords on other services. That's assuming you haven't set up multi-factor protection on your important accounts.
The hackers then pillage your accounts for anything useful: personal documents, bills, financial statements, scans of passports and driving licences, and so on. In some cases they use this information for identity take-over, such as opening new businesses or bank accounts in your name, or applying for loans.
In more extreme cases they might misuse your compromised email account to send phishing emails from you to your contacts, in the hope that they will give up their credentials too.
Scary stuff, but unfortunately you'd be surprised how often these sorts of events actually happen.
Do you store your passwords in a spreadsheet or file on a computer?
This approach is also problematic. If your computer is infected with malware or otherwise compromised, that file can be extracted and handed to cyber criminals, giving them access to everything. And yes, password-protected spreadsheets and office documents are also easy to crack if the password is weak or short: the attacker copies the file and tries guesses offline at machine speed, with no account lockout to slow them down (older Office file formats use weak encryption that can be broken regardless of the password).
Utilities that automate this guessing are freely available, on hacker forums and elsewhere.
Do you write your passwords on a piece of paper?
Some people do... It's not an absolutely terrible solution, but how safe it is depends entirely on how securely that piece of paper is stored and managed (a note stuck to the monitor or kept next to the laptop defeats the purpose).
Password Reset Pitfalls
While we're on the subject of passwords, it's also really important to appreciate that certain online accounts create a particularly significant security risk if they are compromised.
For example, most websites let you reset your password if you've forgotten it, by emailing you either a new password or a link to a page where a new one can be set. So if your email account, your "crown jewels", has already been compromised by cyber criminals, they can read every message you receive and use those reset emails to take over many of the other online services you use: LinkedIn, Facebook, iCloud, PayPal, even your bank accounts.
So have your credentials already been compromised?
OK, enough of the scare talk; now for the practical part, and taking action.
If you're concerned that your online accounts have previously been compromised or your credentials exposed, one easy way to check is to enter your email address or username at "Have I Been Pwned", available at http://www.haveibeenpwned.com/. This service maintains a database of user accounts that have been exposed in data breaches. The AMP Cyber Security team often talk about this service, as it's a really effective way to quickly check whether your credentials are potentially in the hands of hackers or cyber attackers. Its "Pwned Passwords" feature also lets you check whether a password itself has appeared in a breach, and it is designed so that the password you check never leaves your device.
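How that password check can work without sending your password to the site, as an added example that is not part of the original article: the password is hashed with SHA-1, only the first five hex characters of the hash are sent to the public range endpoint (https://api.pwnedpasswords.com/range/<prefix>), and the response lists every hash suffix in that range with a breach count, so the match is done locally. The sample response below is constructed for offline use (the suffix for "password" is its real SHA-1 remainder; the other suffixes and all counts are made up), and the online fetcher is shown but never called.

```python
import hashlib
import urllib.request

# Constructed sample of a Pwned Passwords "range" response, keyed by the
# five-character SHA-1 prefix that would be sent to the service. The middle
# suffix is the real SHA-1 remainder of the password "password"; the other
# suffixes and every count are made up for this offline example.
SAMPLE_RANGES = {
    "5BAA6": (
        "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
        "1F0B7B4C2EB3DDFE7E8B6D2B0E4D0B0A0C9:0\r\n"
    )
}

RANGE_ENDPOINT = "https://api.pwnedpasswords.com/range/"


def hash_split(password: str) -> tuple:
    """Return (prefix, suffix): the first 5 and remaining 35 hex characters
    of the password's upper-case SHA-1 digest. Only the prefix ever leaves
    the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range_online(prefix: str) -> str:
    """Real fetcher (not called in this example): GET the range for a prefix.
    The service rejects requests without a User-Agent header."""
    req = urllib.request.Request(
        RANGE_ENDPOINT + prefix, headers={"User-Agent": "pwned-check-example"}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def fetch_range_offline(prefix: str) -> str:
    """Stand-in fetcher that serves the constructed sample above."""
    return SAMPLE_RANGES.get(prefix, "")


def parse_range(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}. Padded responses may
    contain suffixes with a count of 0; keep them so a match still reports 0."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep and len(suffix) == 35:
            counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range=fetch_range_offline) -> int:
    """Number of times the password appears in the breach corpus (0 = not seen).
    The 35-character suffix comparison happens locally, never on the server."""
    prefix, suffix = hash_split(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for pw in ("password", "a8*jJpw$e49J^ge%27d!"):
        n = pwned_count(pw)
        print(f"{pw!r}: seen {n} times" if n else f"{pw!r}: not in sample data")
```

To check against the live service, pass fetch_range_online as the fetcher; the prefix is all the service ever sees, so even a weak password is not disclosed by the check itself.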
So let's talk about 'strong' passwords
The majority of websites you visit will recommend that you use a 'strong' password to minimise the chance of compromise by cyber criminals. The point is to ensure that your password can't simply be guessed, or found by automated software trying millions of candidates per second (referred to as a 'brute-force attack' by us security geeks). To minimise the possibility of your online accounts being compromised, a strong password typically needs to be at least 20 characters long, and ideally uses a combination of numbers, upper and lower case letters and special characters. Like this:
a8*jJpw$e49J^ge%27d!
If you're having trouble generating one, here are two useful links: https://passwordsgenerator.net/ and https://strongpasswordgenerator.com/ (a password manager's built-in generator, discussed below, is preferable because the password never leaves your device).
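What "strong" means in numbers, as an added example that is not part of the original article: a password drawn uniformly at random from the 94 printable ASCII characters carries log2(94), about 6.55 bits, per character, so 20 characters gives roughly 131 bits, far beyond any brute-force budget. The generator below uses the operating system's cryptographic random source and rejection-samples until every character class is present; the 20-character minimum and the class rule are the article's own rule of thumb, and the 1e10 guesses-per-second attacker is an assumed figure for illustration.

```python
import math
import secrets
import string

# Character classes the article asks for: numbers, upper/lower letters, symbols.
CLASSES = {
    "lower": frozenset(string.ascii_lowercase),
    "upper": frozenset(string.ascii_uppercase),
    "digit": frozenset(string.digits),
    "symbol": frozenset(string.punctuation),
}
# All 94 printable ASCII characters, excluding space.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy of a uniformly random password of this length.
    Only valid for *random* passwords; "Password123" has far less."""
    return length * math.log2(alphabet_size)


def average_crack_seconds(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected brute-force time: on average half the keyspace is searched.
    1e10 guesses/s is an assumed figure for a well-resourced attacker
    against a fast hash, not a measurement."""
    return (2 ** bits) / 2 / guesses_per_second


def missing_classes(password: str) -> list:
    """Names of the character classes absent from the password."""
    return [name for name, chars in CLASSES.items()
            if not any(c in chars for c in password)]


def meets_policy(password: str, min_length: int = 20) -> bool:
    """The article's rule of thumb: at least 20 characters, every class present."""
    return len(password) >= min_length and not missing_classes(password)


def generate_password(length: int = 20) -> str:
    """Uniformly random password over ALPHABET using the OS CSPRNG (secrets,
    never the random module). Rejection-sample until every class is present,
    which keeps the distribution uniform over the accepted passwords."""
    if length < len(CLASSES):
        raise ValueError("length must allow one character of each class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not missing_classes(candidate):
            return candidate


if __name__ == "__main__":
    pw = generate_password(20)
    bits = entropy_bits(len(pw))
    years = average_crack_seconds(bits) / (365 * 24 * 3600)
    print(f"{pw}  ({bits:.0f} bits, ~{years:.2e} years at 1e10 guesses/s)")
    for sample in ("P@ssw0rd", "Password123", "a8*jJpw$e49J^ge%27d!"):
        print(f"{sample!r}: policy ok={meets_policy(sample)} "
              f"missing={missing_classes(sample)}")
```

Note that the entropy figure only applies to passwords produced this way; a human-chosen string like "P@ssw0rd" satisfies every class rule yet sits near the top of every cracking wordlist.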
But as previously mentioned, the problem is that a password like that isn't exactly memorable. Multiply that by 10, 20 or 50 online systems, and you have a real challenge remembering them all. All of my passwords are 25 or more characters long, mostly a random mix of upper case, lower case, numbers and symbols. So how on earth do I remember them all?
Simple... my secret is that I use a password manager on all of my devices, secured with multi-factor authentication, otherwise known as "MFA" or "two-step" verification, which is covered in more detail in another recent Cyber Security Matters article. So let's explain how password managers work, and how you combine one with MFA to protect your accounts...
Using a password manager to store your passwords securely
Password managers store your passwords in an encrypted vault, and as mentioned above let you additionally protect access to that vault with multi-factor authentication (MFA). They also generate very strong, long passwords for you.
They're super convenient to use, and basically log you in automatically to any online account you've set up, so you never have to remember or type your complex passwords. Once initially set up and configured, you simply enter your password manager "master" password, then complete a multi-factor challenge using an authenticator app on your phone (approving it with your thumb print), and the password manager does the rest for the day... All of your long, super complex passwords are entered automatically for you.
So what if the password manager password is compromised?
This is one of the most common questions people ask when learning about password managers. That's the whole point of setting up your password manager with MFA: it gives you an extra layer of protection. So even if someone learns your master password, they can't log in to your password manager account without also passing your MFA challenge, and your vault stays inaccessible to them. The one caveat a practitioner would add is that MFA protects the login to your vault, not the vault data itself: with most password managers the encryption key is derived from the master password, so an attacker who obtains a copy of the encrypted vault (say from a stolen laptop) and your master password can decrypt it offline, MFA or not. That is why the master password must be long, unique and never reused, and why the app's own lock features (locking after inactivity, a PIN or biometric to unlock) still matter.
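What the authenticator app on your phone is actually doing when it produces that six-digit code, as an added example that is not part of the original article: a time-based one-time password (TOTP, RFC 6238) is an HMAC-SHA1 of the current 30-second time slot under a secret shared with the service at enrolment, truncated to six digits. The code below implements both the client side (generating the code) and the server side (verifying it with a small clock-skew window). The shared secret used for checking is the RFC's published test secret, and the base32 string in the demo is a constructed enrolment secret, not one from any real service; the server-side window of one step either side is a common but assumed choice.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 test secret (ASCII "12345678901234567890"), chosen so the codes
# can be checked against the RFC's published test vectors.
RFC_SECRET = b"12345678901234567890"


def secret_from_base32(text: str) -> bytes:
    """Decode the base32 secret shown when enrolling an authenticator app
    (spaces and missing '=' padding are tolerated)."""
    cleaned = text.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, dynamic
    truncation to 31 bits, then the last `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, for_time: float = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the number of `step`-second
    intervals since the Unix epoch. This is what the phone app computes."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time // step), digits)


def verify_totp(secret: bytes, code: str, for_time: float = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check: accept the current code or one from up to `window`
    steps either side to absorb clock skew. Each comparison is constant-time
    so a wrong code cannot be distinguished by timing."""
    if for_time is None:
        for_time = time.time()
    counter = int(for_time // step)
    return any(
        hmac.compare_digest(hotp(secret, counter + drift, digits), code)
        for drift in range(-window, window + 1)
    )


if __name__ == "__main__":
    # Constructed enrolment secret, formatted as an authenticator app shows it.
    app_secret = secret_from_base32("JBSW Y3DP EHPK 3PXP")
    code = totp(app_secret)
    print("current code:", code, "accepted now:", verify_totp(app_secret, code))
    # The same code replayed ten minutes later is rejected, even by someone
    # who also knows the master password.
    print("ten minutes later:", verify_totp(app_secret, code, time.time() + 600))
```

The security property that answers the question in the heading is visible in verify_totp: without the shared secret, knowing the master password does not let an attacker produce a code for the current time slot, and a captured code stops working after at most a minute.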
Choosing a Password Manager
There are a variety of password management solutions out there, and many of them offer a version of their software at little or no cost. The solution you choose will ultimately depend on your individual needs, and how you choose to balance convenience with security.
Examples of password management solutions available online include LastPass, Dashlane, and a range of others. View this review for more details on the various solutions out there.
The best password managers typically work across all of your personal computers, mobile devices, and browsers. They offer a variety of two-factor authentication options so you can ensure no one else can log into your password vault, even if they did somehow get hold of your master password, plus have features like complex password generators, and password strength reviews / reports.
Do you store your passwords in your browser?
While web browsers like Safari, Chrome, Firefox, Internet Explorer and others all have integrated password managers, these are not recommended. Some of them do not help you generate strong passwords, and the saved passwords are protected only by your operating system login: malware running under your user account can use readily available tools to decrypt and dump every password stored in the browser.
So in summary, there are three very important considerations to be aware of from a password management perspective:
1. Don’t ever use the same password across multiple websites or services. It might be convenient for you, but makes it even more convenient for a hacker or cyber attacker to gain access to your accounts. Consider using a password manager to help you do this.
2. Don't store your passwords in plain text on your computer (or elsewhere in the 'cloud', such as in your email account). We hackers and computer buffs can get to them pretty easily. Use a password manager.
3. Don’t use an easy to guess password or a dictionary based word e.g. P@ssw0rd, Password123 or Monday123, because it doesn’t take long for automated hacking tools to crack it!
Use a password manager to create long and strong complex passwords.