Password Security - Why Simple Is Best
Published 10 Dec 2019

We have produced articles in the past regarding passwords here and here and while the information contained in them is still perfectly valid, timely reminders are needed to maintain the safety-first approach we recommend.
This guide has been produced to supplement our previous articles and to set out solid advice we can all follow as we look forward to 2020.

Step 1 – Check If Your Email and Password Have Already Been Compromised

We have spoken about the haveibeenpwned website previously. It is a great site for checking whether your details have been involved in a known breach. Head over there now and enter your email address to see whether you need to move on to step 2.

[Image: Have I Been Pwned]

Step 2 – Set Yourself Up With A New, Secure Password

If, like Bill in the example above, your email address and a password have previously been compromised, you’ll be told which site had the breach. If you haven’t already changed that password on that site, do so immediately, and change it everywhere else you have used that email and password combination. Of course, you shouldn’t use the same password on multiple sites: if that email and password combination is revealed by a breach on one site, every other site where you use it to authenticate is compromised too. OK, you’re going to change your password. But what should you change it to?

Earlier this year the National Cyber Security Centre (NCSC) and HaveIBeenPwned jointly released a list of the top 100,000 compromised passwords, so it makes sense not to use one of them!

Our advice for passwords has long been three.random.words separated by full stops or other punctuation: very easy to remember and very time-consuming for a computer to crack by brute force. Even “three.random.words” itself is very secure (but please don’t all use it)!

You can check the strength of any password you want to use via the Password Check page on the experte site, as shown below:

[Image: Experte Password Integrity Check]

When setting up a new password, do not use children’s names, spouse names, pet names, football teams, or any other information that has a connection or meaning to you. Keeping your words completely random is the most secure method.
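As an added example (not code from the original article or from Pro-Networks), this is how the HaveIBeenPwned password check can be done without ever sending the password itself: only the first five hex characters of its SHA-1 hash go to the Pwned Passwords range API, and the match is made locally. The range response embedded here is constructed so the script runs offline; `fetch_range` shows the real call.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Real Pwned Passwords "range" endpoint. With k-anonymity only the first five
# hex characters of the password's SHA-1 hash ever leave your machine.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case SHA-1 hex digest into a 5-char prefix and 35-char suffix."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse a range response (one 'SUFFIX:COUNT' per line) into {suffix: count}."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, get_range: Callable[[str], str]) -> int:
    """How many times the password appears in the breach corpus (0 = not found).
    get_range(prefix) returns the range response body for a 5-char prefix."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(get_range(prefix)).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Fetch the real range response for a prefix (needs network access)."""
    from urllib.request import Request, urlopen
    req = Request(PWNED_RANGE_URL + prefix, headers={"User-Agent": "pw-check-example"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed offline sample: a fake range response for the prefix of
# "password123" containing its suffix plus two unrelated ones (counts invented).
_PREFIX, _SUFFIX = sha1_prefix_suffix("password123")
SAMPLE_RANGES = {_PREFIX: "\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:2",
    _SUFFIX + ":123456",
    "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:1",
])}

if __name__ == "__main__":
    for candidate in ("password123", "three.random.words"):
        n = breach_count(candidate, lambda p: SAMPLE_RANGES.get(p, ""))
        print(f"{candidate!r}: {'seen %d times' % n if n else 'not in sample corpus'}")
```

To check against the live corpus, pass `fetch_range` as `get_range` instead of the sample lookup.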

Step 3 – Do not reuse your passwords on multiple accounts

What we mean by this is: don’t use the same password to access your different accounts. Always have a unique password for each site or service you log in to. Keeping track of a lot of unique passwords can be difficult, but thankfully there are password managers to keep this nice and simple. Some popular options are Zoho, Dashlane and my personal favourite, LastPass. I have LastPass set up on my phone and on my PC, meaning I never need to remember or type a password – the program does it for me! You don’t need to worry about the password manager being hacked, because the passwords are stored in an encrypted form that requires information from your PC to decrypt them. So even if the encrypted passwords were stolen from the password manager company, the bad guys can’t decrypt them. In daily use, when you need a password, the encrypted password is sent to your browser or phone and decrypted locally using private keys that are never transmitted elsewhere.

Remember, it may not be your fault that your password is compromised: if a service or site you use has a breach (and who hasn’t had a breach recently?), then your email address and password combination is either freely available on the dark web or being sold for a fraction of a penny.

Step 4 – Set Up Two / Multi-Factor Authentication

Two-factor / multi-factor authentication is a security mechanism that asks you to confirm a successful log-in on a device, usually via an alert sent to your mobile phone. This means that if a hacker gets hold of your email address and password and tries to access your email account, they can’t, because you have to authorise the log-in via your phone, as shown below:

[Image: What Does 2FA / MFA Look Like]

The hacker can still access the account where the compromise happened, and will be able to do so until you change your password. It is common practice for these known email address/password combinations to be tried on other services (online banking, PayPal and social media accounts, for example), so having a unique email address and password combination for each service, in conjunction with 2FA / MFA, is nothing other than common sense.

If you would like more information about good password policies or help with setting up 2FA / MFA at your workplace, please speak to your usual contact at Pro-Networks – we would be delighted to help!
