There is an old IT joke about treating your passwords like your underwear – change them often, don’t leave them lying around and don’t share them. While that is good advice, is it still valid in 2018?
Given the rise in cyber threats and the sheer volume of emails sent everyday designed to trick you out of your email address and password, you need to know what is good advice and what is bad advice in this critical area.
So how relevant are those three simple guidelines?
Having different unique passwords, with each one used solely for each particular web site, provides many times more protection than a constantly changing, but easier to guess password. If an attacker fails with a password of Petname15, guessing Petname16 isn’t much of a leap.
Threats to your account are more likely to be attempted from outside your work environment. But still, never write your password down. Ever. All it takes is for a disgruntled employee to see your password and act on it out of hours, or to tell it to someone else outside the workplace for them to act on it.
This is key in the battle to stay safe online. Using one or two passwords for all your online services leaves you terribly exposed. If one of your providers gets hacked (let’s say Facebook), and you’ve re-used that password all over the web, the attackers will then know your Twitter password, your LinkedIn password, your Instagram password etc.
Each log in attempt must be accompanied by a response from you on a different device, usually your mobile phone. You need to approve the log in. If you get notification of a log in attempt that wasn’t you, don’t authenticate it. The attacker cannot then access your account even with the correct password.
Having a unique password for each and every on-line service makes things many times more secure. If one provider gets hacked, you only need to change one password, and they can’t use that cracked password elsewhere. That causes another issue though, how do you remember all your different passwords?
If an attacker has obtained information about you and your family though a technique called social engineering (from such things as your social media posts, for example) they are more likely to try those words and names in a password attack.
By this we mean a password that is difficult guess by brute force. A brute force attack is when a computer uses a dictionary and some clever programming to generate passwords. If you obfuscate your password by making letter substitutions such as changing an S to a $ it won’t make any difference to the cracking program because they know all the common substitutions (3 for E and 4 for A, and so on). It adds nothing in terms of protection.
Which of the following passwords do you think would be more secure?
• Password
• X195jH&fX2
• red.fish.balloon
Compare the difficulty in remembering the password with the time required to hack it, using a service such as https://howsecureismypassword.net/
Click the following plus symbols to reveal how secure each of the passwords is...
Make sure to have a password or other security measure on all of the devices you use to access services and your data. This includes mobile phones, tablets, laptops, desktop PCs, and more advanced book readers. If any of your devices are open to anyone to use you are effectively doing the same as leaving your car unlocked. Making all your devices difficult to access is a fundamental requirement (especially if you have a password manager application installed). Remember to set up remote access wipe facilities within your account settings too.
Contact us today if you want some expert guidance on introducing an effective password policy within your business.