Weak passwords and reuse of the same password across many platforms and websites are wreaking havoc on our daily lives.
You’ve probably heard it before, but for passwords to be as effective and secure as they were intended to be, we need to adopt a stronger password policy.
Too often we see businesses, and in some cases individuals, using lazy passwords such as password, pa55w0rd or chang3m3 for users to access their systems. While we understand that easy-to-remember passwords are favoured by the individual, they also allow hackers to guess your password much more quickly.
Why do you have a password?
Firstly, to help you understand the severity of the situation, ask yourself why we have passwords in the first place. Then think about your own passwords.
If you enter your password to access your online banking, email account, energy supplier and so on, how would you feel if other people could log in and access or view that information too? A password is there for a reason: to prevent unauthorised access to privileged and confidential information.
Using an easy-to-guess password puts you at far higher risk than someone with a more complex password.
How do hackers gain access to your account?
Before discussing how to create a strong password, we should explain how a hacker gains access to your account. There are many ways of doing this; we list some of them below. Please note this list is not exhaustive.
- You’ve used a password before on another website or system that has been compromised.
- An employee at a company with access to your information may have stolen it from their employer.
- You’ve clicked a link in an email you thought was legitimate, and malicious software has captured the information you entered.
- You’ve written down your password and left it in an easy-to-find place.
- You’ve never changed your password since it was issued to you.
- Your password/account details have been sent to you and the mail was intercepted before you received it.
- You’ve disclosed too much information on social media such as your full name, address, date of birth, family members, and all other private information a hacker needs to reset your credentials for a system.
- The password you used is easy to guess from public knowledge such as the name of your dog!
- Your password is easy to brute force; for example, if your password is Password173 it could take only 173 attempts to guess.
Other examples of how passwords are cracked are shown in the infographic below produced by The National Cyber Security Centre.
But more importantly, how do you think the hacker gets access to these systems with the right credentials? In simple terms, easily, but not because the hacker does all the work themselves. They typically use a piece of software into which they load credentials they’ve acquired or bought on the dark web, and the software tries those credentials against various websites. The software does all the heavy lifting, attempting to log into systems all day every day until it finds a successful login.
Handy tips to create a strong password
To help you create a strong password, we’ve outlined some tips below to think about.
- Consider length and special characters. Typically we advise that passwords should be more than eight characters long and contain a combination of upper- and lowercase letters and symbols such as $, %, !, @, £. This makes your password much harder for hackers to crack using brute-force attacks.
- Avoid using passwords associated with your daily life that someone close to you (or not) could easily guess. For example, don’t use your child’s name, date of birth, car registration number or favourite places. Basically, don’t use anything that could be associated with you. Remember: a hacker can quite easily obtain a lot of personal information about your life without you even realising it. If you use social media, this is one of the easiest sources for them, combined with social engineering tactics. If you do use social media, make sure you review your privacy settings and avoid listing significant dates, where you live, and when and where you will be going on holiday.
- Don’t write them down. If you must, don’t write down the full password; use prompts to help you remember, and certainly don’t list the website or platform the password is for. Using a password manager can really help you here.
- Don’t use the same password more than once.
- Change your passwords frequently.
- Don’t store payment details in your online account. If you purchase goods or services online, you may have noticed that some sites ask whether you would like to save your payment details for the next time you make a purchase. If you do this and someone gains access to your password, you are also giving them the ability to make purchases on your credit/debit card.
- Don’t share passwords with other people.
- Check before you log in. Received an email prompting you to log in to online banking, PayPal or any other platform to check something? Rather than following the link, go to the website directly, via Google or by typing the address yourself. Pay particular attention to the website address and make sure you have the padlock before submitting information. Spoofed websites can steal the passwords you enter when you attempt to log in.
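As an added illustration (not part of the original article), a small Python checker that enforces the tips above: minimum length, mixed case and symbols, a blocklist of the lazy passwords mentioned earlier with common digit substitutions undone, and a check for personal information known about the user. The blocklist entries beyond the article's three examples, the symbol set and the substitution table are assumptions.

```python
import re

# Constructed blocklist: the three passwords named in the article plus a few assumed
# common ones. A real deployment would use a large breached-password list instead.
COMMON_PASSWORDS = {"password", "pa55w0rd", "chang3m3", "123456", "qwerty", "letmein"}
SYMBOLS = set("$%!@£#&*?_-")  # assumed acceptable symbol set, based on the article's list
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def leet_normalise(pw: str) -> str:
    """Undo common digit/symbol substitutions so pa55w0rd compares equal to password."""
    return pw.lower().translate(LEET)


def check_password(pw: str, personal: tuple[str, ...] = ()) -> list[str]:
    """Return the list of policy violations; an empty list means the password passes.

    `personal` holds strings tied to the user (pet name, year of birth, car
    registration, ...) which the article says should never appear in a password.
    """
    problems = []
    if len(pw) <= 8:
        problems.append("too short: must be more than eight characters")
    if not any(c.islower() for c in pw) or not any(c.isupper() for c in pw):
        problems.append("needs both upper- and lowercase letters")
    if not any(c in SYMBOLS for c in pw):
        problems.append("needs at least one symbol such as $ % ! @ £")
    lowered = pw.lower()
    stem = re.sub(r"[^a-z]+$", "", lowered)  # Password173 -> password, Pa55w0rd!! -> pa55w0rd
    candidates = {lowered, stem, leet_normalise(lowered), leet_normalise(stem)}
    if candidates & COMMON_PASSWORDS:
        problems.append("common password (possibly with digits or symbols appended)")
    for item in personal:
        needle = item.lower()
        if len(needle) >= 3 and (needle in lowered or needle in leet_normalise(lowered)):
            problems.append(f"contains personal information: {item}")
    return problems


def is_strong(pw: str, personal: tuple[str, ...] = ()) -> bool:
    """Convenience wrapper: True only when no policy rule is violated."""
    return not check_password(pw, personal)


if __name__ == "__main__":
    for candidate in ("password", "Password173", "Pa55w0rd!!", "Tr0ub4dor&3xample"):
        print(candidate, "->", check_password(candidate) or "OK")
```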
Also, think about the following whenever you are about to log into an account:
- Internet access. Where are you accessing the Internet from? If you are using a public wi-fi service such as those in coffee shops, hotels and airports, be aware that these are not secure networks. For example, if you log into your online banking on public wi-fi, a hacker could be listening in on the data passing between your device and the web server to intercept your confidential information.
- Shared computers. Never save your login details on a public or shared computer. If you do, other users can quickly log in with your credentials. Remember to always log out of systems you have logged in to.
- Who’s looking over your shoulder? Be mindful of where you are and your surroundings when logging in to systems such as online banking.
More than a strong password
There is an extra layer of security that you can deploy to make sure that you, and only you, can access your accounts. Two-Factor Authentication (2FA) is becoming more common and in some cases mandatory. If you do online banking, you’ve probably noticed that not only do you need a password, but you also need to enter a One Time Passcode (OTP) that expires within a set time frame. This is an additional precaution: should someone obtain your password, they cannot proceed to the next stage without the secondary security code. The security code is either pushed to a mobile device or sent by text message or email.
Find out more
If you’d like to find out more about securing your business accounts and applications, contact MMRIT. We carry out a range of cyber security assessments to determine where your weaknesses are and how you can improve your overall security.