Passwords: a necessary evil in a digital world. The internet is full of advice and guidance, but this can make it very confusing! This guide shares best practices and the common mistakes to avoid.
- Passwords are critical to securing your business and personal information.
- They are very effective if used correctly.
- There are many types of attacks and threats, not all of them are external.
- You cannot ignore cyber risk; at a minimum you must assess it to make an informed decision on your next actions.
Passwords
A secret word, expression or string of characters used to prove a person’s right to access something!
As the world has moved online, the requirements for passwords have exploded: capital letters, numbers, special characters, no re-use of a previous password, different minimum lengths, frequency of change ... the list goes on.
We all use passwords. They protect everything and anything, including email, homes, social media, phones, money and online gaming; the list is endless. Sometimes a single password is the only thing protecting our valuable data. The trouble is that we have so many accounts and passwords that it becomes difficult to remember them all!
Ultimately, the choice is yours as to which passwords you use and when you use them. Passwords are free, easy and effective at stopping someone accessing your personal or business information, IF THEY ARE IMPLEMENTED CORRECTLY.
We hope this guide will help you to make choices to help protect your most valuable personal information, and also business information when you’re at work.
Common Mistakes / Trends
Lists of the most common passwords are published every year the world over, and despite this the trends change little year on year. In 2022 the listed top 10 were:
- 123456
- 123456789
- qwerty
- password
- 12345
- qwerty123
- 1q2w3e
- 12345678
- 111111
- 1234567890
Password re-use; remembering passwords can be hard, and this leads to many people using the same password on many, if not all, of their accounts. Reports estimate that around 68% of us do this. While it makes the password easy to remember, it also makes life easier for the cybercriminal: if they have your password for one account, they can try it on all of your accounts (known as credential stuffing), and whichever ones share it are now theirs.
Using personal information; many passwords include pet names, children's names, birthdays and dates of birth. It is not difficult to guess this information or to find it on the internet, often from your own social media!
Default passwords; not changing the manufacturer's default password on a device. There are websites that list these defaults, and often the default is easy to guess anyway, e.g. admin or password.
Letter replacements; swapping letters for similar-looking numbers and special characters (e.g. writing password as P@ssw0rd) is still very common. Attackers know this is common practice, and cracking tools apply these substitutions automatically, so the result is no stronger than the word it started from.
Passwords from patterns; these can look complex at first glance, but if they are the top row of a keyboard or a sequence of any kind they become easy to predict and break.
Password breaches
There are many ways for cybercriminals to obtain or crack the passwords you took the time to dream up. Here is a list of a few commonly used techniques to look out for:
Dictionary attacks; an automated guessing attack in which the attacker's program tries every entry in a wordlist (dictionary words, previously leaked passwords, and each of those with common suffixes and letter substitutions applied) against the account or against a stolen copy of the password hashes. A true brute-force attack tries every possible combination of characters instead. Length and genuine randomness are what defend against both: a long, random password is outside any wordlist and makes the combination space too large to search, whereas a dictionary word dressed up with a capital letter, a number and a symbol is still found quickly.
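To make the "letter replacements", "passwords from patterns" and "dictionary attacks" points above concrete, here is an added example (written for this guide, not code from the original page or from any cracking tool) of the normalisation a cracker's rule set performs before comparing a guess against a wordlist. The wordlist is a constructed one built from the top-10 list above plus a few dictionary words; the function names are our own. It shows why P@ssw0rd1 and Summer2023! are treated as "password" and "summer", while four random words are not matched by any of these rules.

```python
import re

# Constructed mini wordlist: the 2022 top-10 from this guide plus a few dictionary
# words. A real cracker loads breach lists with hundreds of millions of entries.
COMMON_PASSWORDS = {
    "123456", "123456789", "qwerty", "password", "12345", "qwerty123",
    "1q2w3e", "12345678", "111111", "1234567890",
    "summer", "welcome", "letmein", "monkey", "dragon",
}

# Letter replacements that cracking rules simply undo ("P@ssw0rd" -> "password").
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def normalise(password: str) -> str:
    """Strip the case, trailing digits/symbols and leet substitutions a rule set strips."""
    lowered = password.lower()
    stripped = re.sub(r"[^a-z]+$", "", lowered) or lowered
    return stripped.translate(LEET)


def is_keyboard_walk(password: str, min_len: int = 4) -> bool:
    """True if any min_len-character run of a keyboard row (either direction) appears."""
    s = password.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - min_len + 1):
                if seq[i:i + min_len] in s:
                    return True
    return False


def has_sequence(password: str, min_len: int = 4) -> bool:
    """True if min_len characters in a row step by +1 or -1 (abcd, 4321, ...)."""
    s = password.lower()
    run, direction = 1, 0
    for a, b in zip(s, s[1:]):
        d = ord(b) - ord(a)
        if d in (1, -1) and d == direction:
            run += 1
        elif d in (1, -1):
            run, direction = 2, d
        else:
            run, direction = 1, 0
        if run >= min_len:
            return True
    return False


def weaknesses(password: str) -> list[str]:
    """Return the reasons a password would fall quickly, or [] if none were found."""
    found = []
    if password.lower() in COMMON_PASSWORDS:
        found.append("common password")
    elif normalise(password) in COMMON_PASSWORDS:
        found.append("common word with letter substitutions or a suffix")
    if is_keyboard_walk(password):
        found.append("keyboard pattern")
    if has_sequence(password):
        found.append("sequence")
    if len(password) < 8:
        found.append("shorter than 8 characters")
    return found


if __name__ == "__main__":
    for pw in ["P@ssw0rd1", "Summer2023!", "qwerty123", "PencilSpatulaGorillaNeptune"]:
        print(f"{pw!r}: {weaknesses(pw) or 'no obvious weakness'}")
```

The checks are deliberately the cheap ones every cracking tool ships with. The lesson is not that a longer blocklist fixes things, but that any password built from a word plus decoration is already inside the attacker's search space, whereas a long random choice is not.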
Creating a strong password
- Minimum of 8 characters; longer is better, but balance length against being able to remember it.
- Make them random, with no association to you (no links to family, pets or hobbies).
- Use a different password for each account.
- Make them easy to remember but hard to guess (four random words is a good strategy, e.g. PencilSpatulaGorillaNeptune).
- Don't write passwords down; choose ones you can remember instead.
- Never tell anyone your password (make sure you are the only one accessing your accounts).
- Keep your software and devices up to date.
- Be vigilant towards other people trying to see your passwords (e.g. looking over your shoulder, recording, etc.).
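The "four random words" advice is easier to trust with numbers attached. The following is an added example (not from the original guide) that generates a passphrase the way the bullet above suggests and compares its strength, in bits of entropy, with a fully random 8-character password. The wordlist is a constructed 16-word sample; a real generator would use a list of several thousand words (diceware-style lists have 7776, the figure used in the comparison). The guess rate of 10^10 per second is an assumption standing in for a GPU rig attacking a leaked, fast-hashed password database; online guessing against a live login is far slower because the service rate-limits it.

```python
import math
import secrets

# Constructed sample wordlist. A real generator uses a list of several thousand
# words (diceware-style lists have 7776); the list size drives the entropy below.
WORDS = ["pencil", "spatula", "gorilla", "neptune", "lantern", "cactus", "velvet",
         "harbour", "meadow", "falcon", "copper", "orbit", "saddle", "tundra",
         "walnut", "zephyr"]


def generate_passphrase(words: list[str], count: int = 4, separator: str = "") -> str:
    """Pick `count` words uniformly at random. `secrets` draws from the OS CSPRNG;
    the `random` module is a predictable generator and must not be used for this."""
    picks = [secrets.choice(words) for _ in range(count)]
    # Capitalising is for readability only; it is deterministic and adds no entropy.
    return separator.join(w.capitalize() for w in picks)


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` independent uniform picks from `alphabet_size` options."""
    return length * math.log2(alphabet_size)


def years_to_crack(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected time to hit the password when the attacker must try, on average,
    half of the space at `guesses_per_second` (assumed offline attack on leaked hashes)."""
    return (2 ** bits / 2) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    print("example:", generate_passphrase(WORDS, 4))
    for label, n, k in [("8 random printable characters", 95, 8),
                        ("4 words from a 7776-word list", 7776, 4),
                        ("6 words from a 7776-word list", 7776, 6)]:
        b = entropy_bits(n, k)
        print(f"{label}: {b:.1f} bits, about {years_to_crack(b):.2g} years at 1e10 guesses/s")
```

Four words from a 7776-word list give about 52 bits, the same as eight truly random printable characters, and are far easier to remember; both fall within days to an offline attack on a fast hash, while six words (about 78 bits) push the expected time to hundreds of thousands of years. The words must be chosen by the generator, not by you: a human picking "four random words" tends to pick related, memorable ones, which is exactly what the wordlist attack above exploits.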
At a minimum, you should use different passwords for:
- Financial (bank, credit cards etc) and websites that hold your financial information
- Business Accounts
- Personal Accounts
The more different passwords you use, the more a single password compromise is limited to just that one account!
Password Storage / Tools
The guidance to use a different password for everything has created a need for tools that remember them and keep them secure. The risk is that if you forget the master password that unlocks the store you may lose access to all of your passwords, so choose that one password with particular care.
There are many options available, some free and some which you need to pay for.
- Internet browser; reasonably secure provided the browser is kept up to date (security updates applied) and the account the passwords sync to has a strong password of its own, since anyone who gets into that account or your unlocked device gets the stored passwords too.
- Smart phone; secure if operating system updates are applied and the device lock is turned on (a PIN of 6 digits or more, facial recognition, fingerprint, etc.).
- Dedicated application, e.g. LastPass or N-able Passportal; ensure these come from a reputable source and are protected by a strong master password.
Two-Factor (2FA) & Multi-Factor Authentication (MFA)
It would be remiss when talking about passwords not to share more information on multi-factor authentication. It is highly recommended, and makes access by a cybercriminal much more difficult or in some cases impossible.
You may already be using this, as many services offer and recommend it, such as banking, social media and online shopping.
As we have already discussed, a password can be guessed or stolen, and once this happens the system, application or website has no way of differentiating between the authorised and the unauthorised user.
MFA and 2FA add an additional identity check before access is granted to the user.
Most commonly the user is asked to enter a code in addition to their password. These are typically generated by the provider (e.g. Amazon sending a one-time code by SMS or email) or by a separate application or hardware device that generates a code when required. The codes are single-use and usually expire after a short time. Codes delivered by SMS or email are only as safe as your phone number and mailbox, so where a service offers an authenticator app or a hardware key, prefer that.
We hope you have found this guide useful. It is part of a series which can be found on our website at www.net-defence.com. Other guides include: sector-specific cyber threats and risk; cyber risk: what can I do about it; and Business Continuity & Disaster Recovery.
Our team can be reached on 03300 0241666 or contact@net-defence.co.uk should you have questions or want to better understand what your business needs.