
TOO MANY PASSWORDS?
As everybody knows, strong passwords are the key to your online security. The downside is that you need to create strong passwords that you can remember, without reusing the same password for all your accounts (it happens!) and similar sins. Question: how many passwords can you actually remember? A recent survey suggested that if the average citizen had a unique password for every account, from on-line banking to Amazon, they could easily have to remember 85 passwords. If you work in Information & Communications Technology (ICT), that could rise to 400 or more.
Weak passwords are nearly as bad as no password because they can lull you into a false sense of security, and reusing the same password can have serious consequences, even if the password itself is secure. The report mentioned above also stated that, since 2017, hackers had published 555,700,000 stolen passwords on the dark web (the part of the World Wide Web that cannot be accessed without special software, allowing users and website operators to remain anonymous or untraceable) to help criminals break into your accounts.
Password security cannot completely guarantee that your data will not be exposed, but best practices can minimise your risk if it is. So here are a few ideas about how to create and manage the best passwords, how to find out if they have been stolen, and a general tip to make your accounts even more secure.
Password managers
You might decide to use a password manager to keep track of your passwords. A strong password will be longer than eight characters and will contain a mixture of letters (upper-case and lower-case), numerals and some of the special symbols on your keyboard. The downside is that the most secure passwords are also the most difficult to remember, which is where a password manager comes in useful. There are trusted password manager applications such as 1Password or LastPass which can create and store secure (i.e. lengthy) passwords for you. They work across your desktop, tablet and phone.
You have to memorise a single master password that unlocks all your other passwords, so this needs to be as strong as it can be. Browsers like Google’s Chrome come with password managers. However, there are some concerns about how browsers secure the passwords they store. If an intruder discovers the master password to your password manager, then they automatically have access to all of your passwords, so I would recommend using a specialist dedicated application instead.
With such a precious prize inside, password managers are an obvious target for hackers. Password managers are not perfect; in the final analysis, they are computer programs, and there is always the fear that one day a hacker will find an unsuspected flaw and get through.
Noting your credentials
For more years than I care to remember, I have been telling people NOT to write their passwords down. However, in the last couple of years, security gurus have been suggesting that, under certain circumstances and with appropriate precautions, keeping your login information on a physical sheet of paper or in a notebook is an acceptable way to keep track of your credentials. They are talking about real physical paper, not an electronic document like a Word file or Excel spreadsheet because anyone who gains access to your computer or online accounts will also gain access to that electronic password file.
Some years ago, one of our clients carried out quite a brutal redundancy exercise. One disgruntled employee found himself alone in the eighth-floor executive suite and noticed that the chairman had written his user-id and password on a sticky note and stuck it to his PC. The vengeful employee sat down, logged on to the chairman’s email and sent redundancy notices to the entire Board of Directors. So we do NOT mean that kind of written record. At work or home, keep this sheet of paper in a safe place (preferably with a lock on it) and out of sight. Do not let people know where your passwords are, especially to your bank and other financial sites. An ideal number is “one” – you! If you use a notebook to record your credentials, do NOT buy one that has “Passwords” or “Logon Information” on the cover. That is advertising for trouble. Carrying your password notebook with you is a risk because you are more likely to misplace it.
Have your passwords been stolen?
Let us assume that the worst has happened. Somehow your password has leaked out. It may not be obvious; however, you can check at any time for signs that your accounts have been compromised.
Services such as Google’s Password Checkup and Have I Been Pwned will tell you whether your passwords have appeared in a known data breach, i.e. whether they have been exposed. If they have, immediately change ALL of your passwords and contact your service provider. It is good to be proactive.
Do not make your password too easy to guess
You need to create a password that someone else will not know and cannot easily guess. Hands up anybody who DOESN’T know that they must avoid common words like “password,” phrases like “mypassword” and predictable character sequences like “12345678”, “qwerty” or “thequickbrownfox.” And avoid using your name, nickname, the name of your pet/spouse/partner, your birthday or anniversary, your street name, car registration mark or anything at all that could be discovered from social media, or from overhearing a conversation on a train or in the pub.
Long passwords good; short passwords bad
Most password guidelines start with eight characters as the basis of a strong password; however, longer passwords are better. Hackers can use the power of computers to make “brute force” attacks which aim to crack your password by trying every combination of characters. They will try the most commonly used alphanumeric character combinations first, then work their way through every other combination. If you have a strong password of 12 characters (3 uppercase letters, 4 lowercase letters, 3 special characters, 2 numerals), then the hacker will potentially have to try 475,920,314,814,253,376,475,136 (476 sextillion!) entries, which would keep even a Cray supercomputer busy for a very long time.
Some experts recommend using a “passphrase” instead of a password. This can appear in several formats; however, a common one is to create a password from a phrase of three or four random unrelated words such as tomatogreyhoundbuffoon (please do NOT use this passphrase). Hard to crack but not easy to remember.
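The arithmetic behind the two paragraphs above, as an added example that is not part of the original post: the 476-sextillion figure is 94 printable characters raised to the 12th power, and the block also shows how much smaller the search becomes when the attacker knows the exact mix of character classes, and how a random-word passphrase compares. The 7776-word dictionary size (a standard Diceware list) and the guess rate are assumptions chosen for illustration.

```python
import math

# Printable ASCII (codes 33-126) splits into 26 upper, 26 lower, 10 digits, 32 symbols.
UPPER, LOWER, DIGITS, SYMBOLS = 26, 26, 10, 32
ANY_PRINTABLE = UPPER + LOWER + DIGITS + SYMBOLS  # 94


def unconstrained_keyspace(length: int, alphabet: int = ANY_PRINTABLE) -> int:
    """Guesses needed to exhaust every string of `length` characters drawn from `alphabet` symbols."""
    return alphabet ** length


def fixed_composition_keyspace(upper: int, lower: int, digits: int, symbols: int) -> int:
    """Guesses when the attacker knows exactly how many characters of each class are present
    (e.g. the post's 3 upper, 4 lower, 3 symbols, 2 digits) but not their order."""
    length = upper + lower + digits + symbols
    # Multinomial coefficient: ways to arrange the classes along the password ...
    arrangements = math.factorial(length) // (
        math.factorial(upper) * math.factorial(lower)
        * math.factorial(digits) * math.factorial(symbols))
    # ... multiplied by the choices available within each class.
    return arrangements * UPPER**upper * LOWER**lower * DIGITS**digits * SYMBOLS**symbols


def passphrase_keyspace(words: int, dictionary_size: int = 7776) -> int:
    """Passphrase of `words` random words; 7776 is a Diceware list size (assumption)."""
    return dictionary_size ** words


def years_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case time for an attacker who tries every candidate at the given rate."""
    return keyspace / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    rate = 1e12  # assumption: one trillion guesses per second (a large offline cracking rig)
    for label, space in [
        ("12 chars, any printable", unconstrained_keyspace(12)),
        ("12 chars, composition known", fixed_composition_keyspace(3, 4, 2, 3)),
        ("3 random words", passphrase_keyspace(3)),
        ("4 random words", passphrase_keyspace(4)),
    ]:
        print(f"{label:30s} {space:>30,d}  ~{years_to_exhaust(space, rate):.2e} years")
```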
Do not re-use passwords
Reusing passwords across different accounts is asking for trouble. If an intruder uncovers your reused password for one account, they automatically gain access to every other account protected by that password. Much the same applies to keeping the core of your password and varying a prefix or suffix. A sequence like: Manchester1990, Manchester1991, MyManchester1992 is fair game for a hacker. Please do NOT do it.
Avoid using stolen passwords
As mentioned above, hackers can use libraries of stolen or otherwise exposed passwords on the dark web in automated attacks called credential stuffing. Once you have created your new password, it would be prudent to log on to Have I Been Pwned and enter the password to see if it has already been the subject of a hack.
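How the Have I Been Pwned password check can be done without ever sending the password itself, as an added example that is not the site's own code: the client hashes the password with SHA-1 and sends only the first five hex characters to the range endpoint, which returns every matching suffix; the comparison happens locally. The endpoint and the Add-Padding header are the service's documented interface; the sample response body and its counts are constructed for the offline test.

```python
import hashlib
import urllib.request

RANGE_API = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str) -> tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the upper-case hex SHA-1 of the password.
    Only the prefix ever leaves the machine (k-anonymity)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Parse a range response ('SUFFIX:COUNT' per line) and return how many times the
    password has been seen in breaches, or 0 if its suffix is not listed."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup (needs network). Add-Padding makes every reply a similar size, so an
    observer on the wire cannot infer the prefix from the response length."""
    req = urllib.request.Request(RANGE_API + prefix, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_offline(password: str, range_body: str) -> int:
    """Full check against an already-fetched range body (used here so the example runs offline)."""
    _prefix, suffix = split_sha1(password)
    return count_in_range(suffix, range_body)


# Constructed sample of a /range/5BAA6 reply (counts are invented); the middle line carries
# the real SHA-1 suffix of the word "password", the other two suffixes are made up.
SAMPLE_RANGE_5BAA6 = "\r\n".join([
    "1E2F3A4B5C6D7E8F9A0B1C2D3E4F5A6B7C8:3",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
    "20E8FC87A8C2F8D2F9F6B9D6A1C3E5F7A9B:1",
])

if __name__ == "__main__":
    print("password seen", check_offline("password", SAMPLE_RANGE_5BAA6), "times")
```

For a live check, replace the sample body with fetch_range(prefix); a non-zero count means the password is already in the attackers' lists and should not be used.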
Periodically reset your password
Most organisations, including TfWRS, require passwords to be changed every 42, 60 or 90 days depending on the system. The less time you keep using a password, the less time a hacker has to crack it. There is a danger here: constantly changing passwords is a nuisance and it is easy to fall into bad habits, creating easy-to-remember passwords, writing them on sticky notes, or any of the other deadly sins of passwords.
Other precautions
A standard precaution now, and one you would probably use on your on-line bank account, is two-factor authentication (2FA). This demands a second piece of information that only you have before letting you into the application or the service. Using 2FA, even if a hacker has discovered your password, without your trusted device (usually your mobile phone but some systems have a dedicated device rather like a pager) and the verification code sent to that device, they will not be able to access your account.
Usually, these codes arrive in a text message or as a voice message on your landline. This is fine unless a hacker has taken over your phone number and can intercept your verification code. Authentication apps such as Authy, Google Authenticator or Microsoft Authenticator let you generate the codes on your own device instead. Once you are set up, you can register your device or browser to avoid the monotony of having to verify it every time you sign in.
We have all sorts of other verification solutions around at present. My cellphone scans my irises; my laptop checks my fingerprints, my wife’s laptop needs an encoded dongle to be inserted before it will go online. Nevertheless, passwords are going to be with us in the long term, either as the only access control or as part of a more substantial access control solution, so please apply the advice in this blog and keep yourself safe online.