Just a few months ago SecurityMagazine.com published an article stating that 53% of people admit to reusing their passwords. Even though it is public knowledge that we should not reuse passwords, a lot of people still do it. Are all these people ignorant of the risks? Maybe, but I think it is much more likely that the alternative feels complex and like a huge undertaking. Why would you change anything if everything still works? If your password-hygiene was that bad, you would have noticed it by now, right?
This article is part of a series that describes online security best-practices. This first part focuses on a subject that affects everyone nowadays: password-hygiene. There are a lot of subjects to cover and the articles will get more specific as we go. But before we can take a deep dive into the world of cyber-security, we need to get through some basics. So if you are not interested in the extremely technical stuff, you are in the right place. Please feel free to share this article with anyone who could use it, and without further ado, let’s get into it!
Why you should practice good password-hygiene
Passwords are getting leaked all the time. Currently, HaveIBeenPwned.com has a list of over 570 million unique passwords that have been exposed. That makes it pretty likely that your weak passwords are on that list as well. By using an exposed or weak password, you make it easy for hackers to get access to your data. But there is another risk that has been growing lately, and it is called “Social Engineering”.
Social Engineering exploits not the technology, but the people who work with it. Let’s say a hacker gets access to your WhatsApp or Facebook account. He starts looking around and maybe changes some settings. Of course, the hacker can post content on your behalf, but he might get noticed that way. Instead, the hacker decides to use his access to get to a bigger target. By sending carefully written messages to specific targets within your contact-list, he can get information they would never have given to a stranger. From this position, your contacts are vulnerable to being hacked as well, despite their decent password-hygiene. Your failure to properly secure your accounts can result in the theft of your data or the data of the people you know. So even if you don’t value your own data, please take the time to help strengthen the chain and fix your passwords.
What is a weak password?
Now that you have an idea of the impact your security can have on yourself and others, here are some guidelines to follow when setting a secure password.
- Don’t use easily identifiable information.
By using information that is easy to find, like your date of birth, address, the name of your dog, or your hobby, you make your password much easier to guess.
- Don’t use popular keyboard-combinations
Please do not use “1234” or “qwerty” as part of your password; unfortunately, these are very common.
- Don’t reuse your password
By reusing your passwords you increase the damage a leaked password can do. Once one site leaks it, your other accounts are directly at risk. This is especially important for your email account, since password resets are sent there: a hacker who gets into your mailbox can simply request a new password for your other accounts.
- Don’t write your passwords down or store them without encryption.
By writing them down, the chance of them getting lost or stolen increases. The same is true for storing them without encryption: if someone gains access to your computer or phone, such a file is a goldmine for the hacker.
- Use 2FA when possible
Let’s face it, we need all the help we can get to keep our data secure. 2-factor authentication helps by adding another security layer before someone gets access to your account. Once you have entered the correct password, you are asked for a unique code that changes every few seconds. These codes are generated by an app on a device like your phone, or sent to you over email or SMS (please don’t use SMS, but that is a story for another day). Only when you have both a valid code and the correct password will you get access to your account. Unfortunately, better security usually means extra steps and thus less user-friendliness. But if you are willing to trade a little convenience for a much stronger account, it will be worth it.
Remembering unique passwords
Using different passwords for all your accounts seems impossible to remember, but luckily there is a solution to this. Meet the password-manager. A password-manager securely encrypts and stores all of your passwords. These managers can be connected to the internet so you can securely access them on all your devices, but they can also run completely offline on your computer. It might feel counter-intuitive to share your passwords with a service that provides you with a password-manager. Without getting too technical, this works as follows: the password that you want to save is encrypted on your device before it is transferred to the service, where it is stored. The key to decrypt it exists only on your devices, so the service cannot read your passwords.
Most password-managers have browser-extensions that make them easy to use. These extensions can fill in your login details and also save changed passwords. Most can even generate passwords for you. A randomly generated password that is very hard to remember is most likely hard to crack as well. But data-leaks happen and one of your passwords will probably get leaked eventually. Since you have set unique passwords for every account you have, the chance of the leak escalating into a bigger problem is slim. Of course, you should still change the affected password as soon as possible.
Get your users to set strong passwords
There is one more aspect to the problem of poor password-hygiene, and that is the sites that require you to set them. Most sites require a password to contain at least one number, a special character, and a capital letter. The problem with most of these rules is that users are likely to cheat the system: changing the first letter to a capital and adding a “1” at the end is enough to pass the test. Of course, this is nowhere near rocket-science, and needless to say, it does not provide any extra security. By rethinking and redesigning these rules, you can help your users keep their data secure.
Additionally, a lot of sites set a small limit on the length of the passwords that can be used. By forcing your users to shorten their passwords to 16 characters, you deny them the right to a decent password.
One last thing: please don’t ask for, or store, more information than you need to provide your services. Limit the amount of data that can be accessed when an account gets breached.
There is work to be done by both the websites and the users to keep all of our data more secure in a world that is more connected than ever. If you want to improve the security of your site, please check the security-services that we provide.