Article
Thursday, March 11, 2021

Strong and secure passwords: making sure you lock up your business

Everything you need to know about passwords to protect your business.

Why are passwords so important?

We all use passwords on a daily basis. A website behind a password protected page is the ubiquitous sign that our data should be safe. If we take a step back, what is a password? It is a secret we decide to share with a website so they can use it to confirm we are who we say we are. And we trust that website with that secret.

password

/ˈpɑːswəːd/

a secret word or phrase that must be used to gain admission to a place.

 

authentication

/ɔːθɛntɪˈkeɪʃ(ə)n/

the process or action of verifying the identity of a user or process.

Source: Oxford Languages Dictionary 

How are passwords stolen?

Unfortunately, as we all know, our passwords and our data are coveted. Malicious actors have several weapons in their arsenal, for example:

  • They can try all the frequently used passwords. This is known as a dictionary attack, which makes using simple or commonly used passwords very risky. And replacing an ‘i’ with a ‘1’, an ‘e’ with a ‘3’ or an ‘o’ with a ‘0’ is a well-known trick that cracking wordlists already account for, so it doesn’t provide significant extra protection.
  • They can try all the possible password combinations. This is known as a brute force attack: the longer and more random the password is, the longer it takes to ‘crack’ it.
  • They can try passwords that you have used (on other services, for example) that have been part of data breaches. This is known as credential stuffing. We have a tendency to reuse passwords, so the more we share that secret with other parties, the more likely it is to be leaked at some point in the future.
  • They can try to get you to tell them your password. Through many forms of social engineering (in other words, psychologically manipulating people into performing actions or divulging confidential information), cybercriminals can try to obtain passwords. Their job is further facilitated by social media, where we all share certain information (such as our pet’s name or memorable dates) that can help them guess our passwords.

Being aware of these attacks can help us create passwords that are more secure. Easy-to-guess passwords carry additional risk - but who has a good enough memory to remember a sequence of 20 random characters?

Reusing one password across several websites means you trust each of these sites to have appropriate protection measures that can keep your secret safe... I’m sure we all know what tends to happen when a secret is shared with a number of different parties - it doesn’t stay secret for very long.
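The attacks above can be compared on one scale: how many guesses an attacker needs. The Python below is an added example (not code from the article) that models the first two attacks from a defender's point of view. A password that is a known word, even with the ‘1’/‘3’/‘0’ substitutions, falls to the dictionary attack in as many guesses as the list is long; anything else is costed as a brute-force search over the character classes it uses, which is an upper bound that only holds if the characters were genuinely chosen at random. For comparison it also costs a CorrectHorseBatteryStaple-style passphrase under the honest assumption that the attacker knows the word list and the word count. COMMON_PASSWORDS, the word-list size and GUESSES_PER_SECOND are constructed assumptions for illustration.

```python
import math

# Constructed stand-in for a real common-password list: an attacker's real
# dictionary holds millions of entries, which is still a tiny search space.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "welcome", "monkey"]

# Size of a typical passphrase word list (the EFF large list has 7776 words).
WORDLIST_SIZE = 7776

# Assumed attacker speed for an offline attack on a fast hash; used only to
# turn a guess count into a rough time. Real figures depend on the hash used.
GUESSES_PER_SECOND = 10**10

# The substitutions from the article ('i'->'1', 'e'->'3', 'o'->'0' and friends),
# which cracking tools undo or enumerate as a matter of course.
REVERSE_LEET = {"@": "a", "4": "a", "3": "e", "1": "i", "!": "i", "0": "o", "$": "s", "5": "s"}


def normalise_leet(password):
    """Map leetspeak variants back to the plain word an attacker would try first."""
    return "".join(REVERSE_LEET.get(ch, ch) for ch in password.lower())


def charset_size(password):
    """Alphabet a brute-force attack must cover, from the character classes present."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation
    return size


def brute_force_guesses(password):
    """Worst-case guesses to exhaust every combination of the same shape and length."""
    return charset_size(password) ** len(password)


def passphrase_guesses(n_words, wordlist_size=WORDLIST_SIZE):
    """Guesses for an n-word passphrase when the attacker knows the word list
    and the number of words (the honest way to cost the method)."""
    return wordlist_size ** n_words


def bits_of_work(guesses):
    """Express a guess count as bits of entropy for easier comparison."""
    return math.log2(guesses)


def estimate(password):
    """Pick the cheapest attack from the article that applies to this password
    and return its name, guess count and rough time at GUESSES_PER_SECOND."""
    if normalise_leet(password) in COMMON_PASSWORDS:
        attack, guesses = "dictionary", len(COMMON_PASSWORDS)
    else:
        attack, guesses = "brute force", brute_force_guesses(password)
    return {"attack": attack, "guesses": guesses, "seconds": guesses / GUESSES_PER_SECOND}


if __name__ == "__main__":
    # Constructed sample passwords: a leet-substituted dictionary word, a short
    # alphanumeric one and a 20-character random string.
    for pw in ["P@ssw0rd", "abc123", "x7Qm$2pL9!aRfZ3vN0wK"]:
        r = estimate(pw)
        print(f"{pw:22} {r['attack']:12} {bits_of_work(r['guesses']):5.1f} bits  ~{r['seconds']:.3g} s")
    for n in (3, 4, 5):
        g = passphrase_guesses(n)
        print(f"{n}-word passphrase      {'word list':12} {bits_of_work(g):5.1f} bits  ~{g / GUESSES_PER_SECOND:.3g} s")
```

The passphrase rows are the useful part: each extra word adds about 13 bits, while the leet substitutions add nothing because the normalisation step puts the password straight back into the dictionary.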

How to keep your passwords safe?

Finding the right balance between password complexity and not reusing passwords across websites that store valuable information is a challenge. We wouldn’t recommend writing passwords on post-it notes or in a mypasswords.txt file on your desktop either, for obvious reasons.

So what would we recommend?

  1. If you’re not doing it already, enable two-factor authentication (2FA, also referred to as MFA - multi-factor authentication) for websites that hold important information and offer this feature. 2FA requires two distinct forms of identification in order to access something: for example, logging in to your email by typing in your password as well as entering a code from an authentication app on your mobile phone. It can take many forms; it is often quick and easy to set up, often available at no extra cost, and will make your account and data more secure.
  2. Use a password manager: these tools essentially do the ‘remembering several complex passwords’ job for you. It is your choice to decide whether you want to trust a third party in the cloud with these passwords or want a solution that stores them locally on your device. They come with additional benefits such as generating completely random passwords for you, prefilling password boxes for you, warning you if a password is known to have been compromised and, of course, protecting access to these passwords with a master password and 2FA.
  3. For those passwords that you need to remember, if the data or service is important (and the password protecting access to your password manager is one of those), use unique, complex passwords. You can use mnemonic strategies (techniques designed to improve our memory, such as passphrases) to help you remember long or seemingly complex passwords. The CorrectHorseBatteryStaple method is an example of this: combining three or four unrelated words. See some examples of strong passwords in the infographic below from the Police Digital Security Centre:
Top 10 COMMONLY USED passwords and 10 examples of STRONG passwords (Source: Police Digital Security Centre)
Through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.

Randall Munroe


Ultimately, all websites know that you can forget passwords, so not remembering a complex password should not be a big issue. In reality, you could even choose not to remember it at all and reset the password whenever needed. This is not the most practical solution, but it relieves your memory of remembering complex passwords.
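Item 2 above mentions password managers that warn you when a password is known to have been compromised. The usual way to do that without handing the password, or even its full hash, to a third party is a k-anonymity range query, the scheme used by the Have I Been Pwned “Pwned Passwords” API: the client hashes the password with SHA-1, sends only the first five hex characters, receives every known hash suffix in that range, and does the comparison locally. The Python below is an added example, not code from the article or from Bewica; it simulates both sides offline against a constructed breach list, and the BREACHED_PASSWORDS entries and the vault contents are made up.

```python
import hashlib

# Constructed breach corpus standing in for a service's database of leaked
# passwords (a real one holds hundreds of millions of hashes).
BREACHED_PASSWORDS = ["123456", "password", "qwerty", "letmein", "Summer2020!"]

HEX_DIGITS = set("0123456789ABCDEF")


def sha1_hex(password):
    """Upper-case hex SHA-1 of the password, the form used by range queries."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# --- Breach-check service ---------------------------------------------------

def build_breach_index(passwords):
    """Group leaked hashes by their first 5 hex characters (the 'range')."""
    index = {}
    for pw in passwords:
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], []).append(digest[5:])
    return index


def range_lookup(index, prefix):
    """Service endpoint: return every known hash suffix in the requested range.

    The service only ever sees the 5-character prefix, so all it learns is that
    the caller's password hashes into a bucket of 16**35 possible suffixes."""
    if len(prefix) != 5 or not set(prefix) <= HEX_DIGITS:
        raise ValueError("prefix must be 5 upper-case hex characters")
    return list(index.get(prefix, []))


# --- Password manager / client ----------------------------------------------

def is_compromised(password, lookup):
    """Client-side check: send only the prefix, compare the suffix locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return suffix in lookup(prefix)


def audit_vault(entries, lookup):
    """Names of vault entries whose password appears in the breach data."""
    return [name for name, pw in entries.items() if is_compromised(pw, lookup)]


if __name__ == "__main__":
    index = build_breach_index(BREACHED_PASSWORDS)
    lookup = lambda prefix: range_lookup(index, prefix)
    # Constructed vault contents; the manager holds the plaintexts locally and
    # never sends them anywhere during the check.
    vault = {"webmail": "Summer2020!", "bank": "correct horse battery staple", "crm": "letmein"}
    print("compromised entries:", audit_vault(vault, lookup))
```

The design point is the split: `range_lookup` is the only function that would run on the third party's side, and its sole input is the five-character prefix, so a service operator (or anyone logging its requests) cannot recover which password was checked.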

How can Bewica help?

At Bewica, we are committed to helping your organisation stay secure. We notify you if we find any of your team members’ passwords to have been compromised in publicly known data breaches, and we also provide you with practical advice on how to set up 2FA for your organisation. For more information on the features available on the Bewica platform, visit www.bewica.com/features or contact us at [email protected]

Don’t wait for an attack to happen. Sign up for a free trial of Bewica today to start protecting your organisation from cybercriminals.

Jean-Martin Zarate
CTO