Article
Thursday, March 11, 2021

Strong and secure passwords: making sure you lock up your business

A guide to keeping strong and secure passwords for your organisation.

Why are passwords so important?

We all use passwords on a daily basis. A website behind a password protected page is the ubiquitous sign that our data should be safe. If we take a step back, what is a password? It is a secret we decide to share with a website so they can use it to confirm we are who we say we are. And we trust that website with that secret.

password

/ˈpɑːswəːd/

a secret word or phrase that must be used to gain admission to a place.


authentication

/ɔːθɛntɪˈkeɪʃ(ə)n/

the process or action of verifying the identity of a user or process.

Source: Oxford Languages Dictionary 

How are passwords stolen?

Unfortunately, as we all know, our passwords and our data are coveted. Malicious actors have several weapons in their arsenal, for example:

  • They can try all the frequently used passwords. This is known as a dictionary attack, and it makes using simple or commonly used passwords very risky. Replacing an ‘i’ with a ‘1’, an ‘e’ with a ‘3’ or an ‘o’ with a ‘0’ is a well-known trick that doesn’t provide significant extra protection, because attackers add those substitutions to their dictionaries.
  • They can try all the possible password combinations. This is known as a brute force attack: the longer and more random the password is, the longer it takes to ‘crack’ it.
  • They can try passwords that you have used elsewhere (on other services, for example) that have been part of data breaches. This is known as credential stuffing. We have a tendency to reuse passwords, so the more we share that secret with other parties, the more likely it is to be leaked at some point in the future.
  • They can try to get you to tell them your password. Through many forms of social engineering (in other words, the psychological manipulation of people into performing actions or divulging confidential information), cybercriminals can try to obtain passwords. Their job is further facilitated by social media, where we all share certain information (such as our pet’s name or memorable dates) that can help them guess our passwords.

Being aware of these attacks can help us create passwords that are more secure. Easy-to-guess passwords carry additional risk - but who has a good enough memory to remember a sequence of 20 random characters?

Reusing a single password across several websites means you trust each of these sites to have appropriate protection measures that can keep your secret safe... I’m sure we all know what tends to happen when a secret is shared with a number of different parties - it doesn’t stay secret for very long.

How to keep your passwords safe?

Finding the right balance between password complexity and not reusing passwords for websites that store valuable information is a challenge. We wouldn’t recommend writing passwords on post-it notes or in a mypasswords.txt file on your desktop either, for obvious reasons.

So what would we recommend?

  1. If you’re not doing it already, enable two factor authentication (2FA, also referred to as MFA - multi-factor authentication) for websites that hold important information and offer this feature. 2FA requires two distinct forms of identification in order to access something. For example, logging in to your emails by typing in your password as well as entering a code from an authentication app on your mobile phone. It can take many forms; it is often quick and easy to set up, often available at no extra cost, and will make your account and data more secure. Our Level 1 subscription (Certified Security) incorporates a tutorial on how to implement 2FA for your emails centrally, which contributes to keeping your accounts safe and is also a requirement to obtain the Digitally Aware certificate.
  2. Use a password manager: these tools essentially do the ‘remembering several complex passwords’ job for you. It is your choice whether you want to trust a third party in the cloud with these passwords or want a solution that stores them locally on your device. They come with additional benefits such as generating completely random passwords for you, prefilling password boxes for you, warning you if a password is known to have been compromised and, of course, protecting access to these passwords with a master password and 2FA.
  3. For those passwords that you do need to remember, if the data or service is important (and the password protecting access to your password manager is one of those), use unique complex passwords. You can use mnemonic strategies (techniques designed to improve our memory, such as passphrases) to help you remember long or seemingly complex passwords. The CorrectHorseBatteryStaple method is an example of this: combining three or four unrelated words. See some examples of strong passwords in the infographic below from the Police Digital Security Centre:

Infographic: Implementing a strong password policy (Source: Police Digital Security Centre)

Infographic: Top 10 COMMONLY USED passwords and 10 examples of STRONG passwords (Source: Police Digital Security Centre)

Through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.

Randall Munroe


Ultimately, all websites know that you can forget passwords, so not remembering a complex password should not be a big issue. In reality, you could even choose not to remember it at all and reset the password whenever needed. This is not the most practical solution, but it relieves you from having to remember complex passwords.

Implementing strong and secure passwords with Bewica's help

Our portal helps you maintain strong and secure passwords in a number of ways:

1. Helping you implement a strong password policy through our IT Policy generator which follows best practice and is included in subscriptions. A strong password policy gives guidance to your team to enforce the use of strong passwords which are more resistant to hacking attempts.

2. Helping you generate strong passwords through our strong password generator included in our subscriptions. Our secure password generator automatically checks against a database of known breaches, reducing the chances of you using a password that is already in a breach.

3. Sending you data breach notifications that affect your staff members' email addresses. Our dark web monitoring service, included in Level 2 of our portal (Advanced Security), alerts you if any of your team members' passwords have been compromised in public data breaches. If any of them have been compromised, instructions can be sent to your staff members from our portal, advising them of what to do.

4. Helping you implement 2FA centrally for emails. Our subscriptions incorporate a tutorial on how to implement 2FA for your emails centrally, which is also a requirement to obtain the Digitally Aware certificate.
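To put numbers on the advice above (the brute force and dictionary points, the CorrectHorseBatteryStaple method, and a breach check like the one the password generator performs), here is an added Python example that is not Bewica's code. The word list and the "breached" set are constructed for illustration, and the breach lookup is modelled on the hash-prefix (k-anonymity) technique used by public breach-check services, which is an assumption about how such a check is done rather than a description of the portal.

```python
import hashlib
import math
import secrets

# Constructed sample word list. A real passphrase generator would draw from a
# large list (diceware-style lists have 7776 words).
WORDS = ["correct", "horse", "battery", "staple", "orbit", "velvet", "lantern", "cactus"]

# Constructed "breach corpus": SHA-1 digests of passwords assumed to be leaked.
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper()
                 for p in ["password", "P@ssw0rd", "123456", "qwerty", "letmein"]}


def search_space_bits(alphabet_size: int, length: int) -> float:
    """Work a brute force attack faces when every symbol is chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def leet_variants_bits(dictionary_words: int, substitutable_chars: int) -> float:
    """Work a dictionary attack faces once i->1, e->3, o->0 style tricks are included:
    each substitutable position at most doubles the candidate list (+1 bit)."""
    return math.log2(dictionary_words) + substitutable_chars


def generate_passphrase(n_words: int, words=WORDS) -> str:
    """Unrelated words picked with a CSPRNG, i.e. the CorrectHorseBatteryStaple method."""
    return "-".join(secrets.choice(words) for _ in range(n_words))


def is_breached(password: str, corpus=BREACHED_SHA1) -> bool:
    """Prefix-only (k-anonymity) breach lookup: only the first 5 hex characters of the
    hash would leave the client; the full-hash comparison happens locally."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    matching_suffixes = {h[5:] for h in corpus if h.startswith(prefix)}
    return suffix in matching_suffixes


if __name__ == "__main__":
    print(f"8 random chars from 94 symbols : {search_space_bits(94, 8):.1f} bits")
    print(f"4 random words from 7776       : {search_space_bits(7776, 4):.1f} bits")
    print(f"leet variant of 1M-word list   : {leet_variants_bits(10**6, 3):.1f} bits")
    print("P@ssw0rd already breached:", is_breached("P@ssw0rd"))
    print("Suggested passphrase:", generate_passphrase(4))
```

The comparison shows why a four-word passphrase rivals an eight-character random password while staying memorable, and why a leet-speak variant of a dictionary word adds only a few bits.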

Start protecting your accounts with secure passwords by creating a free account here.

Jean-Martin Zarate
CTO