In today’s connected world, communications and information sharing have become an essential part of the continued success and development of a business. Your data continuously migrate between clouds, websites, and geographical locations, allowing you to access your information anytime and from anywhere. In order to do so, you need to connect, interact, and work through the use of a number of accounts. However, have you ever wondered how many passwords you use every day to protect your accounts?
A 2016 study conducted by Intel Security revealed that, on average, a user possesses more than 27 accounts and that 37% of respondents forget at least one of their account passwords every week. Nevertheless, in the last few years, a lot has changed in the way passwords are managed; a six-character password is no longer secure enough, and today users need to devise and remember complex combinations. Consequently, passwords are forgotten, lost and stolen, opening up a variety of vulnerabilities. However, while we wait for biometric identification systems to demonstrate their effectiveness and reach the maturity necessary to replace traditional procedures, the classic password remains the most common technique for protecting our systems.

Having no alternatives, the first step to password security is understanding the threats associated with passwords. For example, passwords are often targets of social engineers, a category of cyber attackers who operate within a sphere of hacking called social engineering. This technique exploits individual behavior and often involves manipulating people into giving up sensitive information and access to security systems. Social engineers use a wide range of methods to obtain passwords. They start by looking for information about individuals: the more they know about them, the easier it is to perform malicious activities. In this regard, the basic resource attackers rely upon to steal passwords is common words. Because users are forced to create many different passwords, they tend to choose ones that are easy to remember, which allows attackers to use techniques such as dictionary attacks (systematically trying candidate passwords drawn from a list of words frequently used in everyday language) or brute force (trying every possible combination until one succeeds).
SplashData, a company that develops cybersecurity software and applications, published a list of the worst passwords of 2017. Despite regular warnings from cybersecurity experts about the importance of using strong combinations, this list shows that many people continue to use weak passwords, such as "123456" and "Password," which are the two most popular in the top 10. Actually, creating a strong password for every account can be a challenge. VPNmentor has a great random password generator that can help you create unique passwords for a variety of situations. (Thank you to Emma Bell for suggesting this tool!)
On one hand, we want something that is easy to remember so we can easily access our systems. But in this case, there is a greater chance of getting hacked. On the other hand, we need a password that is secure enough to keep us safe online. But a strong password can also be so complex to remember that we may find ourselves struggling to access our data or recover our credentials. If it is true that "the only secure password is the one you can't remember," as Troy Hunt, a web security expert, argues, then what can we do to manage our passwords in a safe and practical way? There is no cyber recipe for the perfect password, but here are some useful tips.
- Change of seasons, change of passwords. Choose a unique password for each account and change it every three to six months. Reusing the same passwords is risky. If someone guesses your password for an account, he or she could potentially gain access to your private emails, your address, and even your bank account.
- Boost your combinations. Use at least eight or ten characters to create your password. Make sure you include a combination of letters, numbers, and symbols. For example, an eight-character string containing numbers, symbols, uppercase and lowercase letters is much more robust than an eight-character password made of lowercase letters only.
- Make everything as simple as possible, but not simpler, as Albert Einstein claimed. Don't use personal information or simple sequences, such as "password" or "abcd." Try a random word or use a technique called "password padding," which is a method of adding characters on both ends of the core password.
- Always have a plan B. Make sure to update your recovery email address regularly so that you can receive notifications in case you need to retrieve your password. Additionally, keep your passwords in a safe place. If you decide to save your passwords in a file on your computer, give the file a name that does not let others recognize its content. Better yet, store your passwords in an "encrypted key ring" that keeps your sensitive data in a secure way. There are several tools that enable you to store all your passwords in encrypted form: some are online services (e.g. Clipperz), others are software you download onto your computer (e.g. KeePass).
- More is better. Password security also involves adding some additional protection, such as anti-malware software. Are you wondering why there is a connection between passwords and malware? Well, let's put it this way - you can't do much with the strongest password in the world if you accidentally downloaded a keylogger onto your computer. This type of malware can capture everything you type, including passwords and usernames.
- All for one, and one for all. If your employees need to access a variety of IT resources, such as computers, databases, and accounts, you may want to establish a password policy, which serves as a standard for the management of passwords, including their creation, their protection, and the frequency of change. Password policies alone don’t represent a sufficient method to protect your company from cyber attacks, but they can definitely mitigate the human factors of cybersecurity.
- Test it. As with any cyber tool, it is always a good practice to test the strength of a password. In order to get a better idea of how complex a password is and how long it would take an attacker to guess it, it's possible to use some online tools, such as Kaspersky Secure Password Checker, Password Meter, and How Secure Is My Password.
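To make the "boost your combinations", "password padding" and "test it" points concrete, here is a small strength estimator. It is added here and is not a tool from the article or any of the checkers named above; it contrasts the raw keyspace a password appears to have with what an attacker who starts from a word list and padding rules actually has to search. The word list and the guess rate are constructed assumptions.

```python
import math
import string
from typing import Optional

# Constructed, deliberately tiny word list standing in for an attacker's
# dictionary; a real list holds millions of leaked passwords and words.
COMMON_WORDS = {"password", "123456", "qwerty", "letmein", "welcome", "abcd"}

# Assumed guess rate for an offline attack on a fast, unsalted hash on GPU
# hardware. This figure is an assumption, not taken from the article.
GUESSES_PER_SECOND = 1e10

CHARACTER_CLASSES = (
    string.ascii_lowercase,       # 26
    string.ascii_uppercase,       # 26
    string.digits,                # 10
    string.punctuation + " ",     # 33
)

def alphabet_size(password: str) -> int:
    """Size of the smallest alphabet that covers every character used."""
    return sum(len(cls) for cls in CHARACTER_CLASSES if any(c in cls for c in password))

def keyspace_bits(password: str) -> float:
    """log2 of the number of strings of this length over that alphabet:
    the 'boost your combinations' effect of length and character variety."""
    return len(password) * math.log2(alphabet_size(password)) if password else 0.0

def dictionary_core(password: str) -> Optional[str]:
    """Return the common word a dictionary attack would find, if any."""
    lowered = password.lower()
    for word in sorted(COMMON_WORDS, key=len, reverse=True):
        if word in lowered:
            return word
    return None

def effective_bits(password: str) -> float:
    """Work for an attacker who tries the word list with padding rules first:
    if the core is a dictionary word, only its list position and the padding
    around it still have to be guessed."""
    word = dictionary_core(password)
    if word is None:
        return keyspace_bits(password)
    padding = password.lower().replace(word, "", 1)
    return math.log2(len(COMMON_WORDS)) + keyspace_bits(padding)

def crack_time_seconds(password: str) -> float:
    """Expected time to hit the password after searching half the space."""
    return 2 ** effective_bits(password) / 2 / GUESSES_PER_SECOND

if __name__ == "__main__":
    for pw in ("password", "!!Password99", "abcdefgh", "xk7#Qr!m"):
        print(f"{pw!r:16} raw {keyspace_bits(pw):5.1f} bits, effective "
              f"{effective_bits(pw):5.1f} bits, ~{crack_time_seconds(pw):.3g} s")
```

Note that "abcdefgh" and "!!Password99" both look respectable by raw keyspace but collapse once the dictionary core is recognized, which is exactly why the article warns against simple sequences and padding a common word.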
It is important to remember that an effective cybersecurity strategy is based on a series of security levels. All these levels are connected, and any response strategy needs to address all of them. In this context, passwords represent one of the first links in the security chain, but also the weakest. For this reason, adopting simple precautions is something everyone can engage in to give cyberattackers a tough time.