In case you missed it – May 2 is World Password Day. And while this confected “special day” is a weird thing to celebrate, it’s a good time to reflect on whether we are all following good password practices.
It’s important to remember that every significant data breach starts with the compromise of an end-point. And the easiest way to break into an end-point is to swipe a set of user credentials.
Peter Galvin, Chief Security Officer at nCipher, said “While we’re all drowning in passwords, they’re what we still trust to give and get access – and for now, they’re here to stay. Given the lengths to which people will go in order to get their hands on them, we really should be doing as much as possible to keep them safe and secure”.
According to research by Trend Micro, Australians are lax when it comes to password security. One-in-five of us never change the password on our connected devices and 45% use the same password for multiple devices.
One of the problems with passwords is that the rules created by system admins, which are typically based on guidelines created by NIST, are complex. In fact, they’re so onerous that the guy who created them regrets ever doing so.
But despite those rules being well-known, many of us still keep ridiculously weak passwords.
“Weak passwords such as ‘password123’ and ‘abcd1234’ do not adequately mitigate the risk of unauthorised access to systems. In fact, they are easy targets for hackers to compromise credentials leading to highly lucrative and devastating attacks,” said Serkan Cetin, Regional Manager, Technology & Strategy at One Identity.
So what can you do to strengthen your password security?
Use two-factor authentication everywhere
Two-factor authentication makes life really hard for bad guys. It means that they not only need your username and password but some other piece of information.
I’d suggest a one-time SMS code is better than nothing – but only just. Determined thieves use SIM-swapping, where your mobile phone account is stolen (the bad guys use social engineering to get through telco security), so they can intercept the codes.
A better option is using an app like Google Authenticator or Microsoft Authenticator. These apps provide one-time codes that are refreshed every minute or so and aren’t broadcast.
Mark Perry, APAC Chief Technology Officer, Ping Identity, said “One great way of implementing multi-factor authentication that’s both secure and convenient is using push notifications from a mobile device. Unlike the phone numbers used for SMS messages, using push notifications allows users to rely on device secrets that don’t move from phone to phone and are much harder to spoof”.
Biometrics are a good authentication factor
Fingerprint and facial recognition sensors have come a long way over recent years.
If your hardware supports them, I’d favour those over passwords and passcodes for accessing mobile devices.
But, if you’re a frequent overseas traveller and are worried that overseas law enforcement may want to access your devices at a border crossing, be aware that the law is undecided on whether you can be forced to unlock a device that’s secured biometrically.
Use passphrases, not passwords
Putting together a passphrase is an easy way to create a long authentication string that’s hard to hack but easy to remember.
For example, it will take a brute-force attacker more time to break ‘Mary had a little lamb’ than it would to break ‘[email protected]’.
Don’t re-use passwords
Every user account you have should have its own unique password.
“The reuse of passwords can lead to multiple accounts being breached,” said Michael Warnock, the Australia country manager at Aura Information Security.
If you’re concerned about one of your passwords being compromised, pop over to Have I Been Pwned and search for your email address. If the address has been associated with a breached account and you’ve used that password elsewhere, it’s time to start updating your accounts.
Use a password manager
Given that the number of user accounts and passwords we manage is out of control, it’s not surprising that software to help with this has emerged.
Password management software, such as Apple’s Keychain Access (which is baked into macOS), LastPass, 1Password and others, will store and automatically fill in passwords. Some can also tell you when you’re using weak passwords so you’re prompted to reset them.
The big advantage of using password management software is that it creates complex passwords that you don’t need to know. The only password you have to remember is the one for the password vault application. And you can make that a complex passphrase that’s easy for you to remember but hard to break.