“My password was hacked”: it’s one of the oldest excuses in the book for people who post something regrettable online. But it’s also a growing reality, with Verizon’s 2021 Data Breach Investigations Report discovering that 61% of all data breaches involve stolen credentials.
All of us have dozens of accounts that are only one password breach away from compromising sensitive information.
We trust these credentials to keep us safe, but are we doing enough to create strong and unique passwords?
For many of us, the answer is no, which is why Intel created World Password Day. It falls on the first Thursday in May, which in 2022 is 5 May.
In this blog, we look at the advice that World Password Day has to offer and explain why now is the time to review your password security.
In recent years, World Password Day has encouraged people to ‘layer up’ their login credentials. The most practical way of doing this is with MFA (multi-factor authentication).
With MFA, individuals enter a password as normal, but must also provide a second piece of information that confirms that they have legitimate access to the system.
This is typically either ‘something you have’ (such as a one-time code generated by an authenticator app or sent to your phone) or ‘something you are’ (such as a fingerprint scan).
By doing this, you mitigate the risk of password compromise. An attacker might have your login details, but without the second factor they still cannot get into your account.
MFA isn’t foolproof. Criminal hackers can phish a one-time code from you in real time and use it before it expires, or take over your phone number by SIM swapping to intercept codes sent by SMS, which is why codes from an app or a hardware key are preferable to SMS. However, it removes a significant threat and ensures that a password breach alone is not enough to compromise your account.
Many online services give you the option of implementing multi-factor authentication, including Amazon, Apple, Facebook, Google, Instagram, Microsoft, PayPal and Twitter.
Most of those sites don’t have multi-factor authentication in place by default, so you will need to adjust your settings to set it up.
The website 2FA Directory contains a full list of websites that support multi-factor authentication.
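To show what the second factor does on the server side, here is an added example in Python (not code from the original post or from any of the services named above). It implements the ‘something you have’ check used by authenticator apps, TOTP as defined in RFC 6238, and a login routine that refuses a correct password unless the current code comes with it. The user record, the PBKDF2 parameters, the fixed clock values and the enrolled secret (the RFC 6238 test key) are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional, Tuple


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226), the building block of TOTP."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current 30 s step."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step or +/- `window` steps (clock drift),
    comparing in constant time so timing does not reveal which digits matched."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, at + drift * step, step), code):
            return True
    return False


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 for the demo; production systems should prefer a
    memory-hard KDF such as Argon2id."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user record (an assumption for illustration). The TOTP secret is
# the RFC 6238 test key "12345678901234567890", base32-encoded the way an
# authenticator app would enrol it from a QR code.
ALICE_SALT = b"\x01" * 16
ALICE_TOTP_SECRET = base64.b32decode("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
USERS = {
    "alice": {
        "salt": ALICE_SALT,
        "pw_hash": hash_password("correct horse battery staple", ALICE_SALT),
        "totp_secret": ALICE_TOTP_SECRET,
    }
}


def login(username: str, password: str, code: Optional[str], at: Optional[int] = None) -> Tuple[bool, str]:
    """Require both factors: the password (what you know) and the current TOTP
    code (what you have). A stolen password alone never gets past this."""
    at = int(time.time()) if at is None else at
    user = USERS.get(username)
    if user is None:
        return False, "unknown user"
    if not hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"]):
        return False, "bad password"
    if code is None or not verify_totp(user["totp_secret"], code, at):
        return False, "password correct, but second factor missing or wrong"
    return True, "ok"


if __name__ == "__main__":
    now = 1111111109                             # fixed clock so the run is reproducible
    stolen_password = "correct horse battery staple"
    # Attacker holding only the breached password:
    print(login("alice", stolen_password, None, now))
    # Legitimate user whose phone generates the current code:
    print(login("alice", stolen_password, totp(ALICE_TOTP_SECRET, now), now))
```

The drift window of one step either side is what real services use to tolerate slightly wrong phone clocks; widening it beyond that gives an attacker more valid codes to guess. A deployment would also rate-limit code attempts, since six digits are only a million possibilities, and would do the same amount of work for unknown usernames so that response timing does not reveal which accounts exist.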
How to create a strong password
Even with multi-factor authentication, it’s a good idea to get into the habit of creating strong passwords.
Most people fail to do this because the standard guidance on password creation results in strings that are almost impossible to remember. Experts have historically advised people to use at least eight characters mixing letters, numbers and special characters.
However, this has typically resulted in people simply adding an ‘@’ and a few numbers at the end. A more creative solution is character substitution (with, for example, a ‘0’ replacing an ‘o’), but even that plays into criminal hackers’ hands: the technique is well known, and password-cracking tools apply such substitutions automatically to every word in their dictionaries.
More worryingly, the more you rely on additional characters and substitutions, the more likely it is that you’ll have a password that’s hard to remember but comparatively easy for computers to crack.
And there’s another problem. The website How Secure Is My Password estimates that a substitution-dense phrase such as “Tr0ub4dor&3” would take a computer 400 years to crack, which sounds secure enough, but that figure assumes a blind search of every possible character; an attacker who tries dictionary words with common substitutions and a short suffix gets there far faster. Worse, a password that awkward is one you are likely to write down somewhere, which undermines it altogether.
A simpler and more secure technique is to create a mnemonic or cipher, such as taking the first character and any punctuation from each word of a sentence. So ‘The 50-year-old man caught the 15:50 train’ becomes ‘T50-y-omct15:50t’, which the same site estimates would take 41 trillion years to crack.
Not so bad.
Alternatively, you might find that length alone is an effective method for security. Each character you add to a password multiplies the number of possibilities a criminal hacker has to try.
Using a random selection of words (a passphrase of four or more unrelated words) avoids patterns that a cracking tool could exploit, results in a password that’s even harder to crack, and is far easier to remember than a string of symbols.
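To put numbers on the two points above (why substitutions add little once the pattern is known, and why length and random words add a lot), here is an added example in Python; it is not code from the original post. The substitution table, the dictionary size of 50,000 words, the guess rate of ten billion per second for an offline attack on a fast hash, and the small sample word list are all assumptions for illustration; real passphrase lists such as diceware hold 7,776 words.

```python
import itertools
import math
import secrets

# Substitutions a rule-based cracker tries (assumption: a common subset).
LEET = {"a": "4@", "e": "3", "i": "1!", "l": "1", "o": "0", "s": "5$", "t": "7"}

# Constructed word list for the demo; a real passphrase list (diceware) has 7776 words.
WORDS = ["correct", "horse", "battery", "staple", "orbit", "velvet", "anchor",
         "pepper", "crystal", "meadow", "lantern", "thunder", "copper", "island",
         "walnut", "harbour", "cactus", "falcon", "marble", "pocket"]


def leet_variants(word: str) -> set:
    """Every spelling a cracker derives from one dictionary word by applying
    leet substitutions and optionally capitalising the first letter.
    The 'creative' human trick is just one rule in the attacker's rule set."""
    slots = [c + LEET.get(c, "") for c in word.lower()]      # e.g. 'o' -> "o0"
    base = {"".join(chars) for chars in itertools.product(*slots)}
    return base | {v[0].upper() + v[1:] for v in base}


def entropy_bits(choices_per_element: int, elements: int) -> float:
    """Bits of search space for `elements` independent picks from `choices_per_element`."""
    return elements * math.log2(choices_per_element)


def leet_scheme_bits(dictionary_size: int, word: str, suffix_choices: int) -> float:
    """Bits of work once the attacker knows the pattern: word + leet + short suffix."""
    return math.log2(dictionary_size * len(leet_variants(word)) * suffix_choices)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to search the whole space at an assumed offline guess rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def generate_passphrase(n_words: int, wordlist=WORDS, sep: str = "-") -> str:
    """Words picked with a CSPRNG; each adds log2(len(wordlist)) bits and stays memorable."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    # 'Tr0ub4dor&3' = dictionary word, leet, symbol + digit suffix (95 * 10 choices).
    leet_bits = leet_scheme_bits(50_000, "troubador", 95 * 10)
    print(f"'Tr0ub4dor&3' as a known scheme: {leet_bits:.1f} bits, "
          f"{years_to_exhaust(leet_bits) * 365.25 * 86400:.2f} s to exhaust")
    print(f"8 random chars from 95 printable:  {entropy_bits(95, 8):.1f} bits")
    words_bits = entropy_bits(7776, 5)
    print(f"5 random diceware words:           {words_bits:.1f} bits, "
          f"{years_to_exhaust(words_bits):.0f} years to exhaust")
    print("sample passphrase:", generate_passphrase(5))
```

The comparison is only as good as its assumptions, but the shape of the result holds for any realistic numbers: a pattern the attacker can describe costs a few dozen bits regardless of how odd it looks, while every additional randomly chosen word adds the same fixed amount of work and the phrase stays something a person can actually remember.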
Do you teach employees about password security?
Password security is arguably the most important part of cyber security. An organisation can have the most robust mechanisms in place to prevent cyber attacks, but if an employee uses a weak password or leaves it written down and publicly available, it’s tantamount to leaving the door to your office unlocked overnight.
You might get lucky and avoid a break-in, but for how long? Cyber crime is an ever-present threat, and it’s only a matter of time before you come under attack.
Fortunately, as we’ve explained here, it isn’t hard to create a strong password. All you need is a detailed password policy that your staff can follow.
You can learn more about password security, and spread the message throughout your organisation, by enrolling your employees on our Information Security and Cyber Security Staff Awareness E-Learning Course.
This e-learning course explains the dos and don’ts of password security, and details other essential security tips that your staff should be aware of, such as the threat of phishing and how to handle sensitive documents and portable devices.
You can use the information to inform your security policies and ensure that your employees become an asset, rather than a liability, when it comes to the threat of cyber crime.