Passwords are a critical part of online security; they’re your first – and most important – line of defence in making sure that hackers can’t access your personal data, or the data of your organisation. Most people have dozens of online accounts, each requiring its own password to protect the data behind it.
But we have a problem with passwords: far too many are too weak to be considered a secure defence. In our 2017 Security Bulletin, we found that 45% of passwords can be considered “High Risk”, and a further 4% “Medium Risk”. These numbers are unacceptably high when it comes to maintaining the security of an organisation’s data.
What constitutes a “High Risk” password?
Kiandra defines a “High Risk” password as any password that makes use of common words found in dictionaries, is easy to guess, and uses fewer than nine characters. Many organisations mandate a password length of just eight – or even six – characters, which in itself creates a huge level of risk, but beyond this, the simplicity of what people set as their passwords makes them easy to break.
Some of the most common words used in passwords (which, incidentally, are all classified as “High Risk”) are:
- Days of the week (as well as the year in which the password is made)
- Months/seasons of the year (as well as the year in which the password is made)
- The name of the company itself, or an example of a product that it makes – this one was surprisingly common, with just about every company having at least one password referencing its name.
- The most common passwords (“password”, “welcome”, “Qwerty”, etc).
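As an added illustration (not part of the bulletin), here is a small audit check that applies the definition above to candidate passwords: it strips an appended year or symbol run, undoes common letter substitutions, and flags passwords that are short or built on a day, month, season, company name or well-known password. The wordlists and the organisation name `Kiandra` are constructed for the demo; a real audit would load a full dictionary and the organisation's own product names.

```python
import re
from typing import Iterable, List, Tuple

# Constructed wordlists for the categories the bulletin names (demo only).
DAYS = {"monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"}
MONTHS_SEASONS = {"january", "february", "march", "april", "may", "june", "july",
                  "august", "september", "october", "november", "december",
                  "summer", "autumn", "winter", "spring"}
COMMON = {"password", "welcome", "qwerty"}
MIN_LENGTH = 9

# Undo the substitutions people use to "disguise" a dictionary word: @->a $->s !->i 0->o 1->l 3->e 4->a
LEET = str.maketrans("@$!0134", "asiolea")


def stem(password: str) -> str:
    """Lower-case, drop leading/trailing digits or symbols (e.g. an appended year),
    then undo leet substitutions, so "Summer2017!" is judged as "summer"."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)
    return core.lower().translate(LEET)


def classify(password: str, org_words: Iterable[str]) -> Tuple[bool, List[str]]:
    """Return (high_risk, reasons) under the bulletin's definition: fewer than nine
    characters, or built on a day, month/season, company name or common password."""
    reasons: List[str] = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"fewer than {MIN_LENGTH} characters")
    s = stem(password)
    categories = (("day of the week", DAYS), ("month or season", MONTHS_SEASONS),
                  ("company or product name", {w.lower() for w in org_words}),
                  ("common password", COMMON))
    for label, words in categories:
        # words shorter than four letters ("may") are skipped to avoid false positives
        hits = sorted(w for w in words if len(w) >= 4 and w in s)
        if hits:
            reasons.append(f"{label}: {', '.join(hits)}")
    return bool(reasons), reasons


if __name__ == "__main__":
    for pw in ("Summer2017!", "Kiandra1", "P@ssw0rd", "xT9#vQ2!mL4p"):
        print(pw, classify(pw, {"Kiandra"}))
```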
How can I improve my password security?
Everyone should take the time to regularly check the health of their own passwords and those of their organisation. In doing so, there are some best practices that they should adopt wherever possible to improve the strength of the passwords they use.
1) Add two-factor authentication
Two-factor authentication requires an extra step before a person can log into their accounts; after correctly entering the password, an SMS is sent to the person’s phone with a code to enter. This means that unless a hacker is also able to access the person’s physical phone, or somehow hijack their mobile number, they still won’t be able to access the account, even if they have the right password.
Another form of two-factor authentication is the ‘Google Authenticator’ app, which also provides a code to enter when logging in. The primary difference between the SMS version and the app version is that the app code changes every 30 seconds, and once it changes the old code no longer works, whereas an SMS code remains valid for a longer period of time.
2) Change passwords regularly
It’s a good idea to change your passwords regularly for all your accounts, and make sure that each account has a different password. That way, if a hacker does get access to one account they won’t necessarily be able to access the others. This can result in a lot of work to remember all the passwords, but there are tools that can help with this.
3) Make sure you can remote wipe your phone
If your phone is lost or stolen, then whoever finds it will be able to access all kinds of information about you and, most likely, your secure accounts, simply by figuring out the unlock code for your device. They’ll also be able to get through your two-factor authentication. For this reason, setting your phone up to allow a remote wipe is important, just in case you lose it. This is easy enough to do on both iOS and Android devices.
4) Invent a birthday for your logins
If you forget your password and ask to reset it, the application will typically send an email to your backup email address with a link to the password reset function. There, the application will ask you to confirm your identity by entering your birthday. Unfortunately, if you have been splashing your birthday around the Internet through your social profiles and the like, the hacker will be able to get that data quite easily. The best way around this is NOT to publish sensitive information on social media, but failing that, you can make up a secret birthday that you use for all your logins.
5) Be careful that you’re not giving away your security questions
Another important part of password security is the security question; when the date of birth isn’t the ‘password recovery question’, a secret question set when the account was created will be the alternative. Again, if your security question is something along the lines of “what is your favourite sporting team?” and your Facebook profile picture is your team’s logo, then you’re making it quite easy for the hacker. Choose a piece of information the hacker could not easily find out, such as ‘what was your childhood best friend’s name?’ or ‘what was your favourite movie when you were a teenager?’.
What tools are available to help me with my passwords?
Password managers are an indispensable tool for the modern internet user: they generate a complex, secure and different password for each account, without the user having to remember every single one. There are many password managers available, with both free and paid-for options.
Some of the very best examples include:
- Dashlane 4 – This password manager supports two-factor authentication, can automate password changes for 500 sites, and has advanced form-filling functions. It even captures receipts for online shopping. Dashlane 4 is a comprehensive and fully-featured password management tool.
- LastPass 4.0 Premium – The primary benefit of LastPass is the powerful way it syncs passwords across all your devices, so it’s easy to log in from any of them. It also features comprehensive password-sharing tools, and produces actionable security reports so you can see if you have any weaknesses.
- LogMeOnce Password Management Suite Ultimate 5.2 – In addition to the standard features of a password manager, LogMeOnce can also track stolen or lost devices, and has some of the most comprehensive reporting tools of any password manager.
Being secure online requires some initiative around passwords – people simply setting easy-to-remember passwords and forgetting about them is something that many hackers rely upon. Change your passwords frequently, set up two-factor authentication, and strongly consider investing in a leading password manager to make this job much easier for you.