How to improve your password security
Understanding What Makes a Strong Password
On average, each of us uses approximately 13 unique passwords across all our accounts. To some this may sound like a lot, though research shows that many of these passwords are used across different accounts.
Repeat password use is frustratingly common, especially when you consider that should your password be compromised on one account, then there is very little stopping someone compromising the rest of your accounts.
Though you may have varyingly secure passwords depending on the importance of the given account, there are a few simple steps and measures that you can take to help strengthen your password process and your overall information security.
Four Unrelated Words
One of the most common methods of creating a secure, yet memorable password is to combine 4 unrelated random words, such as ‘CorrectHorseBatteryStable’ (although not that one). To make it more difficult for a hacker to guess, it is important these words have no relation to yourself, such as your username or date of birth.
Whereas a two-word combination may be broken within a few hours, if you ensure that the password is at least 15 characters long, the ‘would-be’ attacker will be waiting years to crack your password.
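The following is an added example, not code from the original post or from Hut Six, showing how a four-word passphrase can be generated from a word list with a cryptographically secure random choice, and how the number of words and the size of the list determine the guessing effort. The word list here is a constructed stand-in; a real generator would draw from a published list of several thousand words, such as the 7776-word EFF diceware list used in the entropy figures below.

```python
import math
import secrets
from typing import List

# Constructed, deliberately small word list for demonstration only.
# A real passphrase generator should use a list of thousands of words.
DEMO_WORDS: List[str] = [
    "candle", "river", "plastic", "thunder", "orbit", "meadow", "walnut", "silver",
    "jacket", "pillow", "lantern", "copper", "velvet", "harbor", "cactus", "marble",
]


def generate_passphrase(words: List[str], count: int = 4, min_length: int = 15) -> str:
    """Join `count` randomly chosen words, retrying until the result is at least
    `min_length` characters, as the post recommends (15+ characters)."""
    if count < 1 or not words:
        raise ValueError("need at least one word and a non-empty word list")
    while True:
        # secrets.choice uses the OS CSPRNG; random.choice would be predictable.
        phrase = "".join(secrets.choice(words).capitalize() for _ in range(count))
        if len(phrase) >= min_length:
            return phrase


def passphrase_entropy_bits(word_list_size: int, count: int) -> float:
    """Entropy in bits when each word is chosen uniformly and independently."""
    return count * math.log2(word_list_size)


def expected_guesses(word_list_size: int, count: int) -> float:
    """Average number of guesses an attacker who knows the word list and the
    scheme needs: half of all possible combinations."""
    return (word_list_size ** count) / 2


if __name__ == "__main__":
    print(generate_passphrase(DEMO_WORDS))
    for n in (2, 4):
        bits = passphrase_entropy_bits(7776, n)
        print(f"{n} words from a 7776-word list: {bits:.1f} bits, "
              f"~{expected_guesses(7776, n):.2e} guesses on average")
```

Two words from a 7776-word list give about 26 bits (some 30 million guesses on average); four words give about 52 bits, roughly 60 million million guesses. How long that takes depends on how fast the site's password hash can be computed, which is why the salted, slow hashing described later in the post matters as much as the passphrase itself.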
Depending on the number of accounts you have, it is likely that it is going to be difficult to remember all these passwords without any help.
Rather than writing these passwords down on a piece of paper or keeping them within a plain text file, there are a host of great password managers out there, many of which are available for free and generate secure passwords simply and securely.
The best thing being you will only need to remember one password to access the rest. Though remember, there is quite a lot of pressure to remember that one, since without it, you might be locked out of multiple accounts.
Increasingly common in the digital world is ‘two-factor authentication’. Generally now a standard for banks, this process prompts the user for a second form of verification during the login process that helps prove the user’s legitimacy and increase account security.
This two-factor authentication could be an access-code sent via text, a phone call or even a device-generated code. This means that should an attacker gain your password; they would still not be able to get their hands on your account or your safely secured information.
A definite improvement within anyone’s password process.
Though it might not sound like the most exciting way to spend an afternoon, conducting an ‘online audit’ is quickly becoming a digital necessity.
This can entail several elements. Firstly, deleting accounts that are no longer active or needed.
Remember your old Myspace account? That is right, 427 million passwords were hacked. As a site loses users, it often loses the motivation to keep those accounts secure. This means it is probably worth spending that extra bit of time exercising your GDPR right to erasure and getting rid of those teenage digital tracks.
As well as removing old accounts, it is worth checking to see if your email addresses have been linked to any known breaches. Have I Been Pwned? should give you your answer. If you discover any breaches, it is probably time to change those passwords too.
Want to understand the password process a little better? Here are some key terms used in password security:
When we create a password for a login, what is known as a hash is generated. It is a scrambled version of the password, stored as a record that enables your login. Should an attacker gain access to these password hashes, the password itself remains unknown. The task for the hacker at this stage is to try and break the code.
The two most common approaches that hackers employ are brute force and dictionary attacks. Firstly, a brute force attack attempts any and all combinations possible, generating huge amounts of hashes and comparing them to the stolen hash. If they find the match, then they have discovered the password.
Alternatively, a dictionary attack generates hashes from lists of common passwords, dictionary entries, and common character combinations. This method can prove to be very effective, especially if your password is not too complex.
To counter these attacks, cryptographers use a process known as ‘adding salt’. This mathematical technique prevents nefarious characters from comparing generated hashes by adding randomisation into the hashing process, meaning two users with the same password would have a different hash.
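As an added example (not code from the original post or from Hut Six), the snippet below shows the difference salting makes on the storage side. It hashes a password once without salt and once with a random per-user salt using PBKDF2, an iterated hashing function available in Python's standard library, and stores the salt alongside the hash so the password can still be verified at login. The usernames and passwords are constructed sample values.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# PBKDF2 iteration count; real deployments use a deliberately high value
# (or a memory-hard function) so that each guess costs the attacker time.
ITERATIONS = 100_000


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password: identical passwords give identical hashes,
    so one precomputed table of common-password hashes works against every user."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None) -> Dict[str, str]:
    """Create the stored login record: a random 16-byte salt plus the salted,
    iterated hash. The salt is not secret; it only needs to be unique per user."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify(password: str, record: Dict[str, str]) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(digest.hex(), record["hash"])


def same_password_shares_hash(password: str, salted: bool) -> bool:
    """Do two users who pick the same password end up with the same stored hash?"""
    if salted:
        return make_record(password)["hash"] == make_record(password)["hash"]
    return unsalted_hash(password) == unsalted_hash(password)


if __name__ == "__main__":
    # Constructed sample users who happen to choose the same weak password.
    shared_password = "Summer2020"
    print("unsalted hashes identical:", same_password_shares_hash(shared_password, salted=False))
    print("salted hashes identical:  ", same_password_shares_hash(shared_password, salted=True))
    alice = make_record(shared_password)
    print("login with right password:", verify(shared_password, alice))
    print("login with wrong password:", verify("Summer2021", alice))
```

With salting, an attacker who steals the table cannot compare one generated hash against every user at once; each user's salt forces the work to be redone per account, and the iteration count makes every one of those guesses slower.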
Security Awareness for your Organisation
Enjoyed our blog? Learn more about how Hut Six can help improve your security awareness with training and simulated phishing. Start a free trial now, or book a meeting with one of our experts.