May 6th is World Password Day, a day dedicated to encouraging good password culture and avoiding common mistakes.
Passwords are both the first line of cybersecurity defence and its greatest weakness. Poor password management makes it easier for hackers to get access to sensitive data, putting businesses and individuals at risk.
With the pandemic driving millions around the world to do business online, we have more password-protected accounts than ever before. As such, using good passwords to keep our data safe from bad actors is vital.
Unfortunately, not everyone takes good care of their passwords.
Last month, the National Cyber Security Centre (NCSC) used National Pet Day to warn people not to use their pets’ names as passwords. According to the group, millions of people in the UK use passwords based on their pets, a trend that puts people at risk.
Also common are the names of family members and loved ones, anniversaries, and sports teams.
Common, easily remembered passwords are simple for cybercriminals to guess. With vast amounts of personal data about most people readily available online, a little research can give an attacker the clues (a pet's name, a birthday, a team) needed to break such a password.
A report from cybersecurity experts SpyCloud has also warned that 60% of people are putting themselves at risk by reusing passwords.
Furthermore, automated cracking tools, increasingly aided by AI, can run through lists of common passwords and their predictable variations (capitalised first letters, appended years, symbol substitutions) at enormous speed, breaking even passwords that look relatively secure in a matter of hours.
If you’re worried whether you are using a common password, the NCSC revealed a list of the most hacked UK passwords.
To celebrate World Password Day and to help people keep their data secure, DIGIT spoke to three cybersecurity experts to get some tips and advice.
Keep it Complicated
Head of Ethical Hacking at the Scottish Business Resilience Centre Declan Doyle says: “Strong passwords are an important step in online security, but we often make them short and easy to remember – but that can also make them hackable.
“Even if we take care to create a long and complex password, we then reuse it across multiple accounts. While this approach means we’re less likely to lock ourselves out, it also increases the risk because hackers use powerful computers to randomly guess thousands of passwords each second until they find the correct one.
“The NCSC recommends using passphrases instead of passwords. These are ideally made up of three individual words such as ‘GoldilocksBearPorridge.’ This gives strong protection because they are long but they are also easier to remember than a jumble of letters and numbers.”
Managing Director at The Tech Force Jai Aenugu says: “My advice for improving password security is to use a password manager wherever you can. The challenge for most people (with weaker passwords) is to create complex unique passwords and remember them. Hence, we see them using a weaker password repeatedly.
“A password manager addresses exactly that and more. It will generate a strong unique password, remember the password, and keep them secure. The only password you need to remember is the master password for the password manager, and I encourage you to have multi-factor authentication enabled. Password managers sync across devices so that you can use them on mobiles and PCs.
“If you don’t want to use a password manager, the general rule of thumb for passwords is: the longer or more complex the password is, the harder it is to crack. One can do that by replacing the password with a passphrase or three random words. Easier to remember and harder to crack.
“These work best for protecting against brute force attacks. However, they will not protect you if the password was exposed as part of a data breach. Using a unique password for different services will reduce the risk in case of a data breach.”
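The two experts above both recommend a three-random-words passphrase over a short "complex" password, and both mention attackers guessing at high speed. The example below, added here and not code from DIGIT or either expert, puts numbers on that comparison: it generates a passphrase with a cryptographically secure choice and computes the entropy of several schemes against an assumed offline cracking rate (the 7776-word diceware list size and the 1e10 guesses-per-second figure are assumptions for the calculation, and the small wordlist is a constructed stub so the code runs offline). One caveat it makes visible: three words chosen truly at random from a 7776-word list carry about 39 bits, less than eight fully random printable characters (about 53 bits). The passphrase advice wins because people actually remember it and because it beats the human-chosen passwords attackers target first, not on raw entropy; where a password may be attacked offline (a leaked hash database, an encrypted disk), add a fourth or fifth word.

```python
import math
import secrets

# Constructed wordlist stub for the demonstration only; a real diceware-style
# list has 7776 words, and that size (not this stub) drives the entropy figures.
SAMPLE_WORDS = ["goldilocks", "bear", "porridge", "harbour", "lantern",
                "meadow", "pebble", "quartz"]
DICEWARE_LIST_SIZE = 7776  # assumption: size of a standard diceware word list
ALPHABET = {"lowercase": 26, "alphanumeric": 62, "all printable ASCII": 95}


def entropy_bits_random_chars(length, alphabet_size):
    """Entropy of `length` characters drawn uniformly from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def entropy_bits_passphrase(word_count, list_size):
    """Entropy of `word_count` words drawn uniformly from a list of `list_size` words."""
    return word_count * math.log2(list_size)


def generate_passphrase(word_count=3, words=SAMPLE_WORDS, separator=""):
    """Three-random-words style passphrase. `secrets` (not `random`) is used so the
    choice comes from the OS CSPRNG; a Mersenne Twister output is predictable."""
    return separator.join(secrets.choice(words).capitalize() for _ in range(word_count))


def seconds_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every candidate at a given offline cracking rate."""
    return 2.0 ** bits / guesses_per_second


def strength_table(guesses_per_second=1e10):
    """Entropy and days-to-exhaust for common schemes. 1e10 guesses/s is an
    assumed round number for a GPU rig against a fast unsalted hash; a slow
    password hash (bcrypt, scrypt, Argon2) cuts the rate by orders of magnitude."""
    schemes = {
        "8 random lowercase letters": entropy_bits_random_chars(8, ALPHABET["lowercase"]),
        "8 random chars, all printable ASCII": entropy_bits_random_chars(8, ALPHABET["all printable ASCII"]),
        "3 random diceware words": entropy_bits_passphrase(3, DICEWARE_LIST_SIZE),
        "4 random diceware words": entropy_bits_passphrase(4, DICEWARE_LIST_SIZE),
        "6 random diceware words": entropy_bits_passphrase(6, DICEWARE_LIST_SIZE),
    }
    return {name: (round(bits, 1), seconds_to_exhaust(bits, guesses_per_second) / 86400)
            for name, bits in schemes.items()}


if __name__ == "__main__":
    print("example passphrase:", generate_passphrase())
    for name, (bits, days) in strength_table().items():
        print(f"{name:38s} {bits:6.1f} bits  ~{days:,.4f} days to exhaust")
```

Note that the entropy figures only hold for words or characters chosen at random by a machine. "GoldilocksBearPorridge" is a memorable illustration, but a human picking a well-known fairy-tale trio gets far fewer bits than the diceware line in the table, which is another reason to let a password manager do the choosing.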
Avoid Old Mistakes
Quorum Cyber Managing Director Federico Charosky says: “Password guidance has moved on quite a bit in recent years, but people and organisations are still hanging on to old misconceptions – we see a lot of mistakes (inherited from the past) like people being asked to change passwords every 30 days, enforced password ‘complexity’ needing all sorts of symbols, numbers and capital letters, or web pages preventing pasting of passwords.
“These (originally well intended) measures have been thoroughly debunked by research showing that they actually expose passwords to more risk.
“On the other hand, there’s been some great new guidance from organisations such as the NCSC providing up-to-date recommendations that help both users and organisations stay safer. What I love about the modern approach is that it really focuses on removing friction for users, ensuring the safest way is now also the easiest way (for example using passphrases that don’t expire, adopting password managers, and moving away from passwords altogether for biometrics).
“Overall I think we’ve made great progress in making things easier for people, and organisations really need to keep up to date with current guidance and step up their game. I look forward to the day biometrics and other authentication mechanisms like keys make passwords a thing of the past, but in the meantime following modern advice is going to be a net positive for everyone.”
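Federico Charosky contrasts the inherited rules (mandatory symbols, digits and capitals) with current NCSC-style guidance. The following is an added example, not code from Quorum Cyber or from DIGIT, showing what that difference looks like in a server-side password check: a legacy composition policy next to a modern one that enforces only a minimum length, a generous maximum so long passphrases are allowed, and a denylist of known-bad passwords. The denylist here is a small constructed one (a real deployment would load a large breach-derived list), and the minimum length of 12 is an assumption for the example rather than a figure from the article. The point the code makes is that the legacy policy accepts "P@ssw0rd1" and rejects "GoldilocksBearPorridge", while the modern policy does the opposite.

```python
import string

# Constructed denylist for the example only. Real deployments load a large
# breach-derived list rather than a handful of entries.
DENYLIST = {"password", "123456", "qwerty", "letmein", "fluffy", "liverpool"}

MIN_LENGTH = 12   # assumption for this example; length matters more than symbol rules
MAX_LENGTH = 128  # never a low cap: long passphrases must be allowed

# Common substitutions attackers' rule sets already undo, so the policy should too.
_LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "l", "0": "o", "$": "s", "5": "s"})


def normalize(pw):
    """Fold trivial variants ("Fluffy2021!", "P@ssw0rd1") back to their base word
    before the denylist lookup: casefold, drop trailing digits/punctuation, undo leet."""
    base = pw.casefold().rstrip(string.digits + string.punctuation)
    return base.translate(_LEET)


def legacy_policy(pw):
    """The 'old mistake': a short minimum plus mandatory character classes.
    Returns a list of problems; an empty list means the password is accepted."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    classes = (("uppercase", string.ascii_uppercase), ("lowercase", string.ascii_lowercase),
               ("digit", string.digits), ("symbol", string.punctuation))
    for name, cls in classes:
        if not any(c in cls for c in pw):
            problems.append(f"missing {name}")
    return problems


def modern_policy(pw, denylist=DENYLIST):
    """Length bounds and a denylist only: no composition rules, no low maximum length,
    and (not shown here) no calendar-based expiry. Returns a list of problems."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if normalize(pw) in denylist:
        problems.append("matches a known-bad password (after stripping trivial variations)")
    return problems


if __name__ == "__main__":
    for candidate in ("P@ssw0rd1", "Fluffy2021!", "GoldilocksBearPorridge"):
        print(f"{candidate!r}: legacy={legacy_policy(candidate) or 'OK'} "
              f"modern={modern_policy(candidate) or 'OK'}")
```

The normalisation step is the part that does the real work: without it, "Fluffy2021!" sails past a plain set lookup even though it is exactly the pet-name-plus-year pattern the NCSC warned about, and any cracking rule set tries that variation in its first pass.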