Tips for keeping your password safe and secure
We have loads of website we log in to these days – I have somewhere around a thousand. That’s a thousand possible places that hackers could get my password from and try to use elsewhere. So I have to keep my passwords safe and secure.
Why password security?
At the end of April 2021, the Colonial Pipeline was hacked. This hack took down the U.S.’s largest fuel pipeline and led to shortages all across the East Coast of America. It turns out that the hack resulted from one compromised password. The password was from an unused, but still enabled, account. The password had been found in a batch of leaked passwords on the dark web. It’s likely that the account owner had used the same password for multiple logins and one of the sites they logged into had been compromised.
How do I keep my password safe and secure?
Keeping your passwords safe is relatively easy, it just requires a little time to set up and discipline to maintain.
Do not use the same password for multiple logins
Have a different password for every web site that you log in to. The difficulty here is remembering them. The solution is simple. Use a password vault. A password manager (or vault). A password manager will keep your login credentials secure. It stores your login username and password and associates these with the website that you log in to. When you go to login to that website, it’ll fill in the username and password for you
Use complex passwords
A complex password consists of upper and lowercase letters, numbers and special symbols, and is long. Password managers have a facility to generate complex passwords. Some experts recommend using three or four non-connected words, like tablecarcloudswhisky, but personally, I’d go for the former, especially as I use a password manager.
Don’t change your password as a matter of course
It used to be that experts recommended changing your password every month. Some companies I’ve worked with still enforce this policy. However, the latest recommendation is to only change your password if you know or suspect that it has been compromised. Why? Because we tend to rotate passwords or use the same password with a number sequence at the end, just so we can remember them.
Use a password manager
I’ve already mentioned these, but it bears repeating. Use a password manager. You can have a different password for every login. The passwords are stored securely in the cloud so you can access your login credentials anywhere. One additional benefit that I’ve found is protection against phishing attacks. Because the username and password are associated with a specific login page, if you visit a page that is pretending to be a login page for, say, PayPal or your bank, the web address (URL) of the web page won’t match and the password manager won’t fill in the username and password.
Use 2-factor authentication
2-factor authentication (or 2FA) is an additional level of security where, once you have logged in, you have to then provide additional information. Most banks now send a text to your registered phone number with a code that you have to enter. Personally, I’m not a great fan of this as text messages can be faked or intercepted, or you could lose your phone.
Personally – where there is the option – I use an authenticator app, like Google authenticator or a USB token like YubiKey. PC Mag has a good article about authenticator apps.
One quick thing – don’t rely on fingerprint or facial recognition alone, especially for your phone. Some facial recognition can be fooled with a photo, and someone could just knock you over the head and use your finger while you’re unconscious – we’ve all seen it done on the crime dramas!
How do I know if my password has been compromised?
Such a good question. To be honest, you can’t do it yourself, so I use a service called have i been pwned? The person who created this web service is a guy called Troy Hunt. He’s a Microsoft regional director and well respected in the cybersecurity field.
When you arrive on the site, you can simply enter your email address or phone number to see if has been revealed in a data breach. However, you can also sign up for the “Notify me” service and, if your email address is leaked at a later date, you’ll receive an email saying which website has been compromised so you can go there and change your password.
There’s also a facility to check whether a password you use has been compromised – try entering “password” or “starwars” and see what it reports! Finding your password on this list doesn’t mean that your login that uses that password has been compromised, but it may have been. Go and change the password.
More resources
I’ve written several posts that include some information on passwords. It’s also worth looking at “Ten Password Mistakes That Could Get Your WordPress Site Hacked” on the WordFence blog. Although they’re talking about WordPress, many of the suggestions are pertinent to any password usage.
Do you want to learn more?
Network Midlands runs seminars to help you protect your business against cyber-attacks. Find out more at “What can possibly go wrong“
