Thursday 7th May marks World Password Day. Whilst this might not be the most widely celebrated event, it does present the opportunity to alert people outside the cyber security community about the importance of their passwords.
Password reuse is a severe risk to your organisation's data and your personal data. A recent study from LastPass found that 66% of respondents always use the same password, with 64% saying the fear of forgetting the password was their reason for reuse. Meanwhile, a quick search of haveibeenpwned shows (at the time of writing) that over 555,000,000 passwords have been exposed in data breaches.
What is a weak password?
Weak passwords are easily guessed or cracked. Because so much personal information is freely and easily available on the internet, a weak password includes anything built from the following:
Your pet’s name
Your own name or the name of a family member
Part of your home address
Celebrity or fictional character names
Last year the NCSC published a list of the most commonly used passwords.
What is the risk from passwords exposed in a data breach?
When a data breach occurs, email address and password combinations are retrieved and put up for sale relatively cheaply on the dark web. These email and password combinations are then tried against major personal sites, such as banks, Google, Apple, Facebook, Netflix, Amazon and Instagram. With 66% of people reusing their password, the chances of success are very high.
When a business email address and password are harvested, it can have a devastating effect on a company. It allows an attacker to bypass the phishing phase of an attack and go straight to Office 365, Gmail, or a mail or VPN server and try the discovered email and password combination. From there the access can be used to plan a business email compromise attack, extract data or commit fraud.
How to protect your accounts:
1. Unique password: Use a separate password for each critical account, so that if one website is compromised your other vital accounts are unaffected. Avoid password reuse, including variations of the same password.
2. Strong passwords: The NCSC recommends using three random words, adding numbers and symbols if needed. Recently, I heard a great recommendation for creating a strong and unique password. The advice was:
Take any book
Pick a random page
Use the first 4 words on the page
Include the page number and a symbol in the password
This will help create a very long and unique passphrase that would be difficult to guess.
3. Password manager: Whilst it takes a little while to get used to, once set up correctly it can generate a random and unique password for each website. Some of the popular password manager services are LastPass, Keeper and Dashlane.
4. Change your password on breached accounts: If you discover on haveibeenpwned that your email address has been compromised, go to the compromised website, log on and change your password as soon as possible.
5. Reset other accounts' passwords: Afterwards, it is good practice to change your password as and when you next log on to each of your other accounts, especially if you reuse your password everywhere.
6. Multi-factor authentication (MFA): Check in the account settings whether the account allows MFA or the use of an authenticator app. This is great to use for your vital accounts. MFA works by requiring something in addition to your password (such as a six-digit code sent by SMS) to log you on. Therefore, if your username and password are stolen, hackers are unable to log on without the additional code.
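The two checks behind steps 2, 4 and 5 (is the password built from personal details, and has it already appeared in a breach) can be automated. The following Python script is an added example and not code from the original post. It uses the k-anonymity range technique that the Have I Been Pwned Pwned Passwords service exposes: only the first five characters of the password's SHA-1 hash are sent, the server returns every hash suffix sharing that prefix, and the match is made locally so the password itself never leaves the machine. The range response embedded below is constructed for this example with made-up counts; a live lookup would fetch the body for the password's own prefix from the `api.pwnedpasswords.com/range/` endpoint (shown in `fetch_range`, which the sample run does not call).

```python
"""Screen a candidate password: reject personal-detail passwords and
passwords already present in a breach corpus, without transmitting the
password. Added example; not the original post's code."""
import hashlib
import urllib.request
from typing import Dict, Iterable, Tuple


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into the 5-char
    prefix that may be sent and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix: str) -> str:
    """Live lookup of one hash-prefix range (network; not used in the
    sample run below). Returns the raw 'SUFFIX:COUNT' lines."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse a range response: one 'SUFFIX:COUNT' entry per line.
    Malformed lines are skipped rather than raising."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.strip().isdigit():
            counts[suffix.strip().upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """How often the password appears in the corpus, matched locally
    against the range body fetched for its own 5-character prefix."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_body).get(suffix, 0)


def contains_personal_term(password: str, personal_terms: Iterable[str]) -> bool:
    """True if a pet name, family name, address fragment or similar term
    (3+ characters) appears anywhere in the password, ignoring case."""
    lowered = password.lower()
    return any(t.strip().lower() in lowered
               for t in personal_terms if len(t.strip()) >= 3)


def assess_password(password: str, personal_terms: Iterable[str],
                    range_body: str) -> Dict[str, object]:
    """Combine both checks; the 12-character floor is this example's
    own choice, not a figure from the post."""
    count = breach_count(password, range_body)
    personal = contains_personal_term(password, personal_terms)
    return {
        "breached_count": count,
        "contains_personal_term": personal,
        "acceptable": count == 0 and not personal and len(password) >= 12,
    }


# Constructed sample response for prefix 5BAA6, which is the prefix of
# SHA-1("password"). The counts are made up for this example; a real
# call to fetch_range("5BAA6") would return the live figures.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
0000000000000000000000000000000000A:2
ABCDEF0123456789ABCDEF0123456789ABC:15
"""

if __name__ == "__main__":
    # Hypothetical personal terms a user might be tempted to reuse.
    terms = ["Fluffy", "Baker Street", "Smith"]
    for pw in ["password", "Fluffy2020!", "copper lantern quietly 212#"]:
        # In real use, fetch the body for sha1_prefix_suffix(pw)[0];
        # here the constructed 5BAA6 range stands in for every lookup.
        print(pw, "->", assess_password(pw, terms, SAMPLE_RANGE_5BAA6))
```

Because the comparison happens on the client, a server operator only ever learns a five-character hash prefix, which hundreds of distinct passwords share; this is what makes the check safe to run against a third-party corpus. The same `breach_count` routine can be dropped into a sign-up or password-change form to enforce step 4 automatically rather than relying on users to search haveibeenpwned themselves.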