Therefore, it’s more vital than ever to use today’s platform to promote better password habits, as robust and resilient passwords are the foundation of effective cyber security.
Passwords are the key to our digital identity, that is, our entire online footprint – from our personal banking accounts to our favourite ecommerce websites (which, more often than not, store our credit card and payment information), and even our social media platforms. And the single biggest mistake that many people are guilty of is reusing passwords – or using a variation of a recycled password – across the multitude of registered accounts they own. The popular belief is that this gives us greater control over our passwords.
In theory it actually makes sense. As of January 2021, there were 4.66 billion active internet users worldwide and the average user has 90 online accounts [1]. With that number of accounts created by a typical individual, having a smaller number of passwords to remember is best, right?
Wrong. From a security perspective this poses a massive risk of your digital identity becoming compromised, and your personal information or banking details being exposed, should a malicious third party gain access to that one password.
A very useful open-source tool for checking whether a selected password has been part of a breach is haveibeenpwned.com. Their password checking facility can detect if your selected password has appeared in a known breach, giving a clear indication that it should be changed. Furthermore, it can be worth using their email lookup facility to find out if your details show up in an extract from a compromised site or data breach.
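How that password check can be done without ever sending the password itself, as an added example that is not code from the article or from haveibeenpwned.com: the client hashes locally and sends only the first five characters of the SHA-1 to the Pwned Passwords range endpoint, then matches the remaining suffix against the returned list. The sample range response and its counts below are constructed for illustration.

```python
import hashlib
import urllib.request
from typing import Tuple

# Pwned Passwords "range" API (k-anonymity): only the 5-char SHA-1 prefix is
# sent; the server returns every known suffix in that range with a count.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str) -> Tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the uppercase hex SHA-1."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Parse a range response ("SUFFIX:COUNT" per line, CRLF-terminated) and
    return how often the password with this suffix was seen, 0 if absent.
    Padded responses list extra suffixes with count 0; those mean not found."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix.upper():
            return int(count)
    return 0


def pwned_count(password: str) -> int:
    """Online check: fetch the range for the prefix, match the suffix locally."""
    prefix, suffix = split_sha1(password)
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "range-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return count_in_range(suffix, resp.read().decode("utf-8"))


# Constructed sample of a range response for prefix 5BAA6 (counts illustrative).
SAMPLE_RANGE = (
    "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
    "2BF1DDE5E3B5D8D2A4D7C8C4E1A7B8C9D0E:0\r\n"
)

if __name__ == "__main__":
    prefix, suffix = split_sha1("password")
    print(prefix, "seen", count_in_range(suffix, SAMPLE_RANGE), "times")
```

Only `pwned_count` touches the network; everything the test exercises runs offline against the constructed sample.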
How your password is structured also affects how vulnerable it is, and it can be strengthened by using a better structure. We’ve all seen the strength ratings shown when creating a new password for an online account. Typically, this not only gives the minimum requirements for the password, but also an indication of how secure or insecure that password will be in use.
However, the typical formula of including upper and lower case, numbers or symbols may not be the most secure combination. According to the National Institute of Standards and Technology (NIST), password length is more effective than character complexity. They’ve deemed that the longer the password, the longer it would take a password cracker to generate the correct string, potentially adding thousands of years to the time needed to crack it!
Furthermore, NIST actively encourages the removal of periodic password resets. It’s their belief that by enforcing these resets, it’s more likely that a user will act in a predictable fashion and simply change the password in a predictable sequence. For example, if the password ended in the number 1 then the user would just change this to the next number in the numerical sequence, which in this example would be the number 2. In theory, this would mean that a hacker wouldn’t have to work too hard to successfully obtain the new password.
A simple way to create long passwords which are easy to remember – and easy to type – is to use phrases rather than the classic random password formula. Simply pick four or five random words, maybe even replace a letter in the middle of one of them with its numerical equivalent, and there you have it, a more robust password structure e.g. something like passing public ra3ider grew.
If possible, you want to save your passwords in a password manager, which means you only have to remember your primary password to get into that password safe. There are many of these to choose from, some entirely offline and some provided as online services. You’re then free to use a multitude of very long passwords which are securely kept in the safe, without the need to remember each and every one of them.
Where possible, it’s also highly preferable to introduce Multi Factor Authentication (MFA). MFA is a system that requires more than one form of confirmation before access to your online account is granted. Typically, this involves something you know (a password), something you have (a smartphone) and something unique to your person (a fingerprint). A common practice is to be prompted for a code after you have supplied your account password, with that code generated on your smartphone by an authenticator app. This technique provides that added layer of defence to protect you against would-be attackers.
[1] Dashlane analysis of data from more than 20,000 users in 2015