The internet is now an integral part of our lives: everything from banking to healthcare can be done on a website. With that convenience comes an important question: how can one maintain a good cyber posture while keeping sensitive information safe? In this post we explain how this can be achieved, so keep reading.
What you should and should not do to create a strong and secure password
Do not use common passwords
Popular and common passwords are vulnerable to password spraying attacks, in which an attacker tries to break into accounts using a list of the most commonly used passwords.
To prevent such an attack, avoid sequential numbers or letters (12345 or qwerty). Even at their longest, these sequences are far too weak to stop someone from accessing your account.
Words such as sunshine or cheese are terrible password choices, as they take only seconds to crack. Two other infamous passwords that will be breached just as quickly are password and letmein.
One last note: using a password generator on a website is not a good choice. As soon as a password is made available to the public, it will most likely end up in a leaked password database, so it is not ideal for keeping you safe from these types of attacks.
Do not use personal information or full words
Sharing personal information on social media is the new norm for many of us. With a simple Google search, one can uncover the first names of family members, town names, and one's birthday.
Full words should also be avoided. Using common names and words in one's password makes it vulnerable to what is known as a dictionary attack. Such an attack relies on a database of words as well as frequent or compromised passwords and their leetspeak equivalents (leetspeak replaces letters with numbers or special characters).
It is recommended to switch a few characters in common nouns to work around these vulnerabilities when creating a password.
There is also a school of thought that long, easy-to-remember passwords are more secure (since they actually get used) than passwords containing a bunch of special characters.
Regardless, the databases used in dictionary attacks already contain a number of common character substitutions. If you want to use this method, you would need to come up with your own substitution scheme.
Use at least 18 characters and up to 40
The minimum of 18 aims to keep you safe from brute force attacks. The longer the password, the more combinations one would need to try to determine it, making it harder to figure out.
One might ask why a password length of 18 when sites only ask for 8? The answer is that best practices are constantly evolving. Cybercriminals are always improving their tactics, and security standards must adapt and keep pace.
Adding 10 more characters to your password makes a huge difference in the number of combinations a hacker would need to try. An 8-character password has 4,304,672,100,000,000 possible combinations, whereas an 18-character password has 150,094,635,296,999,000,000,000,000,000,000,000. This is why password length is extremely important.
One should also avoid strings like “abcdef012345&é”‘(-”, as these will be among the first combinations hackers try when looking for your password.
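To make the combination counts above concrete, here is an added example (not code from the original post). The post's two figures correspond exactly to a 90-symbol alphabet raised to the 8th and 18th power, so 90 is the default alphabet size; the guess rate of 10 billion per second is an assumption chosen only to put the numbers on a human scale, and the leetspeak comparison at the end models the later point that appending a character adds more combinations than swapping a couple of letters for look-alikes.

```python
# Added example (not from the original post): how the number of possible
# passwords grows with length and alphabet size. The post's figures for 8 and
# 18 characters correspond to a 90-symbol alphabet, so that is the default
# here; the guess rate is an assumption used only for illustration.
SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(length: int, alphabet_size: int = 90) -> int:
    """Number of distinct passwords of exactly `length` symbols.

    Python ints are arbitrary precision, so 90**18 is computed exactly.
    """
    return alphabet_size ** length


def years_to_exhaust(length: int, guesses_per_second: float,
                     alphabet_size: int = 90) -> float:
    """Worst-case time to try every combination at an assumed guess rate."""
    return keyspace(length, alphabet_size) / guesses_per_second / SECONDS_PER_YEAR


def substitution_gain(positions: int, variants: int) -> int:
    """Extra combinations an attacker must cover when `positions` letters of a
    dictionary word may each be swapped for one of `variants` look-alikes
    (e.g. a -> a, @, 4). Attack dictionaries already enumerate these."""
    return variants ** positions


def extra_char_gain(alphabet_size: int = 90) -> int:
    """Extra combinations gained by appending one random symbol."""
    return alphabet_size


if __name__ == "__main__":
    rate = 1e10  # assumed guesses per second for an offline attack (illustrative)
    for n in (8, 12, 18):
        print(f"{n:2d} chars: {keyspace(n):>45,d} combinations, "
              f"{years_to_exhaust(n, rate):.3g} years at {rate:.0e} guesses/s")
    # Two leetspeak-style swaps with 3 choices each vs one appended character
    print("swap gain:", substitution_gain(2, 3), "append gain:", extra_char_gain())
```

Running it prints the post's 8- and 18-character figures and shows the 8-character space being exhausted in days at the assumed rate, while the 18-character space takes longer than the age of the universe.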
Passwords Should Have 4 Types of Characters
It is important to use a mix of numbers, upper and lower case letters, and symbols. This increases the number of combinations a hacker must try to find your password. Remember that adding a character to your password increases its strength more than swapping some letters or numbers for special characters.
Even though brute force attacks cannot be fully avoided, password complexity helps prevent dictionary attacks. Adding special characters also adds a random factor to one's password.
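The rules from the sections above (no common or sequential passwords, no dictionary words even in leetspeak, 18 to 40 characters, four character classes) can be enforced at registration time. The following is an added example, not the post's or any product's own code; the word lists are tiny constructed samples, and the leetspeak map covers only the substitutions named in the text. A real deployment would load a full breached-password list in place of the two small sets.

```python
# Added example (not from the original post): a registration-time check that
# applies the rules above (length 18-40, four character classes, no common or
# dictionary passwords even in leetspeak, no keyboard or alphabet sequences).
# The word lists are small constructed samples; a real deployment would load a
# full breached-password list instead.
import string

COMMON_PASSWORDS = {"password", "letmein", "sunshine", "cheese", "123456",
                    "qwerty", "iloveyou", "welcome"}
DICTIONARY_WORDS = {"sunshine", "cheese", "password", "dragon", "monkey",
                    "welcome", "banana"}

# Undo the substitutions attack dictionaries already contain, so "P@ssw0rd"
# is compared as "password".
UNLEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                        "0": "o", "$": "s", "5": "s", "7": "t"})

SEQUENCES = ["qwertyuiop", "asdfghjkl", "zxcvbnm",
             string.ascii_lowercase, string.digits]


def normalize(password: str) -> str:
    return password.lower().translate(UNLEET)


def character_classes(password: str) -> int:
    """Count of the four classes present: lower, upper, digit, symbol."""
    return sum([any(c.islower() for c in password),
                any(c.isupper() for c in password),
                any(c.isdigit() for c in password),
                any(c in string.punctuation for c in password)])


def has_sequence(password: str, run: int = 4) -> bool:
    """True if the password contains `run` consecutive keyboard-row, alphabet
    or digit characters in either direction (e.g. "1234", "qwer", "dcba")."""
    lowered = password.lower()
    for row in SEQUENCES:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - run + 1):
                if seq[i:i + run] in lowered:
                    return True
    return False


def check_password(password: str, min_len: int = 18, max_len: int = 40) -> list:
    """Return a list of short problem codes; an empty list means accepted."""
    problems = []
    if len(password) < min_len:
        problems.append("too_short")
    if len(password) > max_len:
        problems.append("too_long")
    if character_classes(password) < 4:
        problems.append("few_classes")
    norm = normalize(password)
    if norm in COMMON_PASSWORDS:
        problems.append("common")
    for word in sorted(DICTIONARY_WORDS):
        if word in norm:
            problems.append("dictionary:" + word)
    if has_sequence(password):
        problems.append("sequence")
    return problems


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "Qwerty123456!abcXYZ", "Velvet-Otter!Drinks7Tea"):
        print(candidate, "->", check_password(candidate) or "ok")
```

Note that "P@ssw0rd" passes the four-class rule yet is rejected three times over: it is too short, it normalises to a common password, and it contains a dictionary word. That is exactly why complexity on its own is not enough.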
How Long Before a Hacker Finds My Password?
The statistics below show how long it would take a hacker to compromise a password in 2023, based on the number of characters and the character types used.
Make Your Password Memorable
The next question is how to remember longer passwords containing symbols: they may be the strongest, but they are also the most complicated.
There are a few methods that can help you remember your password:
1) Use the first letters of a sentence.
“I created a password using the advice I read on Netim’s blog” could become “Ic@puTa1roNb.”
2) Try Phonetics.
“I ate seven pounds of bananas today” could become “187LBSob2day.”
3) Create a passphrase rather than a password.
This is one of the easiest ways to create a long string of characters, but it is important to follow some rules to ward off dictionary attacks:
- Avoid famous quotes and song lyrics.
- Add another level of difficulty (make up uncommon words, or use a random series of characters to replace a word).
- Replace a word with a password (using the first-letter method).
4) Come up with your own method to remember your password.
This is the most secure option, provided you follow the suggestions discussed above. Another way to overcome the problem of remembering passwords is to use a password manager, which we will look at later in this post.
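For the passphrase method, here is an added example of how such a phrase (or a random character password) should be generated: with the operating system's cryptographic random source rather than an ordinary random-number function. This is not code from the post; the word list is a tiny constructed sample, and the entropy helper shows why a real list (a diceware-style list of several thousand words) is needed before each word contributes meaningful strength.

```python
# Added example (not from the original post): generating a memorable
# passphrase and a random character password with a cryptographic RNG. The
# word list is a tiny constructed sample; a real list (e.g. a diceware list
# of 7776 words) is needed for each word to contribute meaningful entropy.
import math
import secrets
import string

WORDS = ["copper", "lantern", "orbit", "velvet", "glacier", "thistle",
         "harbor", "pumice", "saffron", "meadow", "quartz", "tundra",
         "walnut", "ember", "fjord", "zephyr"]  # constructed sample


def passphrase(n_words: int = 5, separator: str = "-", wordlist=WORDS) -> str:
    """Words chosen with secrets.choice (random.choice is not suitable for
    secrets). One word is capitalised and a digit is appended so the result
    also satisfies a four-class rule without hurting memorability much."""
    words = [secrets.choice(wordlist) for _ in range(n_words)]
    idx = secrets.randbelow(n_words)
    words[idx] = words[idx].capitalize()
    return separator.join(words) + str(secrets.randbelow(10))


def random_password(length: int = 20) -> str:
    """Random password guaranteed to contain all four character classes."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    if length < len(classes):
        raise ValueError("length must be at least 4")
    chars = [secrets.choice(cls) for cls in classes]  # one from each class
    alphabet = "".join(classes)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)  # hide which positions were forced
    return "".join(chars)


def entropy_bits(n_words: int, wordlist_size: int) -> float:
    """Strength of a passphrase whose words are chosen uniformly at random."""
    return n_words * math.log2(wordlist_size)


if __name__ == "__main__":
    print(passphrase())
    print(random_password(24))
    print(f"5 words from {len(WORDS)} words: {entropy_bits(5, len(WORDS)):.1f} bits")
    print(f"5 words from 7776 words: {entropy_bits(5, 7776):.1f} bits")
```

Five words from the 16-word sample give only 20 bits of entropy, which is why the size of the word list matters as much as the number of words.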
Do's & Don'ts of Properly Using Passwords
You now have a way to create a strong password according to your needs, but that isn't quite everything. The next part of keeping one's account secure is practising good cyber hygiene.
Do not share your passwords with anyone
There are many types of attacks that can be used to compromise your password. A third, quite versatile type is social engineering. There are multiple kinds of social engineering attacks, but most aim to trick the user into sharing sensitive information or logins.
One type of social engineering attack is that of phishing.
If you are ever in doubt about the legitimacy of an email, check the sender's address, but do not click on any links it contains. Instead, open a new tab in your browser and go directly to the website the email claims to be from. You can read more about how to determine whether an email is a phishing email by clicking here.
Do not write or enter your password anywhere
Your password may be written on a sticky note stuck to your monitor, or saved in a text file. Writing down or saving passwords without encrypting them is a very bad idea.
Do you use public, shared computers when travelling? If so, be vigilant! These public machines can have software known as a keylogger installed to monitor and record every keystroke.
Public WiFi is also unsafe, as your information can be intercepted. Using a VPN can keep your data safe, as it encrypts the traffic.
Lastly, sending one's password by text message or email also puts you at risk.
Keep Your Passwords Updated
If you believe an unauthorized person has accessed your account, if a data breach has taken place, or if you typed your password on an unsafe device or website, change your password as soon as possible.
Certain websites keep a login history showing when and where your account was logged in from. Others offer login alerts so that you are notified whenever someone accesses your account. Both features give you a way to confirm your password has not been compromised and used.
It is crucial to change the default password provided when you set up your account. Recycling passwords you have already used on other websites is not recommended: they will not keep your data safe, as malicious third parties might already have them in their databases.
Have I Been Pwned is a tool where you can check whether your email address has been involved in a security breach or data leak.
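The login alerts mentioned above rest on a simple check over the login history. Here is an added example of that logic (not code from the post or from any particular site), run over constructed sample records: the IP addresses are RFC 5737 documentation addresses, the users and timestamps are made up, and the two-hour travel window is an assumed threshold.

```python
# Added example (not from the original post): the kind of check behind a
# "login alert" feature, run over constructed sample records (the IPs are
# RFC 5737 documentation addresses, not real hosts).
from datetime import datetime, timedelta

SAMPLE_LOGINS = [  # constructed sample data
    {"user": "alice", "ts": "2023-05-01T09:00:00", "ip": "203.0.113.5",
     "country": "GB", "device": "Firefox/Linux"},
    {"user": "alice", "ts": "2023-05-01T09:30:00", "ip": "203.0.113.5",
     "country": "GB", "device": "Firefox/Linux"},
    {"user": "alice", "ts": "2023-05-01T10:00:00", "ip": "198.51.100.7",
     "country": "BR", "device": "Chrome/Android"},
    {"user": "bob", "ts": "2023-05-01T08:00:00", "ip": "192.0.2.10",
     "country": "US", "device": "Safari/iOS"},
    {"user": "bob", "ts": "2023-05-01T12:00:00", "ip": "192.0.2.10",
     "country": "US", "device": "Safari/iOS"},
    {"user": "carol", "ts": "2023-05-01T08:00:00", "ip": "192.0.2.20",
     "country": "US", "device": "Edge/Windows"},
    {"user": "carol", "ts": "2023-05-01T20:00:00", "ip": "203.0.113.9",
     "country": "FR", "device": "Edge/Windows"},
]


def detect_suspicious_logins(records, travel_window=timedelta(hours=2)):
    """Return (user, reason, timestamp) alerts.

    new_context: a (country, device) pair this user has never logged in with.
    impossible_travel: a different country from the previous login, less than
    `travel_window` apart. The first login of each user only seeds history.
    """
    history = {}  # user -> list of (timestamp, country, device)
    alerts = []
    for rec in sorted(records, key=lambda r: r["ts"]):  # ISO strings sort in time order
        ts = datetime.fromisoformat(rec["ts"])
        context = (rec["country"], rec["device"])
        prev = history.setdefault(rec["user"], [])
        if prev:
            if context not in {(p[1], p[2]) for p in prev}:
                alerts.append((rec["user"], "new_context", rec["ts"]))
            last_ts, last_country, _ = prev[-1]
            if last_country != rec["country"] and ts - last_ts < travel_window:
                alerts.append((rec["user"], "impossible_travel", rec["ts"]))
        prev.append((ts, rec["country"], rec["device"]))
    return alerts


if __name__ == "__main__":
    for user, reason, when in detect_suspicious_logins(SAMPLE_LOGINS):
        print(f"ALERT {user}: {reason} at {when}")
```

In the sample, alice triggers both alerts (a new device from a new country half an hour after a login from GB), carol triggers only the new-context alert because twelve hours is enough to travel, and bob triggers nothing.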
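Have I Been Pwned also publishes a Pwned Passwords service that lets a site check a candidate password against known breach data without ever receiving the password: the client sends only the first five hex characters of the password's SHA-1 hash and matches the rest locally (the k-anonymity range API). The code below is an added example, not the post's or HIBP's own code; `query_range` performs the real request, while `fake_fetch` is a constructed stand-in with a made-up count so the demonstration runs offline.

```python
# Added example (not from the original post): checking a password against the
# Have I Been Pwned "Pwned Passwords" range API using its k-anonymity model,
# so the password itself never leaves the machine. Only the first five hex
# characters of its SHA-1 are sent; the matching is done locally.
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password: str) -> tuple:
    """Return (5-char prefix sent to the API, 35-char suffix kept locally)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_response(suffix: str, response_text: str) -> int:
    """Parse 'SUFFIX:COUNT' lines; return the breach count for our suffix
    (0 if it is absent, i.e. the password was not found)."""
    for line in response_text.splitlines():
        line = line.strip()
        if not line:
            continue
        found, _, count = line.partition(":")
        if found.upper() == suffix:
            return int(count)
    return 0


def query_range(prefix: str, timeout: float = 10.0) -> str:
    """Real network lookup (not used by the offline demo below)."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "password-check-example"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch=query_range) -> int:
    """Number of times the password appears in breach data (0 = not found)."""
    prefix, suffix = split_hash(password)
    return count_in_response(suffix, fetch(prefix))


def fake_fetch(prefix: str) -> str:
    """Constructed stand-in for the API response: lists the suffix of
    SHA-1("password") with a made-up count, plus one unrelated entry."""
    _, pw_suffix = split_hash("password")
    return f"{pw_suffix}:3730471\r\n" + "0" * 35 + ":2\r\n"


if __name__ == "__main__":
    for candidate in ("password", "Velvet-Otter!Drinks7Tea"):
        print(candidate, "->", breach_count(candidate, fake_fetch), "breach hits (demo data)")
```

Because the server only ever sees a five-character prefix shared by hundreds of hashes, it cannot tell which password was checked; this is the property that makes such a lookup safe to build into a signup form, unlike the "test your password" sites warned about later in the post.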
Use a Different Password for Each Account You Have
If you use the same password on all your accounts and it is exposed in a security breach, you will have a nightmare on your hands. Do not reuse passwords, even rock-solid ones, as this prevents one breach from compromising all your accounts.
Bear in mind that changing a single character in a password does not solve the problem of that password having been compromised in a breach. It is also extremely unsafe to change your password following a predictable pattern (password1, password2, etc.).
Going Beyond Passwords
Strong passwords are important, but they may not always be sufficient to keep your information and accounts secure. Breaches and leaks are a huge problem, and there are extra steps one can take to reduce the risk of data exposure.
Multi-Factor Authentication (MFA, 2FA)
MFA, also known as two-factor authentication, adds an additional authentication method on top of the password. The second factor can be a person's smartphone (using an app), a smart card, a U2F key, or the person's biometrics.
The most common method is one-time codes, which can be sent via text message or generated by an application on one's smartphone.
2FA has become the de facto standard for account protection: even if your password is compromised, you are still protected by the second layer of security. Many websites now require it to log in securely to your account.
SMS is another way to receive 2FA codes, but cybercriminals have ways to intercept these messages. That is why 2FA applications are the safer option.
If you only have a few online accounts, remembering the secure passwords you created is not hard. But these days you will have a large number of accounts, and remembering all of those secure passwords becomes difficult. The solution is a password manager.
A password manager can be thought of as a virtual safe protected by a master password. That master password should itself be strong, so keep in mind what was suggested in the earlier sections of this post, and multi-factor authentication should also be set up for it.
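The codes an authenticator app shows are computed, not sent: app and server share a secret and both derive the current code from it and the clock. Here is an added example of that scheme (HOTP from RFC 4226 and TOTP from RFC 6238) together with the server-side check that tolerates a little clock drift but refuses to accept the same code twice. This is not code from the post; the secret in the usage block is the RFC test-vector secret, and the `last_counter` replay guard is the state a real server would persist per user.

```python
# Added example (not from the original post): the code generator behind
# authenticator apps (HOTP, RFC 4226; TOTP, RFC 6238) plus the server-side
# verification that accepts a small clock drift and rejects replay of a code
# that was already used. The secret used at the bottom is the RFC test vector.
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 of the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float = None, step: int = 30, digits: int = 6) -> str:
    """HOTP with the counter derived from the clock (default 30 s steps)."""
    now = time.time() if at is None else at
    return hotp(secret, int(now // step), digits)


def verify_totp(secret: bytes, code: str, at: float = None, step: int = 30,
                digits: int = 6, window: int = 1, last_counter: int = -1):
    """Return the matched counter, or None. Accept `window` steps of drift on
    either side, but never a counter <= last_counter, so a code that was
    already used cannot be replayed within its validity period."""
    now = time.time() if at is None else at
    base = int(now // step)
    for drift in range(-window, window + 1):
        counter = base + drift
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


def new_secret() -> str:
    """Random 160-bit secret, base32 encoded as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(20)).decode("ascii")


def decode_secret(b32: str) -> bytes:
    return base64.b32decode(b32.upper() + "=" * (-len(b32) % 8))


if __name__ == "__main__":
    rfc_secret = b"12345678901234567890"  # RFC 4226 / 6238 test-vector secret
    print("HOTP counter 0:", hotp(rfc_secret, 0))            # 755224
    print("TOTP at t=59 (8 digits):", totp(rfc_secret, 59, digits=8))  # 94287082
    used = verify_totp(rfc_secret, "94287082", at=84, digits=8)
    print("accepted counter:", used)
    print("replay accepted?", verify_totp(rfc_secret, "94287082", at=84,
                                          digits=8, last_counter=used) is not None)
    print("fresh secret for enrolment:", new_secret())
```

The replay guard is the detail most often missed: a TOTP code is valid for up to three 30-second steps with a window of one, so a server that does not remember the last accepted counter will accept a code captured in transit for as long as a minute.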
To further enhance the security of your passwords, encryption plugins can be used with some password managers.
Lastly, many password managers also offer custom password generation options (number and character types).
After reading the previous sections, you might question how useful security questions are when used to change a password or verify your identity. This concern is justified, as these questions carry the same risk as a password containing personal information.
If possible, create custom security questions. The advantage is that you can use knowledge nobody else will know, even if they dig into your social media accounts.
How to Determine if a Website is Trustworthy
Being careful about which websites you entrust with your sensitive information is an important safety measure, which sadly is easier said than done.
It is genuinely difficult to know, when you enter your account details into a website, how the credentials are stored or what other security issues the site might have.
There are a few warning signs that suggest a site is not trustworthy:
- The site has no contact information.
- The site has no SSL certificate (the URL starts with http rather than https).
You might also want to check whether a site has fallen victim to security breaches in the past and what has been done to ensure the issue does not recur.
Lastly, any website claiming to “test” the strength of your password should be avoided, as you cannot guarantee that the tested passwords are not saved or stored by the site.
With computers becoming more powerful every day, data leaks and breaches are becoming all the more common.
Security measures and best practices need to evolve to try to stay one step ahead of the bad guys.
In the future, passwords will be replaced by password-less means of identification, but for now vigilance is key to keeping your accounts and personal data safe from the bad guys.
If you are looking for an affordable password management solution, reach out to us at [email protected] and we can work with you to improve your security posture when it comes to credentials.