Security 101: Passwords

“Have you used a strong password for that?”

This is something the people I work with have become accustomed to me asking every time we need to set up a new account for anything work related.

It’s become something of a private joke in the office, but there’s a really good reason for my insistence. Good passwords are important, so let me explain why.

People are always looking for simplicity and ease. You want to get on with checking your email, buying that latest book on Amazon, or getting your fix of Breaking Bad on Netflix; having to stop and remember your username and password is a pain and gets in your way.

This leads to people choosing passwords that are simple to remember and simple to type. Get it done and move on. Unfortunately, this behaviour is lazy and leads to two of the biggest issues with our current approach to online security:

Simple passwords and password reuse

Let’s tackle simple passwords first. Three of the most frequently used passwords on the internet today are “123456”, “12345678” and “Password”. A quick Google for “common passwords” [https://www.google.co.uk/search?q=common+passwords] returns many lists of the most prevalent, terrible passwords out there.

The reason this is such a problem is that passwords that are easy to guess make it incredibly easy to compromise accounts – your Gmail or Facebook account, for example. I frequently hear “Oh, my Facebook account was hacked” when in reality they had a simple password in place and someone guessed it!

A more frightening example of this was when HBGary was ‘hacked’. The entry point for this attack was simply that someone knew the email address and guessed his password. They then proceeded to email someone senior in IT from his account, saying they’d forgotten the details to log into the database server and asking whether he could send them again. This was complied with, and bingo – they had the keys to the kingdom! There are several security failures in this process, but arguably none of this would have happened if the initial password had been un-guessable.

Now to the second issue: password reuse.

There have been many high profile security breaches recently: Sony’s PlayStation Network, Adobe’s online accounts and, of course, the recent eBay leak. Combined, these have put hundreds of millions of private records onto the internet for anyone to view, if you know where to look.

You can check whether your details have ended up in the publicly released data here: https://haveibeenpwned.com. This site is operated by a security specialist; it doesn’t contain the leaked passwords, and it doesn’t store your details when you search unless you ask to be notified of any future breaches.

One of the outcomes of analysing this data is that email addresses that appeared in multiple breaches often used the same password for each account. This means that if I had that data, I could conceivably try the email and password combination against other popular websites. Knowing a username and password combination from a breach such as Adobe or Sony doesn’t seem like the end of the world, but it’s not beyond the realm of possibility that those same values will now log me into that user’s account on Amazon or PayPal…

So what can you do to help mitigate this? After all, you aren’t in control of the data once you’ve created your account, and you’re not the one responsible when a company is breached. The simplest thing you can do is get a password manager, something like OnePass or LastPass (personally, I use LastPass and I think it’s great).

So what does a password manager do for you? It allows you to generate really good, strong, unique passwords for every website you use. It makes using complicated passwords trivial for the many, many sites that people now visit daily, as it will fill in the fields for you when you’re asked to log in. All you need to do now is have one good, strong password for the password manager itself and let it take care of the rest.

I was initially resistant to using a password manager, as I always used a fairly strong password and tried to make them relatively unique, but as more and more websites are being compromised, I decided to make the change. I’m now not only more secure, I’ve also made my life a tiny bit easier – which is nice.
