What’s the Password?
Passwords are a crucial part of our day-to-day lives, and most businesses rely on passwords to protect their online data. It is difficult to keep track of all of the passwords which we need in order to get through each day, so in this blog we will examine how to select a password and how to store it securely. Our first top tip is not to use the word ‘password’, as that is currently the fourth most common password to be hacked, the top one being ‘123456’.
Does your organisation have a password policy? Do you tell staff how they should choose and save passwords? If not, now is the time to give some thought to this, as this is a clear risk to your business.
Hackers will not necessarily be targeting your business. They operate the same way as a criminal might, simply looking for opportunities, and if they are able to detect a vulnerability, they will naturally have a go to see whether there is an opportunity for them to benefit from that lapse in security. Login details and passwords are sold on the dark web routinely, and we have even heard of money-back guarantees for persons purchasing such data, i.e. if the buyer does not make the money back from using the details directly, the seller will refund the cost of the data.
First, one needs to understand how passwords are discovered, which can happen in a huge variety of ways, including:
- interception of a password whilst it travels over a network
- automated guessing, where a tool tries candidate passwords repeatedly until the password is discovered
- manual guessing, using information about you gathered from e.g. social media, such as the names of family members and pets
- stealing passwords seen online or offline
- data breaches
- password spraying, which entails trying a small number of commonly used passwords against a large number of accounts
- using devices which log keystrokes, e.g. on a PIN machine or a keyboard.
Your password policy needs to tell users:
- that they should avoid choosing obvious passwords (such as the name of a pet or child)
- not to use common passwords – and you might want to include a blacklist of prohibited passwords. It is easy to search online for commonly used passwords
- not to use a password which is being used anywhere else – you might think that your password is not protecting any particularly valuable data for one app or site, but if that is discovered on that site, hackers will be likely to try it on other, more sensitive, sites or apps
- where and how users should store and retrieve their passwords (e.g. in a sealed envelope in a secure cupboard or safe or by using password management software)
- which passwords must not be written down, emphasising that these need to be memorised.
Also consider whether users should be locked out from accounts after a certain number of login attempts have failed (such as 5). The advice from the National Cyber Security Centre is currently that users should not be required to change their passwords on a routine basis (such as every 3 months), but rather that passwords should only be changed if there is a suspicion or actual compromise of the password.
Passwords should be at least 8 characters in length, and no maximum password length should be imposed. It is good practice to use a combination of numbers, upper case and lower case letters and symbols in all passwords, as these are less likely to be discovered by other persons or by automated guessing.
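As an added illustration (not code from the original post), the Python below enforces the policy points above in one place: a blocklist of common passwords, a minimum of 8 characters with deliberately no upper cap, a check for obvious personal words, a character-mix rule, and an account lockout after 5 failed login attempts. The blocklist entries and account names are constructed sample values, and the "at least three of four character classes" rule is one reasonable reading of the mix advice, not a requirement the post states.

```python
from dataclasses import dataclass, field

# Constructed sample blocklist; a real deployment would load a much larger
# list of commonly used or breached passwords (see the post's advice above).
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "111111"}
MIN_LENGTH = 8           # policy minimum; deliberately no maximum length
MAX_FAILED_ATTEMPTS = 5  # lock the account after this many failures


def check_password_policy(candidate: str, personal_words=()) -> list:
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    lowered = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in COMMON_PASSWORDS:
        problems.append("on the blocklist of common passwords")
    # Obvious passwords: pet or family names etc. supplied by the user (assumed input)
    for word in personal_words:
        if word.lower() in lowered:
            problems.append(f"contains personal word '{word}'")
    classes = [any(c.islower() for c in candidate),
               any(c.isupper() for c in candidate),
               any(c.isdigit() for c in candidate),
               any(not c.isalnum() for c in candidate)]
    if sum(classes) < 3:
        problems.append("needs a mix of upper/lower case, digits and symbols")
    return problems


@dataclass
class LoginThrottle:
    """Tracks failed logins per account and locks after MAX_FAILED_ATTEMPTS."""
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def record_attempt(self, account: str, success: bool) -> str:
        # A locked account stays locked even if the next attempt is correct.
        if account in self.locked:
            return "locked"
        if success:
            self.failures.pop(account, None)  # successful login resets the counter
            return "ok"
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= MAX_FAILED_ATTEMPTS:
            self.locked.add(account)
            return "locked"
        return "failed"
```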
Make sure that you and your team understand these basic rules regarding passwords, and protect yourself and your organisation from exposure to risk online.