Last month you may have noticed Star Wars Day on the 4th of May (“May the Fourth be with you”) but you may have missed World Password Day which occurred a few days later. It’s on the first Thursday of May.
The original idea came from famed security researcher Mark Burnett. He encouraged people to institute their own “password day” once per year, where they would update all their accounts with a new, random password.
Humans being what they are, no one could really be bothered, and the idea remained dormant for the better part of a decade.
However, as businesses were hit harder by attackers, semiconductor giant Intel revived the idea in 2013 as part of its ongoing security initiatives, and the event has grown across the tech industry since.
Attacks on servers have been increasing year on year, as security companies and attackers constantly play catch-up with each other. One of the most alarming developments is ransomware, which encrypts your data until you pay a ransom. Ransomware often targets medium-sized businesses, medical institutions, charities and schools: organisations large enough to be worth extorting, but with significant points of weakness in their many non tech-savvy staff.
Whilst we would like everyone to use long random strings of characters, we have to be realistic about the social aspects and the need for convenience when using passwords. A move by some companies to automatically lock people out of systems unless they changed their passwords every 90 days ended up degrading security, as rushed employees often chose weaker passwords or recycled old ones. Password rules need to be pragmatic or people will not adhere to them.
Here are our top tips for passwords:
Passphrases not Passwords
Against brute-force attacks, the length of a password matters more than the complexity of its characters: every extra character multiplies the number of guesses an attacker has to try. So choose a password, or better a passphrase of several unrelated words, that is at least 16 characters long (most sites only ask for 8).
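To make the length-beats-complexity point concrete, here is a small added example (not code from the original article) that compares the brute-force search space of different password shapes and builds a random passphrase with Python's cryptographically secure `secrets` module. The 32-word list is constructed for illustration only; a real generator should draw from a published list such as EFF's 7,776-word long list, which gives about 12.9 bits per word.

```python
import math
import secrets

# Constructed word list for illustration only (32 words = exactly 5 bits per
# randomly chosen word). Use a published list such as EFF's long list in practice.
WORDS = [
    "anchor", "basket", "candle", "dragon", "ember", "falcon", "garden", "harbor",
    "island", "jigsaw", "kettle", "lantern", "marble", "nectar", "orbit", "pepper",
    "quartz", "ribbon", "saddle", "timber", "umbrella", "velvet", "walnut", "xenon",
    "yogurt", "zipper", "acorn", "bridge", "copper", "desert", "engine", "forest",
]


def search_space_bits(length: int, alphabet_size: int) -> float:
    """Bits an attacker must brute-force for a random password of `length`
    characters drawn uniformly from an alphabet of `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def passphrase_bits(word_count: int, wordlist_size: int) -> float:
    """Entropy of a passphrase whose words are chosen uniformly at random."""
    return word_count * math.log2(wordlist_size)


def make_passphrase(word_count: int, wordlist=WORDS, separator: str = "-") -> str:
    """Build a passphrase with the CSPRNG behind `secrets` (never the `random`
    module, whose output is predictable)."""
    return separator.join(secrets.choice(wordlist) for _ in range(word_count))


if __name__ == "__main__":
    # An 8-character password over all 95 printable ASCII characters ...
    print(f"8 chars, full keyboard : {search_space_bits(8, 95):.1f} bits")
    # ... is weaker than 16 lowercase letters, although it looks more complex.
    print(f"16 chars, lowercase    : {search_space_bits(16, 26):.1f} bits")
    # Six words from a 7,776-word list beat both and are far easier to remember.
    print(f"6 words, 7776-word list: {passphrase_bits(6, 7776):.1f} bits")
    print("sample passphrase:", make_passphrase(4))
```

The numbers only hold when the words or characters are actually chosen at random; a passphrase assembled from a favourite song lyric has far less entropy than the formula suggests.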
Mix Them Up
Mix Uppercase, Lowercase and special characters such as !# – but be aware that if you are travelling and have to use a foreign keyboard, you may not be able to find some characters like £.
Be Anti-Social
It is not just birthdays, but many people use pets names, cities, hobbies, bands and sports references that can be gleaned from their social media accounts. Use memorable words not associated with you or your institution.
Need to Know Basis
Restrict access and audit your users.
Accounts with fewer users are more secure and easier to investigate if there is a problem. Remember to remove the accounts of staff who have left the school, and only give top-level permissions to staff who need them. For example, on our websites we assign different permissions to administrators of the site and to editors, who only need limited access to do their work. Feel free to discuss this with us.
Different Passwords for Different Things
It is often reported that around 90% of people use the same five or fewer passwords for all their accounts. It is unrealistic to use a different password for every account without a password manager, but you should at least have different classes of passwords for different activities. It is not so bad if your Netflix account gets hacked, unless you use the same password for your bank: attackers routinely take passwords leaked from one site and try them on every other site they can think of. Naturally, have different passwords for personal and school accounts.
Single Passwords are Dying
Most in the tech industry think passwords on their own have reached the end of their shelf-life and that we will need more diversified approaches to security. Biometrics such as fingerprint and facial recognition are already becoming commonplace.
MFA – Multi Factor Authentication
Multi-factor authentication should be used wherever it is offered. Two-factor authentication (2FA) is the everyday form of it: for example, when you log into a website with your password and must also enter a passcode sent to, or generated on, your phone to continue. Even if your password leaks, an attacker who does not hold the second factor cannot get in.
Password Managers
You may already be using password managers such as Apple’s Keychain or Chrome’s inbuilt password manager.
Third party password managers can generate different, secure passwords for all your accounts, that you won’t have to remember as the password manager will handle them for you. Here are some of the most popular ones.
Act Now
It is always distressing to deal with a hacked computer or website: the panic of not knowing whether you have lost years of work or, even worse, exposed personal or financial details.
Replacing weak or reused passwords, and switching on multi-factor authentication wherever it is offered, is the best personal action you can take to reduce the risk of being hacked.
You can check the strength of your passwords at sites such as the following. Never type a password you actually use into a third-party website; test a password built the same way instead.
- https://howsecureismypassword.net/ (This tool estimates how long it would take a computer to crack the password.)
- https://www.experte.com/password-check (This tool estimates how long it would take a computer to crack the password. In addition, it checks whether the password has appeared in a past data leak.)
Change your weak passwords today, and we'll remind you again next World Password Day. #StaySafe
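A leak check can be done without handing the password to anyone. The Pwned Passwords range API accepts only the first five hex characters of the password's SHA-1 hash and returns every leaked suffix that shares that prefix, so the full hash is never sent (a k-anonymity lookup). The following is an added example, not the tools' own code, that implements the client side; the sample response is constructed here for offline illustration and is not real service output.

```python
import hashlib
import urllib.request

RANGE_API = "https://api.pwnedpasswords.com/range/"   # k-anonymity endpoint


def split_sha1(password: str) -> tuple:
    """Upper-case SHA-1 of the password, split into the 5-char prefix that is
    sent to the service and the 35-char suffix that never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str, suffix: str) -> int:
    """The service answers with one 'SUFFIX:COUNT' line per leaked hash sharing
    the prefix. Return the breach count for our suffix, or 0 if it is absent."""
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def pwned_count(password: str, timeout: float = 10) -> int:
    """Live lookup: only the 5-character prefix goes over the wire, so the
    service cannot recover the password. Needs network access."""
    prefix, suffix = split_sha1(password)
    req = urllib.request.Request(RANGE_API + prefix,
                                 headers={"User-Agent": "password-check-example"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = resp.read().decode("utf-8")
    return parse_range_response(body, suffix)


# Constructed sample response for prefix 5BAA6 (SHA-1 of "password" starts
# 5BAA6...). Real responses contain several hundred lines; counts are made up.
SAMPLE_RESPONSE = """\
1E2DC79D3ED7B0CFAEE5E2F3A9F6B0C0D99:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1E5A1C0F6E6D4B1A2C3D4E5F60718293A4B:1
"""

if __name__ == "__main__":
    prefix, suffix = split_sha1("password")
    print(f"prefix sent: {prefix}, leaked count in sample: "
          f"{parse_range_response(SAMPLE_RESPONSE, suffix)}")
```

Any non-zero count means the password is on attackers' wordlists and should be retired, however long it is.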
James Dolan
123ICT Websites & Product Development