05/12/2014

By Trey Ford, Global Security Strategist, Rapid7


Passwords are the first line of defence against cybercrime, and as we live so much of our lives online, we have become dependent on the password to keep our most private data secure. Passwords can be a point of serious frustration for users, as they’re required to secure access to hundreds of services and applications such as Facebook and Twitter.

The difficulty comes with trying to remember copious numbers of passwords. We already know it’s crucial to pick strong passwords, and that they must be different for each account, so how is it possible to remember so many different character and number combinations? The answer is that we don’t.

Most users opt for the easy route - using the same password for everything, and it’s likely that they adopt the same approach in the workplace. Using the same password for each account is like using the same key for your home, the office, and your car.

On top of this, users can be very laissez-faire when it comes to keeping those passwords secure - writing them on post-it notes, listing them on a sheet of paper on the desk, storing them in their phone’s address book, or even sharing them with colleagues.

Despite recent security breaches such as the iCloud hack, which compromised a number of celebrity passwords, passwords are still the fail-safe option, and possibly the most dependable form of security when it comes to providing a manageable, enforceable control for all users.

The Importance of Passwords
Passwords form the most basic level of protection for the information you are storing online, be it your personal Facebook account, your online banking site, or your business email. While it is tempting to make your password simple and easy to remember, or write it down so as not to forget, it is important to remember why we have them in the first place! Using secure passwords is an important step to making your personal data and online identity harder to compromise.

Once attackers have your password, they have access to your account and any information stored in it. From there, they can do any number of things, and what was intended as a form of protection could become a threat in itself. For example, if you use the same password across multiple sites, once an attacker has compromised your information on an unimportant one, they can turn around and use it on a site of high importance and value.

You may use different passwords, but the same security questions. Hackers can very easily find the information for your security questions and initiate a fake “change password” request using your information and ultimately lock you out of your own accounts.

Creating long, complex passwords that are unique for every service you use is a challenge, and remembering them all is an even bigger challenge. However, easy-to-remember passwords are also easy to crack, making it easy for cyber criminals to steal your identity.

How do I manage strong passwords?
Data breaches may well be out of our control, but it's imperative to create passwords that can withstand the risks these breaches bring, and withstand those out to get their hands on our personal data. Securing against a potential attack is dependent on the complexity of your password.

There are a number of things you can do to reduce your risk and increase the protection offered by passwords.

· Make passwords long and complex. Ideally each of your passwords would be at least 16 characters, and contain a combination of numbers, symbols, uppercase letters, and lowercase letters. Shamefully, not all sites have enabled this yet, so it may not always be possible, but do it where you can. Try stringing unconnected words together and mixing up the letters, numbers and special characters to make them harder to guess.

· Don’t reuse passwords. It is very difficult to remember unique passwords across everything. You can tackle this by using something like KeePass, 1Password, LastPass, or countless others, which securely store your passwords. All you need to remember is the password for your password safe account. If you do reuse passwords across sites, be vigilant for any suspicious activity and, at the first sign of trouble, change the password on any other sites where it was used. If you recycle the same password and a hacker cracks one account, it could result in them accessing all accounts.

· Popular advice is to change passwords frequently. Yes, it’s a hassle, but if an attacker has gained access without you knowing, it stops them from being able to keep coming back over and over again, so do so at least annually, or any time you think about it.

· Enable two-factor authentication. Where possible, choose services that offer two-factor (sometimes called two-step) authentication and enable it. The way this typically works is that it combines something you know (your password) with something you have (e.g. a generated code sent to your phone) to provide a double layer of protection.

· Never use a default or provided password. Many devices and applications come with default passwords set up. You need to change these as soon as possible during your setup process. Using a default password is the same as using no password at all.
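As an added example (not code from the original article), the Python script below applies the rules above to a constructed sample password vault: it flags passwords shorter than 16 characters or missing one of the four character classes, rejects known default passwords, and reports which sites share a single password. The default-password list, the vault contents and the function names are all constructed for illustration.

```python
import hashlib
import string
from collections import defaultdict

# Constructed sample of vendor/default passwords (illustration only).
DEFAULT_PASSWORDS = {"admin", "password", "123456", "changeme", "default"}


def check_password(pw, min_len=16):
    """Return the list of rules a candidate password breaks, following the
    advice above: at least 16 characters, all four character classes,
    and never a default/provided password. An empty list means it passes."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no symbol")
    if pw.lower() in DEFAULT_PASSWORDS:
        problems.append("known default password")
    return problems


def find_reuse(vault):
    """vault maps site -> password. Sites are grouped by a SHA-256 digest of
    the password, so the report lists sites that share a password without
    repeating the password itself. Returns a list of sorted site groups."""
    by_digest = defaultdict(list)
    for site, pw in vault.items():
        by_digest[hashlib.sha256(pw.encode()).hexdigest()].append(site)
    return [sorted(sites) for sites in by_digest.values() if len(sites) > 1]


if __name__ == "__main__":
    # Constructed sample vault for demonstration.
    vault = {
        "mail": "Summer2014!",
        "bank": "Summer2014!",
        "social": "correct-Horse-battery-STAPLE-42!",
        "router": "admin",
    }
    for site, pw in vault.items():
        print(site, check_password(pw) or "ok")
    print("reused across:", find_reuse(vault))
```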