With 81% of company data breaches for companies in 2018 due to not using strong passwords, it’s increasingly important to take every step possible to stay safe when conducting transactions online.
But what exactly is a ‘strong’ password and what options are available to help ensure that your sensitive information remains secret and safe? Let’s explore further…
When we are asked to come up with a password, it will often involve something that is easy for us to remember – such as a string of words or numbers that mean something personal to us. These are ‘weak’ passwords that are often easy to guess for individuals attempting to gain access to your account or personal information.
A strong password is one that is difficult or impossible to guess. The best strong passwords are ones that are at least six characters long, combine upper-and lower-case letters, numbers, and do not hold any words that can be found in the dictionary or can be figured out by examining your social media profile.
Simply put, passwords are deployed to protect information or functionality that is personal to you or should not be available to the general public. Passwords are used on a number of different sites from personal email accounts, online banking details, private business logins, commercially sensitive file-sharing platforms, and much more.
A weak password means that a suitably motivated individual can access this information with ease and personally profit. At the lowest end of the scale, this means the inconvenience of having to update your personal passwords and site details. At the other, you can be at risk of losing significant savings from your account, be subject to fraud, or be personally responsible for data loss for your business.
While password creation and maintenance can be consuming, it is always worth remembering that it will involve a fraction of the time and stress involved with resolving a data breach or attempting to refund any money stolen from your account.
If you are personally responsible for keeping your information secure, it is essential that you deploy strong passwords and have a broad awareness of dos and don’ts when it comes to creating them.
Most people don’t do this at all - did you know that the top 5 most common passwords are:
(according to the UK's National Cyber Security Centre (NCSC) in 2019)
Not using 123456 as your work email's password? Great. But even then there is a good chance your passwords are not secure. Take a look at these examples.
A common trick for bypassing passwords is to use a ‘brute force’ hack. Depending on the setup of the system, intruders with access to your social media will apply your initials, that of relatives, or pet names. If it can be found in a book, it shouldn’t be in your password.
Never use the same password on multiple sites. If an intruder gains access to your account, their first port of call will be to try your login id and password with other accounts that are linked or could be attached to your account. In addition, never share your password with another friend or colleague as this will exponentially increase your risk of a breach.
While it may be possible to determine what your password is over time, changing it regularly will make it more difficult for others to guess it. It’s advisable to change your password at least once a month and use password tracker software to keep tabs on your new password. Never physically write your password down and, of course, sticking it onto your monitor or laptop with sticky notes should not happen!
Any good site will ask your to regularly change or verify your account password. Companies like Amazon or eBay will ask you to attach a mobile phone number to your account and send one-use passwords or verification or alert messages if a user with a new IP tries to access your account.
The need for higher online security has been taken seriously in the past years. In September 2019, new European regulatory requirement called Strong Customer Authentication (SCA) took effect. SCA’s purpose is to prevent and reduce fraud and make online payments more secure.
Ideally, most sites you use should enforce the creation of a strong password on their system. Ideally this should involve the following steps.
If this is not the case, we would always advise that you follow these steps anyway and make the extra effort to ensure that your online security is given top priority.
It is also worth using a password protector service such as KeePass to store your account information in one secure place. These often come with random key generators to help quickly and securely create high-strength passwords and prevent unwanted access to your personal and professional accounts.
Multi-Factor Authentication (MFA) is the new gold-standard for site security when you’re looking to keep your account passwords safe.
This a security system that asks anyone accessing your account for multiple unique credentials to prove exactly they are who they say they are. Depending on how you want to set it up, this can include push notifications to your mobile device, a request for fingerprint ID, or a unique additional security question. Smart devices such as iPhones have even started using facial recognition or the potential for retinal ID as an added plus.
One-time passwords are also an extra layer of security that can be implemented. If you want to learn more about how this can help, you can check out our recent blog on one-time passwords and find out how it can contribute to your personal security online.
If you want to keep your account secure online, applying MFA in combination with a strong approach to password security is a hugely helpful way to keep your personal information out of unwanted hands.
This means choosing regularly updated, long-form passwords that are created according to recognised best practice. It is also helpful to look into using MFA to keep your accounts secure and staying abreast of industry best practice, as the internet never stands still…and neither should you.
If you're developing an application and want to enforce MFA, please contact us at 10Duke.