We all know how important it is to have strong password management. Every time you’ve signed up for something new over the past decade or two there have been increasingly difficult requirements to meet: uppercase and lowercase letters in a password at least 8 characters long, a number chucked in somewhere (which normally means a 1 on the end), and now a special character too. That’ll be “1!” finishing off a password then?
These passwords are indeed more secure, depending on the method a hacker uses to try to break your password. If a hacker tries to brute force your password, which basically means trying every possible combination of characters really quickly until one of them works, it probably isn’t going to find a password such as “Nutbourne123!” (not one of our passwords, by the way!). However, if it were one of our passwords and someone were to guess at it rather than brute force it, they are much more likely to get it. Many people use their company’s name as part of their passwords, which is bad practice, as hackers are aware of this trend.
Trends are very easy to spot when you take a look at one of those “worst password” lists that are published every year. As we said, simply adding a 1 to the end of a word, your company name, or even your own name, is the most common. Others include runs of consecutive numbers going up or down, brand names, variations on “QWERTY” and the names of different sports, amongst many more.
With so many trends to avoid and just as many requirements to meet for your password security, how are you supposed to make a password secure whilst still keeping it memorable?
Making a secure, but memorable password
You may think this isn’t an issue because you can just write them down. Unfortunately, this greatly increases the security risk towards the account. It’s like leaving a key under your doormat. Don’t be surprised if someone gets in.
Luckily, we actually find it quite easy at Nutbourne to remember passwords that are a factor of millions harder to crack… and so can you. Each character you add to a password increases the entropy of the string, essentially multiplying the number of combinations an attacker has to try and making it harder to brute force. Every year, commercially available computers are getting faster and faster. If a hacker splashed out on a super-fast setup, even 8-letter passwords can be cracked within less than 3 months.
This is why we advocate for making a passphrase. This could be a few words, such as MarcusAeroplaneHotdog or CaptainHappyTownFace. These are much more memorable than complicated 8-character strings like P\x8Aq1$ and they take about the same amount of time to type! As an added bonus, any current machines trying to crack these would take approximately… until millions of millennia after the sun explodes. In other words, they’re not getting cracked.
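To put some numbers on the entropy argument above, here is a small Python script we have added to this post (it is not from the original article and is not a Nutbourne tool). It estimates the bits of entropy for a password two ways: the character-by-character count the paragraph describes, and the word-by-word count an attacker would use if they guessed whole dictionary words, which is the honest figure for a passphrase. It also shows how to pick passphrase words with a cryptographically secure random source. The word list and the guess rate are constructed for the demo; a real generator should draw from a large list such as the 7776-word Diceware or EFF lists.

```python
import math
import secrets

# Constructed toy word list for the demo only; a real passphrase generator
# should draw from a large published list (Diceware / EFF lists have 7776 words).
WORDS = [
    "marcus", "aeroplane", "hotdog", "captain", "happy", "town", "face",
    "uncle", "barbecue", "gates", "river", "copper", "lantern", "violet",
]
DICEWARE_SIZE = 7776   # size of a standard Diceware-style word list
ASCII_SYMBOLS = 33     # printable ASCII punctuation characters


def charset_size(password: str) -> int:
    """Size of the smallest obvious character set that covers the password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += ASCII_SYMBOLS
    return size


def brute_force_bits(password: str) -> float:
    """Entropy if the attacker has to try every combination character by character."""
    return len(password) * math.log2(charset_size(password))


def passphrase_bits(n_words: int, wordlist_size: int) -> float:
    """Entropy if the attacker knows the passphrase is whole words from a known list."""
    return n_words * math.log2(wordlist_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the secret: on average half the keyspace is searched."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def generate_passphrase(wordlist, n_words: int = 4) -> str:
    """Pick words with the secrets module (a CSPRNG), never the random module."""
    return "".join(secrets.choice(wordlist).capitalize() for _ in range(n_words))


if __name__ == "__main__":
    rate = 1e11  # hypothetical guess rate for a fast offline cracking rig
    # "P7q1$xZ!" is a constructed 8-character example, not a real password.
    for pw in ["P7q1$xZ!", "Nutbourne123!", "MarcusAeroplaneHotdog"]:
        bits = brute_force_bits(pw)
        days = expected_crack_seconds(bits, rate) / 86400
        print(f"{pw:24} {bits:6.1f} bits by character  ~{days:.3g} days")
    for n in (3, 4, 6):
        bits = passphrase_bits(n, DICEWARE_SIZE)
        days = expected_crack_seconds(bits, rate) / 86400
        print(f"{n} words from a {DICEWARE_SIZE}-word list: {bits:5.1f} bits  ~{days:.3g} days")
    print("fresh passphrase:", generate_passphrase(WORDS))
```

The two estimates for the same passphrase differ a lot: counted letter by letter, three capitalised words look enormous, but counted as three picks from a known list they come to under 40 bits. That is why the safe habit is four or more words from a big list, chosen at random rather than from things an attacker could guess about you.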
To make the most of this, you should be using a different password for every site/service you use. This limits the damage if one of them is compromised. If someone manages to get one of your passwords through phishing, hacking or otherwise, they won’t be able to access any of your other accounts if you’ve only used it in that one place.
Yes, this may make it a little difficult to make each password memorable, but there are plenty of tricks you could use to remember. Perhaps you could make use of something linked to the site. For example, if you need to make a password for a Microsoft account it could include the word “Gates” in reference to Bill Gates. UncleBarbecueGates?
2-Factor Authentication
Now, although we say that we advocate this structure for your passwords, this is only one line of defence. It does still leave you vulnerable to phishing/hacking attacks, even if the damage is limited to one site/service. To combat this, you can use 2-factor authentication (2FA). This means that when you log in you will receive a prompt to enter a second form of verification. This could be anything from a text message with a generated code, to biometric data like a fingerprint or facial recognition.
This can receive a lot of pushback, as some people see it as an inconvenience, but in reality it is a very quick process, with many different methods to achieve it. You can even set it so you only have to do it once when you sign in at the start of the day; perfect for SaaS solutions like O365 where you can access many services with one login. This should be a priority to introduce at your business if it is not in place already. Any inconvenience will be far outweighed by the added security it provides.
So, is 2FA the ultimate protection for passwords? We don’t think so. There’s still one more thing you should be considering for your organisation.
Password Manager
A password manager is a program that will generate massively complicated passwords for you, and you won’t have to remember a single one of them. It stores these in a safe, encrypted password vault and can then automatically fill them into sites for you. Obviously, you will need to enter a master password to access this vault, but again, that step could be replaced with a fingerprint or face recognition if you use a compatible mobile device.
We recommend using a cloud-based password manager so you can access your passwords whenever you need them. There’s no need to install anything or have a specific device with you to access passwords, which could be a real pain in some scenarios. Imagine if you lost the device or it broke down. You’d be locked out of all your accounts!
So, to recap:
- Activate 2-factor authentication for every service that you can.
- Use a different password for everything.
- Use a password manager to easily control several complicated passwords.
- If you don’t use a password manager, make sure you use strong, memorable passwords that cannot be brute forced.
Contact Nutbourne
So, if you’d like to find out more about our cybersecurity services or our work more generally as a London managed service provider, then get in touch! Contact Nutbourne today on +44 (0) 203 7273 or by filling out an enquiry form on our website.