Security 101 – Password Security
The humble computer password has been at the forefront of security practices since the very inception of the IT industry. Passwords have (arguably) proved the most effective method of securing information and validating the identity of a particular user.
However, many simple and sophisticated methods exist (e.g. Brute force attacks, Cross Site Scripting, SQL injections, Man-in-the-middle, Phishing, Social Engineering, Malware, just to name a few) that are commonly used to compromise or gain access to people’s passwords.
The creation and maintenance of a secure password is dependent on many factors. It relies on a combination of measures from both the user/client and the provider/server. A small weakness in any component on either side can lead to a vulnerability and potential attack or exposure.
Consequently, we have put together the Top 10 actions that people can do on the user side to increase the security of their passwords:
1. Always use a secure connection (SSL/https)
When signing up to a new site/application/service or logging in to an existing site, always check the page is using Secure Sockets Layer (SSL) or its successor, Transport Layer Security (TLS). SSL encrypts the information sent between a browser and a server. It essentially prevents any eavesdropping on or interception of user input, data or transmissions made over the connection. It is a secure method of protecting information (i.e. login, passwords, payment details, comments etc.) entered in a browser.
2. Be careful where you enter your password
There are many websites specifically set up to capture/steal your passwords. Some are made to look, feel and behave like legitimate websites. If you have any concerns about a website, do not submit any sort of password or personal information.
Additionally, avoid entering passwords into publicly accessible computers or mobile devices. These could be infected with malware designed to capture password information.
3. One password per application rule
Once a password has been uncovered on a less secure site, it is common practice for attackers to try that same password on other sites where the user may have an account. Using a different password for each site/application/account dramatically reduces your overall exposure should one of your passwords be discovered.
4. Character Length – 12 is good…16+ is better
A longer password exponentially increases the number of possible combinations an attacker would have to try in order to get it correct. The more combinations there are, the longer it takes to crack a password through brute force.
5. Character complexity
Similar to character length, utilizing a combination of letters, numbers, upper case, lower case, punctuation, special characters, symbols etc. also increases the number of possible combinations a password could take. Again, this means a significantly longer time to discover a password using brute force.
6. Passwords to avoid
Avoid passwords using words that can be found in the dictionary (to circumvent dictionary attacks), contain a sequence of letters or numbers (e.g. 1-2-3-4-5-6; p-q-r-s-t) or those that include personal information such as your date of birth/telephone number. Attackers know all of the commonly used passwords such as q-w-e-r-t-y and substitution tricks such as p-a-$-$-w-o-r-d.
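As an added illustration of rules 4 to 6 (this is example code, not part of the original post), the checker below estimates the keyspace an attacker must search from the length and character classes used, and flags the sequences, dictionary words and substitution tricks the rules describe. The word list, the assumed guessing rate and the class sizes are constructed assumptions, not figures from the post.

```python
import math
import re

# Constructed stand-in for a real dictionary / breached-password list (assumption).
COMMON_WORDS = {"password", "qwerty", "welcome", "letmein", "dragon", "monkey"}
# Undo the substitution tricks the post mentions (p-a-$-$-w-o-r-d -> password).
LEET = str.maketrans({"$": "s", "@": "a", "0": "o", "1": "i", "3": "e", "!": "i", "5": "s", "7": "t"})
# Character classes and the alphabet size each one adds (33 = printable ASCII punctuation and space).
CLASSES = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^a-zA-Z0-9]", 33))
GUESSES_PER_SECOND = 1e10  # assumed offline cracking rate, used only for the estimate


def charset_size(pw: str) -> int:
    """Alphabet size an attacker must search, inferred from the character classes present."""
    return sum(n for pattern, n in CLASSES if re.search(pattern, pw))


def has_sequence(pw: str, run: int = 4) -> bool:
    """True if `run` adjacent characters step by exactly +1 or -1 (1234, pqrs, dcba)."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - run + 1):
        diffs = {codes[j + 1] - codes[j] for j in range(i, i + run - 1)}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def dictionary_word(pw: str) -> bool:
    """True if the password is a known word once trailing digits and substitutions are undone."""
    base = re.sub(r"\d+$", "", pw.lower())  # password3 -> password (the "incrementing" habit)
    return base.translate(LEET) in COMMON_WORDS


def assess(pw: str) -> dict:
    """Apply rules 4-6: keyspace from length and complexity, plus the known-bad patterns."""
    problems = []
    if len(pw) < 12:  # the post's "12 is good" threshold
        problems.append("shorter than 12 characters")
    if has_sequence(pw):
        problems.append("contains an alphabetic or numeric sequence")
    if dictionary_word(pw):
        problems.append("dictionary word, even with substitutions")
    keyspace = charset_size(pw) ** len(pw) if pw else 0
    bits = math.log2(keyspace) if keyspace else 0.0
    # On average a brute-force search covers half the keyspace before hitting the password.
    crack_days = keyspace / 2 / GUESSES_PER_SECOND / 86400
    return {"entropy_bits": round(bits, 1), "crack_days": crack_days, "problems": problems}
```

Keyboard walks such as q-w-e-r-t-y are not arithmetic sequences, so they are caught by the word list rather than by has_sequence.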
7. Change passwords periodically
This is an interesting one. There are some benefits in changing your passwords regularly. However, an average internet user can have 40 or more accounts and passwords. Changing these monthly, for example, can be a burden and lead to practices such as incrementing, e.g. password1, password2, password3 and so on. A common-sense approach to the frequency of changes required will yield the best results.
8. Protect your devices against malware
Malware is a generic term that describes a wide variety of malicious software. Malware can be used by attackers to identify sensitive information on your devices such as passwords. There are many practices you can undertake to minimize the risk of a malware infection – anti-virus software, keeping browsers up-to-date, keeping your operating system up to date, not downloading suspicious files etc.
9. Store passwords securely
The reality is that password management is an individual thing. Some people can memorize all their necessary passwords and have their own unique algorithm for updating them. Others write all their passwords on a piece of paper or store them on a USB drive. Whatever your system, ensure your passwords are kept somewhere secure. A contingency plan is also necessary for things like “…I just spilled coffee over my password sheet and now I can’t read it”.
10. Ask your provider what security measures they have on password protection
OK, so your provider probably won’t give you specifics about what methods they use. However, their response may give you an indication of how seriously they take security. As mentioned previously, password protection and security is a shared responsibility between a user and their provider.
If you have any other tips to add to this list please let us know.