Passwords are just that: they let you pass a security check by proving knowledge of a secret. Just because a password has been used to gain entry, whether to a masonic lodge, a birthday party or an online email account, it does not mean the current possessor of the password is the actual owner of the account.
Passwords are handy for quick and easy access but not entirely secure: most people never change their passwords, and some use the very same one across many accounts.
A survey by the UK’s National Cyber Security Centre (NCSC) looked at the most common passwords belonging to accounts that had been breached (worldwide); the list of the top 25 begins as follows:
123456 (23m accounts)
123456789 (7.7m accounts)
qwerty (3m+ accounts)
password (3m+ accounts)
The survey also found that sports teams and the names Ashley, Michael, Daniel, Jessica and Charlie were used frequently; swear words are also pretty popular.
Using the same password over multiple accounts is not advisable: if a hacker or phishing party gets into your Gmail account with that one password, they will be able to access the rest of your online life, since the same password is being used for eBay, Amazon, your online banking…
Ian Levy, NCSC Technical Director, said in a statement:
“Password re-use is a major risk that can be avoided – nobody should protect sensitive data with something that can be guessed, like their first name, local football team or favorite band,”
“Using hard-to-guess passwords is a strong first step and we recommend combining three random but memorable words. Be creative and use words memorable to you, so people can’t guess your password,”
Try to use common words only you would know and then add special characters. You could start off with redskydawning and change it to r3dskyd4wning: the original password would have taken a single computer two years to crack using a multiple-word dictionary brute-force attack, while the amended password, with just two characters changed to numbers, would take the same machine 2 million years to crack.
Premier League football clubs and NFL team names were being used, as were the names of superhero characters, with Superman the most common. Days of the week did not get away lightly either, with Sunday being the most used, and August was the most used month.
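The practical counterpart to the survey findings above is a registration-time check that refuses the passwords on such a list together with their trivial disguises (a capital letter, a trailing year, digits swapped in for letters). The following is an added example, not code from the post or from the NCSC; the blocklist is a constructed sample built from the entries and names the post quotes, the 12-character minimum is an assumed policy value, and a real deployment would load the full breached-password list.

```python
import re

# Constructed sample blocklist: the NCSC entries and the names, superhero,
# day and month the post mentions. Load the full breached list in practice.
COMMON_PASSWORDS = {
    "123456", "123456789", "qwerty", "password",
    "ashley", "michael", "daniel", "jessica", "charlie",
    "superman", "sunday", "august",
}

# Reverse map for the usual letter-to-digit/symbol swaps, so that
# "p@ssw0rd" is screened as "password".
DELEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                        "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

MIN_LENGTH = 12  # assumed policy value for this example


def normalise_variants(password: str) -> set:
    """Return the forms of the password a blocklist check should consider."""
    lower = password.lower()
    stripped = re.sub(r"[^a-z]+$", "", lower)   # drop trailing "2019", "!", ...
    variants = {lower, stripped}
    variants |= {v.translate(DELEET) for v in (lower, stripped)}
    return {v for v in variants if v}


def screen_password(password: str, blocklist=COMMON_PASSWORDS,
                    min_length=MIN_LENGTH):
    """Return (accepted, reason). Blocklist variants are checked before
    length so that "P@ssw0rd1!" is rejected for the right reason."""
    for variant in normalise_variants(password):
        if variant in blocklist:
            return False, f"matches common password '{variant}'"
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["123456", "P@ssw0rd1!", "Jessica2019", "r3dskyd4wning"]:
        print(candidate, "->", screen_password(candidate))
```

The normalisation deliberately runs in both directions from the raw string: the digit-only entries match as typed, while "Jessica2019" is caught once its trailing digits are removed and "P@ssw0rd1!" once its substitutions are undone.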
Ideally, we should be using a different password for every account we log into. This is OK for a handful of accounts (remembering the username too), but once the list of passwords becomes extensive it can be hard to keep up with them all. This is where a password manager comes into play; there are many available, some free, some requiring a subscription.
I use LastPass personally; there are internet browser extensions as well as dedicated apps available for mobile phones and smart devices, with the passwords being stored in an encrypted format, and there is a master password for the manager if you should get locked out.
When registering for an online account, LastPass can auto-generate a secure password using alphanumeric and special characters; it then saves the credentials, including the username and secure password, which can be called upon as required across your devices (with an active internet connection).
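What a manager's generator does under the hood, and the NCSC's "three random words" advice quoted earlier, both come down to drawing from a cryptographically secure random source and knowing how much entropy the result carries. The block below is an added example, not LastPass code or anything the post supplies: the symbol set is an assumption chosen to avoid characters some sites reject, and the word list is a constructed sixteen-word sample standing in for a real list of thousands of words.

```python
import math
import secrets
import string

# Character classes a generated password must cover; the symbol set is an
# assumption for this example.
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!#$%&*+-=?@^_"
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS


def generate_password(length: int = 20) -> str:
    """Random password drawn with the secrets module (a CSPRNG, unlike
    random.choice), resampled until every character class is present."""
    if length < 4:
        raise ValueError("need at least four characters to cover all classes")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c in LOWER for c in pw) and any(c in UPPER for c in pw)
                and any(c in DIGITS for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw


# Constructed word list for the passphrase variant; a real one would have
# thousands of entries.
WORDS = ["red", "sky", "dawning", "copper", "lantern", "quiet", "harbour",
         "velvet", "tundra", "orbit", "cactus", "meadow", "glacier", "signal",
         "pepper", "walnut"]


def generate_passphrase(words: int = 3, wordlist=WORDS) -> str:
    """NCSC-style 'three random words', each chosen with secrets.choice."""
    return "".join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(length: int, choices: int) -> float:
    """Entropy of `length` independent uniform picks from `choices` options.
    For generate_password this is an upper bound: rejecting draws that miss
    a class removes a negligible fraction of the space."""
    return length * math.log2(choices)


if __name__ == "__main__":
    print(generate_password(), f"~{entropy_bits(20, len(ALPHABET)):.1f} bits")
    print(generate_passphrase(),
          f"~{entropy_bits(3, len(WORDS)):.1f} bits with a {len(WORDS)}-word list")
```

The entropy figure is where the two approaches meet: three words from a sixteen-word list give only 12 bits, which is why the word list behind a passphrase generator matters as much as the randomness, whereas twenty characters from a 75-symbol alphabet give well over 120 bits regardless of which characters happen to be drawn.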
There are some hardware keys available too. Whatever system is used, you should make sure to change your passwords occasionally, as breaches of usernames with their corresponding passwords are made public online from time to time and are then offered for sale to scammers.
You should also think about integrating a Two-Factor Authentication (2FA) security policy; apps are available for computers and mobiles, such as Google Authenticator, Authy and others.
The software displays ‘tokens’, a set of characters or numbers, based on a time-based one-time password algorithm. Initially you scan a QR code or enter a 2FA seed in plain text; after setting up and entering the newly created key, there is only a certain amount of time before the key changes, as it is time-based and uses advanced algorithms including your hardware device ID as well as some other details.
If a scammer gets your username and password right, they will still not be able to proceed without the 2FA code. Two-factor authentication is offered by most online services, including Gmail, Amazon, Facebook and some financial services.
Be sure to back up your initial 2FA access codes for each new account you set up. If you lose the device the software is installed on (a mobile phone, laptop or tablet), you will then be able to restore your 2FA tokens on another device, at least enabling secure access to your different accounts.
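The enrolment, code display, server-side check and backup codes described in the last few paragraphs can all be shown end to end in a few dozen lines. The block below is an added example, not code from Google Authenticator, Authy or the post: it implements the standard time-based one-time password algorithm (RFC 6238, built on the HOTP construction of RFC 4226), in which the six-digit code is an HMAC-SHA1 of the current 30-second time step under the seed shared at enrolment, so the seed and the clock are the only inputs. The seed used is the RFC's published test-vector value, not a real one, the account name and issuer in the provisioning URI are constructed, and the backup-code scheme (eight-digit codes stored only as SHA-256 hashes) is one common design rather than any particular service's.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

# Constructed enrolment seed: the RFC 6238 test-vector secret, not a real one.
# The QR code or "seed in plain text" shown at setup carries this value,
# conventionally base32-encoded.
SEED = b"12345678901234567890"
STEP = 30      # seconds per time step
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 of the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float = None, step: int = STEP) -> str:
    """RFC 6238: HOTP over the Unix-time step counter. Only the shared seed
    and the clock go into the code, which is why a lost device can be
    replaced by re-entering the backed-up seed elsewhere."""
    at = time.time() if at is None else at
    return hotp(secret, int(at) // step)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI of the kind encoded in the enrolment QR code."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}"


class TotpVerifier:
    """Server side: accept one step of clock skew either way, but never a
    counter at or below the last one used, so a code captured by a scammer
    cannot be replayed inside its window."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret, self.window, self.last_counter = secret, window, -1

    def verify(self, code: str, at: float = None) -> bool:
        at = time.time() if at is None else at
        counter = int(at) // STEP
        for candidate in range(counter - self.window, counter + self.window + 1):
            if candidate > self.last_counter and hmac.compare_digest(
                    hotp(self.secret, candidate), code):
                self.last_counter = candidate
                return True
        return False


def issue_backup_codes(count: int = 10):
    """Return (plain codes to show the user once, hashes to store)."""
    plain = [f"{secrets.randbelow(10 ** 8):08d}" for _ in range(count)]
    hashes = {hashlib.sha256(c.encode()).hexdigest() for c in plain}
    return plain, hashes


def redeem_backup_code(hashes: set, code: str) -> bool:
    """Consume a recovery code: each one works exactly once."""
    digest = hashlib.sha256(code.encode()).hexdigest()
    if digest in hashes:
        hashes.remove(digest)
        return True
    return False


if __name__ == "__main__":
    print(provisioning_uri(SEED, "alice@example.com", "ExampleCorp"))
    print("code at t=59:", totp(SEED, 59))     # RFC 6238 vector: 287082
    print("code now:    ", totp(SEED))
    plain, stored = issue_backup_codes(3)
    print("backup codes:", plain, "->", redeem_backup_code(stored, plain[0]))
```

Two details in the verifier are the ones practitioners most often get wrong: the comparison uses hmac.compare_digest rather than ==, and the last accepted counter is remembered so that the same code cannot be submitted twice even though the skew window would otherwise still accept it.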
We will talk about 2FA in more detail in time.
For now, perhaps have a think about securing your passwords, and definitely change them if they are the same across multiple accounts. I hope this info helps to secure your daily personal and working environments.