World Password Day

Passwords can often feel like the bane of our existence. They're necessary for practically every app, website, and device we engage with, demanding our constant attention and memory. Managing the multitude of passwords required for our daily routines can be overwhelming. And this is why we are all guilty of not managing passwords properly. 

‍

In fact, a recent report from Keeper Security revealed a concerning statistic that 75% of individuals worldwide neglect widely recommended password best practices. Shockingly, 64% either resort to weak passwords or recycle variations of passwords, leaving their online accounts vulnerable. 

‍

Let's not dwell too heavily on the negatives. Instead, let's explore how we can promote improved password management without feeling overwhelmed. 

‍

What Makes a Password Weak?

A password is a crucial component in safeguarding our online security and protecting our sensitive information. However, not all passwords are created equal, and it is essential to understand the characteristics that make a password weak. 

‍

In this section, we will explore the various factors that contribute to weak passwords, such as simplicity, predictability, common usage, and lack of complexity. By recognising these weaknesses, we can take proactive steps to enhance our password strength and fortify our digital defences.

‍

Using Personal Info - Using personal information as passwords poses a significant security risk. When individuals utilise readily accessible personal details such as their birthdate, address, or name as passwords, they make it easier for cybercriminals to guess and access their accounts. The ease of guessing these passwords is alarming, considering how much personal information is now available on social media platforms. Consequently, using personal information substantially increases the likelihood of unauthorised access and theft of sensitive data.

‍

Using the Same Password on Every Site - Using the same password on every site poses several significant risks and can have severe consequences. One of the major risks is that if a hacker manages to crack your password on one site, they can then gain access to all of your other accounts where you have used the same password. This is especially dangerous if you have important accounts, such as online banking or email, as the hacker can gain control over multiple aspects of your life with just one password.

‍

The consequences of password reuse can be devastating. Once a password is cracked, it might be sold on the dark web, where other hackers can purchase it and attempt to access your other accounts. This leaves you incredibly vulnerable and increases the chances of falling victim to cybercrimes, such as identity theft or financial fraud.

‍

Writing it down - Writing down passwords can pose potential risks for security. Firstly, if someone gains access to the physical location where the passwords are stored, such as a notebook or a piece of paper, they can easily obtain the passwords and potentially misuse them. This could lead to unauthorised access to personal accounts, sensitive information, or even financial loss. Additionally, if the written passwords are not kept in a secure and confidential place, they can be misplaced, lost, or accidentally disclosed to unauthorised individuals.

‍

Ways to Create Secure Passwords

Creating secure passwords is essential in today’s digital age. With an increasing number of online accounts and the prevalence of cybercrime, it is crucial to take steps to protect our personal information and safeguard our online presence. In this article, we will explore various ways to create secure passwords that are difficult for hackers to crack. By implementing these strategies, individuals can enhance the security of their digital assets and reduce the risk of falling victim to password-related attacks.

‍

String Together Nonsensical Phrases - Stringing together nonsensical phrases can greatly enhance the strength of your passwords and increase your overall security. Using random words that have no logical connection to each other makes it significantly harder for hackers to guess or crack your password. Unlike common dictionary words or easily-guessed phrases, nonsensical phrases provide an added layer of complexity that is crucial in deterring malicious attacks.

‍

The process of creating a stronger password using three or more random words is fairly straightforward. Start by selecting words that have no personal or logical meaning or connection. For instance, you could choose words like “purple,” “elephant,” and “raindrops.” Then, simply string them together in any order you prefer, such as “raindropspurpleelephant” or “purpleelephantraindrops.” This method ensures that your password is not easily guessable by hackers using common wordlists or dictionary-based attacks.

‍

Use a Mixture of Characters - Using a mixture of characters in passwords is crucial for enhancing security. When creating a password, it is important to combine upper and lower-case letters, numbers, and special characters. This practice significantly reduces the vulnerability of passwords to hacking attempts and enhances overall account security.

What Our Team Had to Say:

‍

In honour of World Password Day, we asked our team members to share their thoughts and tips on password security. Here’s what they had to say:

‍

Chris Burton - Head of Professional Services; “Companies can encourage their staff to manage passwords better through education and technology. Continuously educating the user base on a good password is only half of the equation. When a new password is required, People will likely choose the easiest path, for example, so where a password was previously ‘Password24’, it’s likely that ‘Password25’ will be the first choice. This can sometimes be prevented by providing a password manager; this can take the choice away and generate a unique random password for a user. Along with password managers, companies should enable multi-factor authentication anywhere they can; this provides additional security for when a weak password is selected as it will also require a unique passcode, which is refreshed every 30 to 60 seconds.”

‍

Elly Beal - Cyber Essentials Assessor; “Companies could encourage employees to use ‘secure’ passwords by providing guidance and materials to support their password choices. A good reference for password guidance would be the NCSC ‘Three Random Words’. The use of password managers help to avoid employees storing passwords on paper or in unsecure notepads on their devices.”

‍

Ian Nicholson - Head of Incident Response; “World Password Day should be an excellent reminder of the essential role that strong, secure passwords play in protecting our digital identities and company data. As we are increasingly required to rely on online services, the strength of our passwords becomes crucial in defending against unauthorised access and cyber threats. A great place to start is by using complex, unique passwords for online accounts (think 3 words), and businesses should consider using a password manager to allow employees to maintain and organise them securely. Additionally, supplementing passwords with multi-factor authentication can significantly enhance security measures.

‍

To effectively manage employee passwords, companies should at the very least consider the following:

• Implement Strong Password Policies: Enforce and monitor the use of complex passwords that are changed periodically.
• Promote Password Managers: Encourage employees to use password managers to securely store and manage their credentials.
• Require Multi-Factor Authentication (MFA): Add an extra layer of security by implementing MFA across all sensitive systems.
• Educate Employees: Regularly conduct training sessions to emphasise the importance of secure password practices and how to identify security threats.
• Conduct Regular Audits: Perform frequent security audits to ensure compliance with password policies and identify areas for improvement.”

‍

Josh Hickling - Principal Consultant; “It should be on companies to provide the tools for employees to manage passwords effectively, and password managers are a great way of doing that. They should encourage employees to adopt a culture of passphrases, using a password manager to select at a minimum of three, unrelated words that are different for every service.

‍

This provides two layers of protection to both a company and the employee; Passwords won’t be reused, so if one system is compromised, the breach would be localised, thus, limiting access to potentially sensitive data. Secondly, they have the added benefit that even if password hashes are leaked, the likelihood they are going to be cracked is significantly lower than if they use a predictable password. Ultimately, for something that is extremely low in terms of effort to implement, provides a great benefit in terms of the observed cyber resilience against targeted attacks.”

‍

Nathan Dove - Managing Consultant; “Password managers are essential tools for securely managing and storing credentials, empowering individuals to use strong and unique passwords across all their accounts. While some employees may initially resist changes in IT processes, I would personally pose to these individuals that password managers actually make life easier! These tools can automatically generate complex passwords for new accounts and streamline the login process by allowing you to simply copy and paste stored credentials instead of typing them out manually. Some even support an autofill feature, meaning you don’t even have to click a single button to login to some of your applications.”

‍

For more of our advice on password security and management, have a read through some of our other blogs:

https://www.pentestpeople.com/blog-posts/beyond-passwords

https://www.pentestpeople.com/blog-posts/the-one-thing-youre-forgetting-in-your-cyber-security-routine-a-password-manager

https://www.pentestpeople.com/blog-posts/ultimate-guide-to-office-security-protect-your-employees

‍