17th January '18
If there’s one thing that I’m sure most people would say is a necessary inconvenience, it would be the good old-fashioned password.
Since the dawn of computing, people have been using passwords to restrict access to their important systems, but as time passes by this basic security mechanism has become increasingly long in the tooth, and several recent high-profile exposés of its weaknesses have done it no favours – yet they’re so entrenched in everything that we do on our computers, they’re unlikely to go away any time soon.
So, what can be done?
Before we can go into that, we need to understand what’s wrong with them – or, more accurately, what is wrong with the way that passwords are used by most people:
We’d be willing to wager that anyone reading this article is, or has been, guilty of re-using the same password in multiple places. We’ve certainly been guilty of this in the past. Many people have a “system” whereby they use a different password based on the perceived “value” of the resource to them – so, they may use a good, strong password for their banking services, but a weaker, easier to remember password for social media or ecommerce websites.
However, the truth is that re-using a password even once means you may as well be handing access to every account that shares it to any sufficiently determined hacker. That password may already have been compromised: even if you have never been hacked or caught a virus, if any website where you used that combination has been breached, those credentials are available to anyone who knows where to look – and the sophisticated “botnets” that continually crawl other websites attempting to log in with stolen details certainly do know.
You can check if your email address or login username has been compromised in any public data breaches at Troy Hunt’s excellent website haveibeenpwned.com – most people will almost certainly be listed in this database at least once!
There are a lot of misconceptions surrounding password strength. Often you’ll see advice saying that you should use uppercase letters, lowercase letters, symbols and numbers all in the same password – and although there is some truth to this, the key element to a strong password is simple – length.
The longer a password is, the harder it is for a computer to crack. Even a simple phrase made up of a few unrelated words can be a strong password (the classic example is “correct horse battery staple”), although if you are going to use a passphrase like this, it is best to change things up a little with uppercase letters, symbols and numbers, as this helps defend against “dictionary attacks” – where hackers quickly try millions of combinations of dictionary words to find a match.
We always recommend to our clients that a password should be at least 12 characters long – and we use 16 characters as a base. That said, if your chosen password appears on this list of the top 1,000 passwords (and, according to that page, 91% of passwords found in data breaches do!) then you definitely need to pick another one.
I’m sure you’re now asking, “how am I supposed to remember a 16 character password?” – well, read on…
Poor password management
One of the reasons people re-use passwords so often is that no-one wants to remember a million different passwords for each of their accounts and services – and nor should you. Remembering that many passwords is difficult for the vast majority, and it leads to situations like the one seen in the Operations Room at Hawaii’s Emergency Management Agency just yesterday. Hot on the heels of mistakenly sending an emergency broadcast to millions of Hawaii residents warning them of an impending nuclear strike, they were interviewed on TV, and you can clearly see that they write their passwords on post-it notes and attach them to the monitors in their office – something any IT professional is likely familiar with, and something that should absolutely not be allowed under any circumstances!
The answer to password management is to take the hassle away from you and use a dedicated password management tool.
Proper Password Management
The principle behind password managers is that you have one single password (called your Master Password) that you can remember. This should be very strong, as it is basically the key to your electronic front door. Gareth’s master password for his password management tool is nearly 30 characters long, for example.
You then store all of your other passwords in the password manager, and use the tools it provides to automatically fill in login prompts on websites and other services with the password that it has saved in its database.
In an ideal scenario, all of the passwords in your password manager would then be completely random strings of characters (and indeed, all password managers give you tools to generate secure passwords) – this way, none of your passwords are re-used, so if one of them gets compromised, the damage is limited to just that account.
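To put numbers on the “length beats complexity” argument above, and to show what a password manager’s generator actually does, here is an added example (not code from the original post). The guess rate, the word-list size and the tiny blocklist are assumptions standing in for the top-1,000 list the article refers to:

```python
import math
import secrets
import string

# Character sets for the schemes the article compares.
LOWER = string.ascii_lowercase
FULL = string.ascii_letters + string.digits + string.punctuation   # 94 symbols

# Constructed stand-in for a "top passwords" blocklist; a real deployment
# would load the full top-1,000 list mentioned in the article from a file.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "welcome1"}


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy for `length` symbols chosen uniformly at random from an
    alphabet of `alphabet_size` (characters, or words for a passphrase)."""
    return length * math.log2(alphabet_size)


def crack_years(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected years to find the password at a given guess rate (half the
    keyspace on average). 1e10 guesses/s is an assumed offline-attack figure."""
    return (2 ** bits / 2) / guesses_per_second / (365 * 24 * 3600)


def is_blocklisted(password: str) -> bool:
    """Reject anything on the known-bad list, regardless of its length."""
    return password.lower() in BLOCKLIST


def generate_password(length: int = 16, alphabet: str = FULL) -> str:
    """What a password manager does: a uniformly random string from the
    operating system's CSPRNG, never from random.choice()."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    schemes = {
        "8 chars, full character set": entropy_bits(8, len(FULL)),
        "12 lowercase letters only": entropy_bits(12, len(LOWER)),
        "4 words from a 7,776-word list": entropy_bits(4, 7776),
        "16 chars, full character set": entropy_bits(16, len(FULL)),
    }
    for name, bits in schemes.items():
        print(f"{name:32s} {bits:6.1f} bits  ~{crack_years(bits):.2g} years")
    print("blocklisted('Password') ->", is_blocklisted("Password"))
    print("generated:", generate_password())
```

Twelve plain lowercase letters already carry more entropy than eight characters drawn from the full set, which is the article’s point; the blocklist check is the safeguard for passphrases that are long but famous.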
There are many different password managers available – 1Password, LastPass and Dashlane are three popular online password managers, while KeePass is an open-source tool that lets you store your passwords on your own storage, e.g. in Dropbox.
What else can you do?
There are a number of other elements to account security that can help you keep your accounts safe. Probably the most commonly known is two-step authentication (commonly called two-factor authentication, although for various reasons that we won’t get into here, it doesn’t strictly fit that definition) – in most implementations, this is where you are sent a link via email to verify your login, or a text message to your mobile phone containing a code that you must enter in order to continue with the login.
Enabling two-step authentication on your accounts is a great way of almost nullifying any practical risk to their security. It doesn’t protect against that service being breached, of course, but it does mean that should someone manage to log in to your account with the correct password, they can go no further unless they also have access to your email or phone. We always recommend enabling two-step authentication wherever possible.
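The service-side half of the second step described above (the same logic applies to an emailed login link), as an added example that is not from the original post: the code is drawn from the CSPRNG, expires, is single-use and is burned after a handful of wrong guesses. The five-minute window and five-attempt cap are assumed values:

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300   # assumed validity window for a code or link
MAX_ATTEMPTS = 5         # assumed cap on wrong guesses per issued code


@dataclass
class PendingCode:
    code: str
    expires_at: float
    attempts: int = 0


class SecondStep:
    """Issues and verifies the code the user receives by SMS or email."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock, so expiry is testable
        self._pending = {}         # user -> PendingCode

    def issue(self, user: str) -> str:
        # Six decimal digits from the CSPRNG, zero-padded so "000123" is valid.
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[user] = PendingCode(code, self._now() + CODE_TTL_SECONDS)
        return code   # handed to the SMS/email sender; never written to logs

    def verify(self, user: str, submitted: str) -> bool:
        entry = self._pending.get(user)
        if entry is None:
            return False
        if self._now() > entry.expires_at:
            del self._pending[user]          # expired: force a fresh issue
            return False
        entry.attempts += 1
        # Constant-time comparison so a wrong guess learns nothing from timing.
        ok = hmac.compare_digest(entry.code, submitted)
        if ok or entry.attempts >= MAX_ATTEMPTS:
            del self._pending[user]          # single use, or too many tries
        return ok
```

A real deployment would also rate-limit the `issue` call itself, so an attacker cannot flood the victim’s phone or inbox with codes.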
What does the future hold?
Passwords have been around for a long, long time. As much as we’d like to see them go the way of the dinosaurs, it seems unlikely to happen any time soon. In an ideal world, passwordless authentication would be the default method of identifying yourself – for example, you would just log in with an email address and the service provider would then send you an email with a link to complete your login. Technically speaking, this is arguably less secure than using passwords – but until the vast majority of users stop using (and re-using!) weak passwords, it’s a better option.
Biometric security systems – fingerprint scanners, face scanners, retinal scans etc. – are also increasing in popularity, but these have their own drawbacks. Apple’s FaceID system (found on the new iPhone X) has come under intense scrutiny since its release, with a number of shortcomings already being found.
Need any advice?
We don’t pretend to be the font of all knowledge when it comes to information security, but we do like to think that we know a thing or two. If you have any questions about any of the above, feel free to drop us a line.