The Lowdown

17th January '18

Tags: cybersecurity, passwords, security

Effective Password Management – How Should It Be Done?

If there’s one thing that I’m sure most people would say is a necessary inconvenience, it would be password management.

Since the dawn of computing, people have been using passwords to restrict access to their important systems. But as time passes this basic security mechanism has become increasingly long in the tooth, and several recent high-profile exposés of its weaknesses have done it no favours. Even so, passwords are so entrenched in everything we do on our computers that they are unlikely to go away.

So, what can be done?

Before we can go into that, we need to understand what’s wrong with them – or, more accurately, what is wrong with the way that passwords are used by most people:

Password re-use

We’d be willing to wager that anyone reading this article is, or has been, guilty of re-using the same password. We’ve certainly been guilty of this in the past. Many people have a “system” whereby they use a different password based on the perceived “value” of the resource to them. They may use a good, strong password for their banking services, but a weaker, easier-to-remember password for social media.

However, the truth is that re-using the same password even once means that you may as well be handing out access to all of those accounts to a determined hacker. That password may have already been compromised, even if you’ve not been hacked yourself. If any website where you used that email and password combination has been breached, those credentials are available to anyone who knows where to look. Sophisticated “botnets” continually crawl other websites attempting to log in with stolen details, which is a worrying thought.

You can check if your email address or login username has been compromised in any public data breaches at Troy Hunt’s excellent website, Have I Been Pwned. Most people will almost certainly be listed in this database at least once!

Weak passwords

There are a lot of misconceptions surrounding password strength. Often you’ll see advice saying that you should use uppercase letters, lowercase letters, symbols and numbers all in the same password. There is some truth to this, but the key element to a strong password is simple – length.

The longer a password is, the harder it is for computers to crack it. Even a simple phrase made up of a few unrelated words can be a strong password (the classic example used everywhere for this is “correct horse battery staple”). If you are going to use a passphrase like this, it is best to change things up a little with uppercase letters, symbols and numbers, as this can help prevent “dictionary attacks”. This is where an attacker tries millions of combinations of dictionary words to find a match.

We always recommend to our clients that a password should be at least 12 characters long. We use 16 characters as a base. That said, if your chosen password appears on this list of the top 1,000 passwords (and, according to that page, 91% of passwords found in data breaches do!) then you definitely need to pick another one.

I’m sure you’re now asking, “how am I supposed to remember a 16 character password?” – well, read on…

Poor password management

One of the reasons people re-use passwords so often is that no-one wants to remember a million different passwords for each of their accounts and services – and nor should you. Having to remember that many passwords is difficult for the vast majority, and leads to situations like the one seen in the Operations Room at Hawaii’s Emergency Management Agency just yesterday. Hot on the heels of mistakenly sending an emergency broadcast to millions of Hawaii residents warning of an impending nuclear strike, they were interviewed on TV, and you can clearly see passwords written on post-it notes and stuck to monitors in their office. That is something any IT professional is likely familiar with, and something that should absolutely not be allowed under any circumstances!

The answer to password management is to take the hassle away from you and use a dedicated password management tool.

Proper Password Management

The principle behind password managers is that you have one single password (called your Master Password) that you can remember. This should be very strong, as it is basically the key to your electronic front door. Gareth’s master password for his password management tool is nearly 30 characters long.

You then store all of your other passwords in the password manager. You use the tools it provides to automatically fill in login prompts on websites with the password that it has saved.

In an ideal scenario, all of the passwords in your password manager would then be completely random strings of characters. All password managers give you tools to generate secure passwords like this. It is a great way to ensure that none of your passwords are re-used. So, if one of them gets compromised, the damage is limited to just that account.
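The following is an added example (Python, not code from the original post) that puts numbers on two points above: that length matters more than character mix, and that a passphrase built from dictionary words is weaker against a word-by-word dictionary attack than its letter count suggests. It also generates the kind of random password a manager produces. The guess rate and word-list size are assumed figures.

```python
import math
import secrets
import string

# Assumed guess rate for the crack-time estimate (a constructed figure for an
# offline attack against a fast, unsalted hash): 10 billion guesses per second.
GUESSES_PER_SECOND = 1e10
# Size of the word list the "correct horse battery staple" scheme assumes
# (the Diceware list has 7,776 words).
WORD_LIST_SIZE = 7776


def charset_size(password: str) -> int:
    """Combined size of the standard character classes the password draws from."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits,
               string.punctuation, " "]
    return sum(len(cls) for cls in classes if any(c in cls for c in password))


def bits_by_character(password: str) -> float:
    """Entropy if an attacker must guess the password character by character."""
    return len(password) * math.log2(charset_size(password))


def bits_by_word(word_count: int, list_size: int = WORD_LIST_SIZE) -> float:
    """Entropy if an attacker runs a dictionary attack, guessing whole words."""
    return word_count * math.log2(list_size)


def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Years needed to try every candidate of the given entropy at `rate`."""
    return 2 ** bits / rate / (365 * 24 * 3600)


def random_password(length: int = 16) -> str:
    """Manager-style password: uniformly random letters, digits and symbols."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    phrase = "correct horse battery staple"   # four lowercase dictionary words
    short = "P@ssw0rd"                         # 8 characters, all four classes
    print("manager-generated example:", random_password())
    for label, bits in [
        ("4 words, attacked letter by letter", bits_by_character(phrase)),
        ("same 4 words, attacked as dictionary words", bits_by_word(4)),
        ("8 mixed characters", bits_by_character(short)),
        ("16 random characters from a manager", 16 * math.log2(94)),
    ]:
        print(f"{label}: {bits:.1f} bits, {years_to_exhaust(bits):.3g} years")
```

The 8-character mixed password and the 4-word lowercase phrase come out roughly level (about 52 bits each under their worst-case attack), while 16 random characters are far beyond both.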

There are many different password managers available – 1Password, LastPass and Dashlane are three popular online password managers, while KeePass is an open-source tool that lets you store your passwords on your own storage, e.g. in Dropbox.

What else can you do?

There are a number of other elements to account security that can help keep your accounts safe. Probably the best known is two-step authentication: after you enter your password, you are sent a link via email to verify your login, or a text message to your phone containing a code that you must enter in order to log in.

Enabling two-step authentication on your accounts is a great option. It doesn’t protect against the service itself being breached, but should someone manage to log in to your account with the correct password, they can go no further unless they also have access to your email or phone. We always recommend enabling two-step authentication wherever possible.

What does the future hold?

Passwords have been around for a long time. As much as we’d like to see them go the way of the dinosaurs, it seems unlikely it’ll happen soon. In an ideal world, passwordless authentication would be the default method. For example, you would log in with an email address and the service provider would send an email to you. Technically speaking, this is arguably less secure than using passwords. But until the vast majority of users stop using (and re-using!) weak passwords, it’s a better option.

Biometric security systems such as fingerprint scanners, face scanners and retinal scanners are becoming popular. These have their own drawbacks. Apple’s FaceID system (found on the new iPhone X) has come under intense scrutiny since its release, with a number of shortcomings already being found. But it is a good place to start when looking at alternatives to passwords.

Need any advice?

If you have any questions about effective password management, feel free to drop us a line.


Online identity fraud and how to protect yourself

Scam artists have been working to defraud others pretty much since the concept of currency and bartering was invented. With the creation of the Internet came the perfect tool for scam artists to target millions of potential victims, so it’s important to learn how to keep yourself safe.

The good news is that it’s not as hard as it may sound – all it takes is some common sense and vigilance, and some anti-virus/Internet security software to act as a safety net.

Signs of a scam

So, how do you know when someone is trying to scam you or steal your identity? Here are some sure signs to look out for.

E-mails from organisations that you don’t recognise

If you receive an e-mail from a company/organisation that you’ve never had any dealings with, then read the e-mail very carefully and if there are any attachments on the e-mail, don’t open them.

If the e-mail is asking you to supply any sort of personal detail, or banking information, passwords etc. then it is best to assume that it’s a scam e-mail.

If you’re in any doubt, simply go to the organisation’s website and find their phone number, and then give them a call to check if the e-mail is legitimate. Any organisation should be thankful for your call, so don’t feel embarrassed.

E-mails that don’t refer to you by name

Scam artists generally only have a list of e-mail addresses to work from; they very rarely know the name of the owner – so scam e-mails often start with a generic “Hello” or “Dear Sir”.

Most organisations, if they need to e-mail you, will refer to you by name, e.g. “Hello David” or “Dear Sarah”, and often by your full name.

E-mails with spelling mistakes and poor use of English

Read any e-mails that you receive carefully. If there are spelling mistakes, or any paragraphs that don’t make sense, this is often a sign of a scam e-mail. Many scams originate in foreign countries where English is not widely spoken or written.

E-mails offering something that sounds too good to be true

There’s an old saying that if something sounds too good to be true, it probably is – and it is never more true than with scams on the Internet.

The classic scam is for an African prince to e-mail with a sad story of a relative’s death, and a complication in the will meaning that to access their vast fortune they have to send it via a third party – and they want you to be the go-between in return for receiving a substantial cut of the money.

If someone came up to you in the street with a similar story, the chances are you’d laugh and blow it off as a joke – yet often people fall foul of these scams online.

Most scams like this also fall foul of the first three rules on this list – so stay alert!

Can you do anything to protect yourself against scams like this?

Yes, you can. Some scams rely on the victim opening attachments on scam e-mails, which will infect their machine with a virus and set the scam in motion. You can protect yourself against these by installing an anti-virus package on your computer or, if you already have one, by ensuring that it’s kept up to date.

Windows 8 from Microsoft includes a good anti-virus package as standard, and Microsoft also provide a free one for Windows 7. There are other good software packages available, some free and some that cost a small amount to purchase, typically around £25-30.

Apple computers are generally more resistant to viruses and other nasty software, both as a result of their lower popularity in the computing world as a whole and the robustness of their operating systems, but it always pays to be safe so installing anti-virus may be worthwhile.

You can also protect yourself in other ways – make sure that the passwords you use for your online activities (especially banking!) are strong: use a combination of letters and numbers, and ideally both upper case and lower case letters. If you have difficulty remembering passwords, then you may find it easier to use a passphrase instead – a short sentence that is memorable, for example “MyCatLikesWhiskas” or “ANiceCupOfTeaAndASitDown”. Scammers rely on people choosing easy-to-guess passwords, so do your best to make yours harder to guess!

Further reading

Warwickshire Police and West Mercia Police have today launched their #BeCyberSmart campaign which has lots of information on scams and how to protect yourself – and of course, the police can provide advice over the phone if you have any doubts about an e-mail you’ve received.

Visit the #BeCyberSmart campaign
