+44 (0)203 88 020 88

Menu

Search

Cyber Security News & Articles

 

Cyber Security
News & Articles

Trusted Cyber Security Experts
25+ Years Industry Experience
Ethical, Professional & Pragmatic

Top tips for World Password Day 2021

Today is World Password Day – the annual reminder to review your password hygiene and consider how to improve the strength and security of your passwords. Here are our top tips to improve your password security – at home and at work.

Bill Gates predicted the demise of the password back in 2004 saying:

There is no doubt that over time, people are going to rely less and less on passwords. People use the same password on different systems, they write them down and they just don’t meet the challenge for anything you really want to secure.

However, the number of passwords a typical user must manage has increased significantly in the last decade, as has the number of software vulnerabilities and attacks that result in the compromise of passwords.  Here are six practical steps you can take to improve your password security.

 

Use a different password

Password re-use is one of the biggest dangers of password-based systems. Even though most users acknowledge that re-using passwords is something to avoid, research suggests that at least 50% of people do it anyway. Because passwords end up leaking or getting compromised one way or another, the value of the stolen password is greatly increased if it also provides access to additional systems.

It’s not just the innocent victims of cybercrime who suffer because of password re-use.  Security blogger Brian Krebs reports how a cyber-criminal hatched a plan to incriminate Krebs by buying drugs on the dark web, posting them to Krebs and then reporting him to the police. However, the criminal used the same password on his private email as he did for the admin account of his dark web hacking forum.  The forum software was hacked by other criminals and the passwords exposed and picked up by law enforcement authorities. The police were able to reuse the password to read the criminals email account – which also include receipts for purchases and details of his home address allowing him to be tracked down and arrested.

Use a password manager

Passwords get re-used because it is hard to remember lots of different passwords.  A typical person has 80-100 passwords in their life – more if you include work related passwords.  A password manager (or password vault) is a software utility that securely stores all your passwords along with the web address or other details of the system it relates to.  The password vault itself is encrypted and the key to unlock it is the one password you need to remember.

Some enterprise password managers include features to track and log when a password is used and provide mechanisms to securely share passwords between vaults without ever revealing the password to the end user.

Like any mission critical software, password managers need to be chosen carefully and managed in order to protect against supply chain attacks like the recent compromise of the update mechanism for the Passwordstate utility.

Don’t force regular password changes

While some regulatory regimes require regular changing of passwords (such as PCI-DSS), the guidance for general users has shifted in recent years to recommend that passwords are only changed if there is a concern that the password has been compromised.

The rationale is that forcing frequent changes causes users to select less secure, easier to remember passwords resulting overall in a reduction in security.   According to the UK National Cyber Security Centre: Regular password changing harms rather than improves security.

Use Multi-Factor Authentication

Passwords can get compromised – through breaches or bypassed using pass-the-hash and pass-the-cookie attacks.  Adding a second authentication factor such as a one-time password or using an authenticator app will help protect your systems even if a password is compromised.  A password is something secret that you know – by providing the password you prove to the system that you are who you claim to be.  If an attacker or criminal is able to get a copy of your password, then they can impersonate you to the system.

Security is improved if, in addition to providing something that only you are supposed to know, you can also prove that you have in your possession something physical that only you are supposed to have.  This is the idea behind multi-factor authentication.  In its simplest form, you use your mobile phone as the possession and prove you have it by entering a code number supplied by SMS message or an app that changes each time you logon.

Using a text message (SMS) to deliver a one-time password is less secure (because SMS is inherently less secure) than using an authenticator app like the ones freely available from Google or Microsoft.  You could also use a security token which is a small battery powered device, the size of a key fob, that displays a security code that changes frequently.

Apart from one-time passwords, the other most popular means of authentication is biometrics – proving you are the actual person you claim to be by validating a fingerprint, palm scan or face scan.

By combining a password (something you know) with a security token (something you have) or biometrics (something you are) security is much improved compared to using passwords alone.

 

Pick better passwords

Through Security Training, help your users pick better passwords and make best use of tools such as password managers to keep long and complex passwords secure for each system.

If users are picking their own passwords (and not using machine generated complex passwords from a password manager) then length is more valuable than complexity. Humans can remember a passphrase of three or four words more easily than a shorter complex password with random numbers and symbols.

Configure a minimum length password length of at least 12 characters, but do not limit the maximum password length.

Protect service accounts and API passwords

Modern network infrastructures – whether on premises, in the cloud or hybrid deployments – rely on a plethora of secrets, certificates, keys and passwords to function.  Hard coding these security credentials into deployment scripts and configuration files may make developers lives easier but it will also make it much easier for attackers to move around your network and extend their reach into additional systems and conduct man in the middle attacks by impersonating your systems.  Infrastructure secrets need protecting in secure locations – such as a password manager or vault.  Some password managers now offer infrastructure integrations allowing secrets to be programmatically obtained as needed – avoiding the need to make them human readable at any time.

 

Additional Resources for Password Security

The National Cyber Security Centre offers useful resources for network managers and users wanting to improve their password security and policies:

 

 

Subscribe to our monthly newsletter today

If you’d like to stay up-to-date with the latest cyber security news and articles from our technical team, you can sign up to our monthly newsletter. 

We hate spam as much as you do, so we promise not to bombard you with emails. We’ll send you a single, curated email each month that contains all of our cyber security news and articles for that month.

Why Choose SecureTeam?

Customer Testimonials

“We were very impressed with the service, I will say, the vulnerability found was one our previous organisation had not picked up, which does make you wonder if anything else was missed.”

Aim Ltd Chief Technology Officer (CTO)

"Within a very tight timescale, SecureTeam managed to deliver a highly professional service efficiently. The team helped the process with regular updates and escalation where necessary. Would highly recommend"

IoT Solutions Group Limited Chief Technology Officer (CTO) & Founder

“First class service as ever. We learn something new each year! Thank you to all your team.”

Royal Haskoning DHV Service Delivery Manager

“We’ve worked with SecureTeam for a few years to conduct our testing. The team make it easy to deal with them; they are attentive and explain detailed reports in a jargon-free way that allows the less technical people to understand. I wouldn’t work with anyone else for our cyber security.”

Capital Asset Management Head of Operations

“SecureTeam provided Derbyshire's Education Data Hub with an approachable and professional service to ensure our schools were able to successfully certify for Cyber Essentials. The team provided a smooth end-to-end service and were always on hand to offer advice when necessary.”

Derbyshire County Council Team Manager Education Data Hub

“A very efficient, professional, and friendly delivery of our testing and the results. You delivered exactly what we asked for in the timeframe we needed it, while maintaining quality and integrity. A great job, done well.”

AMX Solutions IT Project Officer

“We were very pleased with the work and report provided. It was easy to translate the provided details into some actionable tasks on our end so that was great. We always appreciate the ongoing support.”

Innovez Ltd Support Officer

Get in touch today

If you’d like to see how SecureTeam can take your cybersecurity posture to the next level, we’d love to hear from you, learn about your requirements and then send you a free quotation for our services.

Our customers love our fast-turnaround, “no-nonsense” quotations – not to mention that we hate high-pressure sales tactics as much as you do.

We know that every organisation is unique, so our detailed scoping process ensures that we provide you with an accurate quotation for our services, which we trust you’ll find highly competitive.

Get in touch with us today and a member of our team will be in touch to provide you with a quotation. 

0

No products in the basket.

No products in the basket.