World Password Day is today, reminding us of the value of solid passwords, and good password practices generally. There are awareness days for all sorts of things, and perhaps we don’t need all of them. You can’t go wrong shoring up a leaky password line of defence though, so without further ado: let’s get right to it.
Breaching the issue
Database breaches are no joke, with major ramifications for both business and individuals. Divorce, job resignations, and suicide followed in the wake of the Ashley Madison compromise as users found their personal lives revealed to the world.
Elsewhere, leaks in which passwords feature prominently can run the full range from “securely stored password” to “plaintext data viewable by anyone”. When passwords are exposed, it potentially provides inroads into multiple accounts owned by the victim.
It’s not only small organisations falling foul of these problems, either. Whether we’re talking about Yahoo! having 3 billion accounts exposed to attackers in 2013, or LinkedIn discovering 117 million passwords up for sale in 2016, this can have a major impact on users. You might think it’s “just” one site’s login lost to people up to no good, but that’s frequently far from the truth.
The problem with passwords
If you make passwords too short, they’re easy to guess or crack. Two-factor authentication (an additional layer of security, most commonly tied to your mobile device) is still not as widely adopted as it should be. As a result, poor passwords leave account safety teetering on the edge of disaster. Nobody wants to remember incredibly long and convoluted passwords, nor should they need to: there are tools for this. Where things go wrong is people not using those tools, and repeating the same five-character password across all their sites and services.
If one account is compromised, all the accounts are going to fall like website-shaped dominoes.
Worse still is people using their pet’s name, their maiden name, or some other relatively easy-to-obtain piece of information as their password, or as the answer to their password reset question. On top of that, some websites still insist on forcing users to have very short passwords, or prevent password managers from filling data into the password box.
It’s a mess out there, so what can we do about it?
Shoring up your passwords
1. Sign up for breach alerts
One of the first things you should consider doing is registering with a data breach notification service like Have I Been Pwned. Whenever your email address shows up in a breach, you’ll be alerted. You can also search for your email address and check whether it appeared in older breaches. Don’t worry, it doesn’t display passwords. However, this leads neatly into our next point…
2. Try a password manager
How many of the online accounts you use share the same password? If the honest answer is “more than one”, consider signing up to a password manager service. Password managers generate and store unique passwords for you, making it easy to have a different password for each account.
Some password managers pre-fill your usernames and passwords on websites for you, but they won’t do that if you land on a phishing page, so that gives you extra protection too.
It’s important to keep your password manager’s vault secure, so make sure you use a unique master password and enable the additional security settings on offer. Some allow for two-factor authentication (2FA), restricting logins by region, a hardware key (a USB device), and more.
3. Use all the layers of security
It’s fairly rare to find a major, commonly used service without a couple of 2FA options available. If a site offers the choice of getting an authentication code via SMS or app, choose app because it’s a bit safer. If there’s no app available, go with SMS. It’s not as good but it’s better than nothing at all.
4. Go old school
Everyone’s threat model is different. Depending on your needs, or even those of a relative, it might be that a password book fits the bill.
Hitting the password’s limitations
Not everything is straightforward. As mentioned above, some services simply do not offer 2FA or other security precautions. In the worst case, you may be registered with a site that combines this with a “5 characters maximum” rule and no pasting from a password manager either. If that’s the case, you may well be forced to reassess your use of that particular service.
Even when services allow you to do your bit for solid password practices, it can go wrong at their end. What use is that 50-character password if insecure hashing on the server results in every credential being exposed in a data breach? Sometimes, there’s only so much you can do.
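To illustrate what “insecure hashing on the server” means in practice, here is an added example (not code from the original post) that places a weak scheme, a fast unsalted MD5 digest, beside a hardened one using a per-user random salt and a deliberately slow key derivation function. The user list is constructed sample data; with the weak scheme, two users who picked the same password end up with identical records, so a single leaked table reveals reuse and one recognised hash opens every matching account.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample credential set: alice and bob happen to share a password.
SAMPLE_USERS = {
    "alice": "correct horse battery staple",
    "bob": "correct horse battery staple",
    "carol": "a different passphrase entirely",
}

SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)  # ~16 MiB, slow by design


def weak_store(password: str) -> str:
    """Weak scheme: one fast, unsalted MD5 digest. Same password, same record."""
    return hashlib.md5(password.encode()).hexdigest()


def strong_store(password: str, salt: Optional[bytes] = None) -> str:
    """Hardened scheme: random per-user salt plus scrypt.
    Stored as salt_hex$hash_hex so verification can recover the salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return salt.hex() + "$" + digest.hex()


def strong_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt; compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.scrypt(
        password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def users_sharing_a_record(store_fn) -> set:
    """Names of users whose stored value matches another user's.
    Non-empty for the unsalted scheme, empty once salts are in play."""
    seen = {}
    for user, password in SAMPLE_USERS.items():
        seen.setdefault(store_fn(password), []).append(user)
    return {u for group in seen.values() if len(group) > 1 for u in group}
```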
Social engineers will trick you however they can
With measures in place alongside your password, that’s not the end of the road. Scammers will immediately try to get around whatever you’ve done to lock things down. If you have files on your PC to enable additional authentication, phishers may ask you to upload them. Other phishing sites capture your 2FA code as you type it in.
Be careful, and if something sounds a bit, well, phishy, take a step back before you hand over something you’ll later regret.
Fixing your login problems this World Password Day
Nothing is ever quite bulletproof. This remains the case no matter what smart steps you take to protect your password collection. Having said that, your chances of living a password-breach-free life are significantly improved by doing some account clean-up.
Put the “breach risk” ball firmly back in the court of the services you use on a daily basis. If you’ve done everything you can to ward off a breach and it still happens, there’s a good chance it wasn’t because of anything you’ve done. The biggest problem is when we fail to do anything at all in the first place.