1. Better Passwords

A massive number of cyber security breaches happen because we use rubbish passwords and re-use the same password across multiple websites and online services. The quality of your humble password is essential for our cyber security.
Use the following strategies to make passwords easy…
a) The Most Important Password
Answer: Your key personal email account.
Why? Let’s say I’m a bad guy and I find out your password to your personal email – the one you use for everything. During the night I’m going to log in and get started. While you’re asleep I will find out – from the emails I now have access to – what services you have: you bank with Halifax; you have PayPal, eBay, Amazon accounts; you use Facebook, Instagram and LinkedIn (for example). I now start making password reset requests for all of these things…
What happens? Your key personal email account receives password reset emails. I click the links – and I’m on my way. I’ve probably done some research about you from all the data you leak (see further down this page). I know your Mother’s Maiden Name because I’ve signed up to family tree services. I can change the password on every service.
You wake up in the morning to find I own your digital life.

Make sure your Key Personal Email Account is the best protected of all. Think about separating all of the rubbish services you sign up to with a second, throwaway account.
b) Avoid Password Re-Use – Use a Password Manager
We have an average of 35 or so passwords. That is far too many for anyone to remember. Password Managers are simple tools which look after all of the passwords for less important sites and services.
Free Password Managers are good enough for home use – though you might want to explore the benefits of paid versions. Do a web search for ‘Best Free Password Manager 2019’ and read some reviews, check for features you want and make sure they have been around for a while.
The great thing is that they work across your devices – store a password on your phone, and it becomes available on your tablet, laptop, desktop, etc…
How do they work?
You install the same Password Manager across your devices and create an account. You create a strong Password Manager Password (see below for strong passwords) and turn on 2FA for the Password Manager.
When you visit an online service – let’s say Amazon – the Password Manager offers to create a super-strong password for you. It looks like nonsense and there is no way you could remember it, as it’s huge. You accept, and the Password Manager remembers it.
Next time you go to Amazon your Password Manager recognises where you are and tells you “I know your password for Amazon – do you want it?” You enter your Password Manager Password and it releases the one for Amazon, pasting it in. Away you go. You don’t know and don’t care what Amazon’s password is.
Even better – it helps avoid phishing: if you are tricked into going to ‘Amazone’, it won’t offer you the password for Amazon, because the address doesn’t match the one it saved. (Other shopping services are available!)
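The phishing protection described above comes down to one rule: the manager only offers a saved password when the site you are on is exactly the site it was saved for. The following is an added example (not the page’s own code, nor any particular Password Manager’s) showing that rule in Python; the hostnames used are constructed for illustration.

```python
# Added example (not from the original page): how a password manager's
# "only fill on the site I saved this for" rule defeats look-alike addresses.
# Hostnames such as amazone.co.uk and evil.example below are constructed.
from typing import Optional
from urllib.parse import urlsplit


def autofill_host(url: str) -> Optional[str]:
    """Return the exact lowercase hostname an entry should be keyed on.

    urlsplit().hostname strips the scheme, any user:pass@ prefix, the port
    and the path, so an address written as
    https://www.amazon.co.uk@evil.example/ resolves to 'evil.example'.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        # Never offer a saved password over plain HTTP: anyone on the
        # network could read or swap the page.
        return None
    return parts.hostname.lower() if parts.hostname else None


def should_offer_password(stored_url: str, visited_url: str) -> bool:
    """True only when the page being visited is on exactly the host the
    entry was saved for. Substring or 'looks similar' matching is what a
    phisher relies on, so it is deliberately not used here."""
    stored = autofill_host(stored_url)
    visited = autofill_host(visited_url)
    return stored is not None and stored == visited


if __name__ == "__main__":
    saved = "https://www.amazon.co.uk/ap/signin"
    for candidate in (
        "https://www.amazon.co.uk/gp/your-account",   # same host: offer
        "https://www.amazone.co.uk/ap/signin",        # look-alike: refuse
        "https://www.amazon.co.uk.verify.example/",   # real name as prefix: refuse
        "http://www.amazon.co.uk/ap/signin",          # not HTTPS: refuse
        "https://www.amazon.co.uk@evil.example/",     # userinfo trick: refuse
    ):
        print(f"{candidate:48} -> {should_offer_password(saved, candidate)}")
```

Real managers usually relax the rule to the registrable domain (so a login on a different subdomain of the same company still fills); exact-host matching is used here because it is the simplest version that still explains why ‘Amazone’ gets nothing.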
Do some risk assessment about the passwords you trust to the Password Manager:
- What does the password protect?
- Will it ruin your life if you lose control?
- Will it jeopardise your financial position?
That risk assessment will leave you with a need to remember 3 or 4 unique Passwords:
- MAIN EMAIL ACCOUNT PASSWORD
- PASSWORD MANAGER PASSWORD
- KEY BANK ACCOUNT PASSWORD
- WORK PASSWORD
We can all achieve that! Making passwords the right way in the first place will make this easier still.
Just remember to keep the Password Manager up to date to protect against vulnerabilities. Find out how to turn on automatic updates in the user guide.
Make sure the device the Password Manager is on is also protected by a password, PIN code or biometric security. This is particularly important where you use a Password Manager built into a web browser or on mobile devices where passwords are accessible as soon as the device is opened.
c) The Password is dead… long live the Passphrase!
The reality of working out your password (aka password cracking) is that it is rare to do it in real time. Most services and systems lock you out after several incorrect attempts. It is important to understand that a massive number of passwords are breached as a result of a DATA BREACH. This is NOT your fault – a company you trusted your data to has lost control. Your password is now out there, usually coupled with your email address, and the bad guys have all the time in the world to break it.
As a result: PASSWORD STRENGTH relates to PASSWORD LENGTH.
So how do we make a long password?
THREE RANDOM WORDS
This is best explained with an example:
LondonBeachMusic
This is made up of three random words – i.e. they are not related to each other. I will remember it as I used to live in London, like the beach and can play music. Importantly, you couldn’t guess that if you find my social media as I have my privacy settings high.
LondonBeachMusic is 16 characters and is a VERY GOOD STRONG PASSPHRASE. We could stop there for lots of services – it will be way better than passwords you are using now. But we may need to make it stronger due to the nature of the account or complexity requirements of the service provider. Adding other characters or numbers increases the number of possibilities the bad guys have to try for a brute force attack…
L#nd#nBea7hMusic
or
London#Beach7Music
These both achieve an increase in complexity. These are GREAT PASSPHRASES. Please don’t use them given I’ve put them on the internet! You will remember them though – as you know where you started and what you did to achieve complexity. And we only need to remember 3 or 4 because we are using Password Managers!
Don’t use words / names / information that may be in the public domain or easily worked out from social media content, e.g. Mother’s maiden name; date / place of birth; pet names; teams you support… We have seen cyber criminals sign up to family tree services to find out Mother’s maiden names!
Finally – don’t change passwords unnecessarily. Change only when you think they have been compromised. Generally this is when you receive a 2FA code and it wasn’t you that requested it (a clue someone has your password and is trying to get into accounts), or you know you’ve been involved in a data breach where your password was stolen.
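To make the ‘strength relates to length’ point concrete, here is an added example in Python (not the page’s own code) that builds a three-random-words passphrase from a word list and works out how many guesses a brute-force attacker who knows only the length and character classes would have to cover. It uses the page’s own examples (LondonBeachMusic, L#nd#nBea7hMusic, London#Beach7Music); the word list is a small constructed sample, and a real one should have thousands of words.

```python
# Added example (not from the original page). SAMPLE_WORDS is a constructed
# list for demonstration only; in practice use a list of thousands of words.
import math
import secrets
import string

SAMPLE_WORDS = [
    "london", "beach", "music", "copper", "lantern", "orbit",
    "velvet", "glacier", "tractor", "puzzle", "harbour", "meadow",
]


def three_random_words(words, rng=secrets, separator=""):
    """Pick three distinct words at random and join them capitalised.

    The default rng is the secrets module, i.e. the operating system's
    cryptographic random source, so the choice is not guessable."""
    pool = list(dict.fromkeys(words))          # de-duplicate, keep order
    if len(pool) < 3:
        raise ValueError("need at least three distinct words")
    chosen = []
    while len(chosen) < 3:
        word = rng.choice(pool)
        if word not in chosen:                 # "random" here means unrelated words
            chosen.append(word)
    return separator.join(w.capitalize() for w in chosen)


def split_words(passphrase):
    """Split 'LondonBeachMusic' back into ['London', 'Beach', 'Music']."""
    words, current = [], ""
    for ch in passphrase:
        if ch.isupper() and current:
            words.append(current)
            current = ch
        else:
            current += ch
    if current:
        words.append(current)
    return words


_CLASSES = (
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, 32),
    (" ", 1),
)


def charset_size(password):
    """Size of the alphabet an attacker must assume once they know which
    character classes (lower, upper, digit, symbol, space) are present."""
    if not password:
        raise ValueError("empty password")
    size = 0
    for chars, n in _CLASSES:
        if any(c in chars for c in password):
            size += n
    unknown = [c for c in password if not any(c in chars for chars, _ in _CLASSES)]
    if unknown:
        raise ValueError(f"unsupported characters: {unknown!r}")
    return size


def search_space(password):
    """Candidates a brute-force attacker must cover: alphabet ** length.
    Length is the exponent, which is why it matters more than complexity."""
    return charset_size(password) ** len(password)


def entropy_bits(password):
    return math.log2(search_space(password))


def wordlist_search_space(list_size, n_words=3):
    """Caveat: an attacker who guesses 'three dictionary words' only needs
    list_size ** n_words tries, so use a big list and, for important
    accounts, add the extra characters the guidance suggests."""
    return list_size ** n_words


if __name__ == "__main__":
    print("generated:", three_random_words(SAMPLE_WORDS))
    for pw in ("Tr0ub4d&3", "LondonBeachMusic", "L#nd#nBea7hMusic", "London#Beach7Music"):
        print(f"{pw:20} len={len(pw):2} alphabet={charset_size(pw):2} "
              f"bits={entropy_bits(pw):5.1f}")
    print("three words from a 7776-word list:",
          f"{math.log2(wordlist_search_space(7776)):.1f} bits")
```

The comparison line for a short ‘complex’ password (constructed here as Tr0ub4d&3, nine characters drawn from the full 94-character alphabet) comes out at roughly 59 bits, while the 16-letter LondonBeachMusic comes out at roughly 91 bits, which is the page’s point in numbers.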
d) Data Breaches
Data breaches are destructive. They can ruin lives. They are not your fault. They are being reported daily. Chances are that you are involved in one.
Take back control – understand what breaches you have been involved with and take action.

Have I been Pwned is a trusted website run by Cyber Security Researcher – Troy Hunt – who cooperates with the National Cyber Security Centre. You can check if you have an account that has been compromised in a data breach. Don’t forget to tick the ‘Notify Me’ box to sign up to future alerts when you are involved in another breach.
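Alongside the account check described above, the same service publishes ‘Pwned Passwords’, which lets you check whether a password itself has turned up in a breach without sending the password anywhere: you hash it locally with SHA-1 and send only the first five hex characters of the hash to https://api.pwnedpasswords.com/range/ followed by that prefix; the reply lists every known hash with that prefix (as ‘SUFFIX:COUNT’ lines) and you finish the comparison on your own machine. The following is an added example in Python, not the page’s or the service’s own code; the sample reply it tests against is constructed, not real service data.

```python
# Added example (not from the original page). The live endpoint used by
# fetch_range() is the real Pwned Passwords k-anonymity API; the sample
# counts in make_sample_lookup() are constructed for an offline demonstration.
import hashlib
import urllib.request
from typing import Callable, Dict

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str):
    """Hash locally; the 5-char prefix is all that ever leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> Dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into {suffix: count}; ignores blank lines."""
    counts: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Live lookup over the network for one 5-character prefix."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, lookup: Callable[[str], str] = fetch_range) -> int:
    """How many times the password appeared in known breaches (0 = not seen).

    The suffix comparison happens here, locally, so the service never
    learns which of the returned hashes (if any) was the one of interest."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(lookup(prefix)).get(suffix, 0)


def make_sample_lookup(known: Dict[str, int]) -> Callable[[str], str]:
    """Offline stand-in for fetch_range built from constructed {password: count}
    data, shaped like the real reply (one 'SUFFIX:COUNT' per line, CRLF)."""
    def lookup(prefix: str) -> str:
        lines = []
        for pw, n in known.items():
            p, s = sha1_prefix_suffix(pw)
            if p == prefix:
                lines.append(f"{s}:{n}")
        # constructed filler entry so the reply never comes back empty
        lines.append("0018A45C4D1DEF81644B54AB7F969B88D65:1")
        return "\r\n".join(lines)
    return lookup


if __name__ == "__main__":
    # Constructed sample data: counts are invented, not the service's figures.
    sample = make_sample_lookup({"password": 3730471, "letmein": 500})
    for pw in ("password", "letmein", "LondonBeachMusic"):
        print(f"{pw:18} seen {breach_count(pw, sample)} times (sample data)")
    # For a real check, call breach_count(pw) with no second argument.
```

A result above zero means the password is on the lists attackers try first and should be retired everywhere it was used, exactly as the breach advice that follows says; a zero is not proof a password is safe, only that it has not been seen in the published breach data.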
Involved in a Data Breach?
Immediately change your password for all accounts which have been compromised AND any other account(s) that you have used the same password for. Do not use this password ever again. Follow our guidance above.
If it involves accounts you no longer use, recover those accounts (using forgotten password processes if necessary) – then delete or close the account. There are lots of free guides which can be found using a simple web search.
If the data breach involves sensitive personal or credit data, you need to sign up for credit score alerts from free providers. There are three credit agencies in the UK so you need to sign up to more than one service:
- Clearscore (Equifax)
- Money Saving Expert’s Credit Club (Experian)
- Credit Karma (TransUnion – previously Callcredit)
If you are still concerned your personal details have been stolen or you have noticed unusual account activity, you can register for the protective registration service with CIFAS. To apply complete the Protective Registration application form.
Once active, CIFAS will place a flag alongside your name and personal details in their secure National Fraud Database. Companies and organisations who are signed up as members of the database will see you’re at risk and take extra steps to protect you, preventing fraudsters from using your details to apply for products and services.
e) Default Passwords – including the Internet of things (IoT)!
The Internet of Things (‘IoT’) is the world of connected devices – smart thermostats, smart fire alarms, smart fridges… even smart toasters!
Almost all devices have some form of password for administration of the device. Quite often this is printed on the back of the device – like in the case of your home router (the box that connects your home to the internet through your telecoms company). It is essential that where possible you change default passwords.
The problem is that we all love a simple user experience. Using the home router example, they send it to us with simple instructions: unpack it, plug in the power and the telephone wire, and you are away! The problem with this is that there are people – good and bad – who collate default passwords and put them in searchable tables on the internet. You may look at the really random-looking administrator password on the back of the router and think ‘this looks random’, but the reality is these are being churned out in their thousands from factories with low-paid workers. Not all are as random as they seem, and we know that the low-paid workers have stuck webcams on the production line before.
Coupled with this, there are people whose hobby is driving round mapping WiFi hotspots (WiGLE – have a look for your home!) and finding insecure internet enabled devices (Shodan). Can you see where this is going if these devices remain on their default administrator password…
Do an audit of your internet enabled devices (use our Audit Form) and make sure everything you can change has been. Going forwards, whenever you buy a new device make sure the first step is to change the default password.
There are really simple guides out there – just do a web search for “How do I change the default password on a BT Home Hub” (for example). You will find an easy to follow video by someone with good intent.
More Information
For more information about passwords, have a look at the National Cyber Security Centre’s advice:
- https://www.ncsc.gov.uk/collection/top-tips-for-staying-secure-online/use-a-strong-and-separate-password-for-email
- https://www.ncsc.gov.uk/collection/top-tips-for-staying-secure-online/password-managers
- https://www.ncsc.gov.uk/blog-post/what-does-ncsc-think-password-managers
- https://www.ncsc.gov.uk/blog-post/passwords-passwords-everywhere
- https://www.ncsc.gov.uk/news/most-hacked-passwords-revealed-as-uk-cyber-survey-exposes-gaps-in-online-security
- https://www.ncsc.gov.uk/blog-post/living-password-re-use
- https://www.ncsc.gov.uk/collection/top-tips-for-staying-secure-online/secure-your-tablet-or-smartphone-with-a-screen-lock