1. Better Passwords
A massive number of cyber security breaches happen because we use rubbish passwords and re-use the same password across multiple websites and online services. The quality of your humble password is essential to your cyber security.
Use the following strategies to make passwords easy…
a) The Most Important Password
Answer: Your key personal email account.
Why? Let’s say I’m a bad guy and I find out your password to your personal email – the one you use for everything. During the night I’m going to log in and get started. While you’re asleep I will find out – from the emails I now have access to – what services you have: you bank with Halifax; you have PayPal, eBay, Amazon accounts; you use Facebook, Instagram and LinkedIn (for example). I now start making password reset requests for all of these things…
What happens? Your key personal email account receives password reset emails. I click the links – and I’m on my way. I’ve probably done some research about you from all the data you leak (see further down this page). I know your Mother’s Maiden Name because I’ve signed up to family tree services. I can change the password on every service.
You wake up in the morning to find I own your digital life.
Make sure your Key Personal Email Account is the best protected of all. Think about separating all of the rubbish services you sign up to with a second, throwaway account.
b) Avoid Password Re-Use – Use a Password Manager
We have an average of 35 or so passwords. That is far too many for anyone to remember. Password Managers are simple tools which look after all of the passwords for less important sites and services.
Free Password Managers are good enough for home use – though you might want to explore the benefits of paid versions. Do a web search for ‘Best Free Password Manager 2019’ and read some reviews, check for features you want and make sure they have been around for a while.
The great thing is that they work across your devices – store a password on your phone, and it becomes available on your tablet, laptop, desktop, etc…
How do they work?
When you visit an online service – let’s say Amazon – it offers to create a super-strong password which looks like nonsense to you; there is no way you could remember it, as it is huge. You accept, and it remembers it.
Next time you go to Amazon your Password Manager recognises the site by its web address and tells you “I know your password for Amazon – do you want it?” You enter your Password Manager Password and it releases the one for Amazon, pasting it in. Away you go. You don’t know and don’t care what Amazon’s password is. Because the manager matches on the address, it will not offer your Amazon password on a look-alike phishing site that merely looks like Amazon, which is a useful extra protection.
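To make the mechanics concrete, here is a small Python sketch of what a password manager does behind the scenes. It is an added illustrative example for this page, not the code of any real product: it generates a random password for a site, derives a verifier from the master password with scrypt (real products also encrypt the stored entries with a key derived the same way, which is left out here), and only offers an entry back for the exact web address it was saved for, so a look-alike phishing site gets nothing. The site addresses, user name, master password and scrypt settings are assumptions.

```python
"""Toy password manager (added example, not a real product's code).

Shows three things a real manager does: generate passwords you never
need to remember, gate everything behind one master password, and
autofill only on the exact site an entry was saved for.
"""
import hashlib
import hmac
import secrets
import string
from urllib.parse import urlsplit

# Work factor for the master-password key derivation. Assumed values;
# real products tune these upwards (or use argon2) and encrypt the vault
# with a key derived the same way.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1

PASSWORD_ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"


def generate_password(length: int = 20) -> str:
    """The 'looks like nonsense' password the manager offers to create."""
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def site_key(url: str) -> str:
    """Host name of a URL, lower-cased. This is what 'recognises where
    you are': an entry is offered only when the host matches exactly."""
    return (urlsplit(url).hostname or "").lower()


def derive_verifier(master_password: str, salt: bytes) -> bytes:
    """Slow, salted derivation so a stolen vault cannot be brute-forced
    quickly."""
    return hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


class Vault:
    def __init__(self, master_password: str):
        self._salt = secrets.token_bytes(16)
        self._verifier = derive_verifier(master_password, self._salt)
        self._entries = {}  # site host -> (username, password)

    def unlock(self, master_password: str) -> bool:
        candidate = derive_verifier(master_password, self._salt)
        # Constant-time comparison, so timing does not leak the verifier.
        return hmac.compare_digest(candidate, self._verifier)

    def save(self, url: str, username: str, password: str = "") -> str:
        """Store (or generate and store) the password for a site."""
        password = password or generate_password()
        self._entries[site_key(url)] = (username, password)
        return password

    def fill(self, url: str, master_password: str):
        """Return (username, password) for this exact site, or None if the
        master password is wrong or the site was never saved (for example
        a look-alike phishing domain)."""
        if not self.unlock(master_password):
            return None
        return self._entries.get(site_key(url))


if __name__ == "__main__":
    master = "correct horse battery staple"  # assumed master password
    vault = Vault(master)
    generated = vault.save("https://www.amazon.co.uk/ap/signin", "you@example.com")
    print("saved:", generated)
    print("real site:", vault.fill("https://www.amazon.co.uk/gp/cart", master))
    print("look-alike:", vault.fill("https://www.amazon.co.uk.account-verify.example/", master))
```

The host check is deliberately strict: a real manager also has to cope with subdomains and shared sign-in pages, but the principle that the stored entry is tied to the address, not to how the page looks, is what defeats the phishing page.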
Do some risk assessment about the passwords you trust to the Password Manager:
- What does the password protect?
- Will it ruin your life if you lose control?
- Will it jeopardise your financial position?
That risk assessment will leave you with a need to remember 3 or 4 unique Passwords:
- MAIN EMAIL ACCOUNT PASSWORD
- PASSWORD MANAGER PASSWORD
- KEY BANK ACCOUNT PASSWORD
- WORK PASSWORD
We can all achieve that! Making passwords the right way in the first place will make this easier still.
Just remember to keep the Password Manager up to date to protect against vulnerabilities. Find out how to turn on automatic updates in the user guide.
Make sure the device the Password Manager is on is also protected by a password, PIN code or biometric security. This is particularly important where you use a Password Manager built into a web browser or on mobile devices where passwords are accessible as soon as the device is opened.
c) The Password is dead… long live the Passphrase!
The reality of working out your password (aka password cracking) is that it is rarely done in real time. Most services and systems lock you out after several incorrect attempts. It is important to understand that a massive number of passwords are breached as a result of a DATA BREACH. This is NOT your fault – a company you trusted your data to has lost control. Your password is now out there, usually coupled with your email address and often in a scrambled (‘hashed’) form, and the bad guys have all the time in the world to break it on their own computers, with no lock-out to stop them.
As a result: PASSWORD STRENGTH relates to PASSWORD LENGTH. Every extra character multiplies the number of guesses an attacker has to make, and with a copy of the hash they can try billions of guesses a second, so short passwords fall quickly however clever they look.
So how do we make a long password?
THREE RANDOM WORDS
This is best explained with an example:
These both achieve an increase in complexity. These are GREAT PASSPHRASES. Please don’t use them given I’ve put them on the internet! You will remember them though – as you know where you started and what you did to achieve complexity. And we only need to remember 3 or 4 because we are using Password Managers!
Don’t use words / names / information that may be in the public domain or easily worked out from social media content, e.g. Mother’s maiden name; date / place of birth; pet names; teams you support… We have seen cyber criminals sign up to family tree services to find out Mother’s maiden names!
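Two things the text asserts can be shown with a few lines of Python, added here as an illustration and not part of the original page: first, why an offline attacker holding a leaked hash finds a ‘word plus a number’ password in seconds (a dictionary attack with the simplest mangling rules), and second, how the number of guesses grows with length. The word list, the ‘leaked’ hashes and the guess rate of ten billion per second (a rough figure for a modern GPU rig against a fast, unsalted hash) are all constructed assumptions; real word lists such as the EFF’s have 7,776 entries, and real breaches are attacked with far bigger dictionaries and rule sets. The numbers also carry a caveat worth knowing: three words drawn from a public 7,776-word list give 7776^3 combinations, fewer than eight fully random characters, so the words must be genuinely random (nothing guessable from your social media, as above) and a fourth word or a bigger list adds real strength.

```python
"""Why length and randomness matter (added example, not from the original page)."""
import hashlib
import secrets

# Constructed stand-in for a leaked "most common passwords" list.
COMMON_PASSWORDS = ["password", "liverpool", "qwerty", "letmein", "chelsea", "123456"]

# Constructed word list for generating passphrases. A real list (e.g. the
# EFF's) has 7,776 words; this one is tiny so the example stays short.
WORDS = ["cactus", "harbour", "velvet", "pebble", "lantern", "orbit", "maple",
         "quartz", "ribbon", "saddle", "tundra", "walnut", "anchor", "blanket",
         "copper", "dahlia", "ember", "falcon", "garlic", "helmet"]

GUESSES_PER_SECOND = 1e10  # assumed offline cracking rate for a fast, unsalted hash


def sha256_hex(text: str) -> str:
    # The constructed breach stored unsalted SHA-256; many real leaks are worse.
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def mangle(word: str):
    """The first rules any cracker applies: capitalise, add '!', append digits."""
    for base in (word, word.capitalize()):
        yield base
        yield base + "!"
        for n in range(100):
            yield f"{base}{n}"


def crack(target_hex: str, wordlist):
    """Offline dictionary attack: the attacker has the hash and all the time in the world."""
    for word in wordlist:
        for candidate in mangle(word):
            if sha256_hex(candidate) == target_hex:
                return candidate
    return None


def three_random_words(words=WORDS, count: int = 3, sep: str = "") -> str:
    """Pick the words with a cryptographic RNG, never by hand."""
    return sep.join(secrets.choice(words) for _ in range(count))


def search_space(alphabet_size: int, length: int) -> int:
    """Guesses needed to try every combination."""
    return alphabet_size ** length


def years_to_exhaust(guesses: int, rate: float = GUESSES_PER_SECOND) -> float:
    return guesses / rate / (365 * 24 * 3600)


def comparison() -> dict:
    """Search spaces an attacker faces for three styles of password."""
    return {
        "8 random characters from 95 symbols": search_space(95, 8),
        "18 lower-case letters (three 6-letter words, brute force)": search_space(26, 18),
        "3 words from a known 7776-word list": search_space(7776, 3),
    }


if __name__ == "__main__":
    leaked = sha256_hex("Liverpool1")  # constructed leaked hash
    print("cracked:", crack(leaked, COMMON_PASSWORDS))
    phrase = three_random_words()
    print("passphrase:", phrase, "cracked:", crack(sha256_hex(phrase), COMMON_PASSWORDS))
    for label, guesses in comparison().items():
        print(f"{label}: {guesses:.2e} guesses, {years_to_exhaust(guesses):.2e} years")
```

Run it and the ‘team name plus a digit’ password is recovered almost instantly, while brute-forcing eighteen letters at the assumed rate takes tens of millions of years; the third row of the comparison is the reminder that the words have to be unguessable, not merely long.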
d) Data Breaches
Data breaches are destructive. They can ruin lives. They are not your fault. They are being reported daily. Chances are that you are involved in one.
Take back control – understand what breaches you have been involved with and take action.
Have I been Pwned is a trusted website run by the security researcher Troy Hunt, who works with the National Cyber Security Centre. You can check whether any of your accounts has been compromised in a data breach. Don’t forget to tick the ‘Notify Me’ box to sign up to future alerts when you are involved in another breach.
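Have I been Pwned also publishes a ‘Pwned Passwords’ list, and you can check a password against it without ever sending the password itself: the service accepts only the first five characters of the password’s SHA-1 hash and returns every known hash suffix that starts with them, so the matching is done on your side. The Python below, an added example rather than anything from this page or from the service’s own code, implements that lookup. The sample response is constructed (with a made-up count) so the example runs offline; the real query is a plain HTTPS GET to https://api.pwnedpasswords.com/range/ followed by the five characters, and the ‘User-Agent’ string used is an assumption.

```python
"""Check a password against Pwned Passwords using the k-anonymity range API.
Added example; not code from the page or from Have I been Pwned."""
import hashlib
from urllib.request import Request, urlopen

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str):
    """Upper-case SHA-1 hex split into the 5-char prefix that is sent
    and the 35-char suffix that never leaves your machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Search the returned 'SUFFIX:COUNT' lines locally. 0 means not seen."""
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Network call. Only the 5-character prefix is transmitted."""
    request = Request(RANGE_URL + prefix,
                      headers={"User-Agent": "pwned-check-example"})  # assumed UA string
    with urlopen(request, timeout=10) as response:
        return response.read().decode("utf-8")


def pwned_count(password: str, fetch=fetch_range) -> int:
    """How many times this password appears in known breaches."""
    prefix, suffix = split_sha1(password)
    return count_in_range(suffix, fetch(prefix))


# Constructed stand-in for the response to /range/5BAA6. The middle line holds
# the real suffix of SHA-1("password"); its count and the other lines are made up.
SAMPLE_RANGE_5BAA6 = "\r\n".join([
    "1D2C67A3D7F1A9A1C2E4F8A0B3C5D7E9F1A:2",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345",
    "1F0A9B8C7D6E5F4A3B2C1D0E9F8A7B6C5D4:1",
])


def offline_fetch(prefix: str) -> str:
    """Replaces the network call so the example runs without internet access."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for pw in ("password", "cactusharbourvelvet"):
        print(pw, "->", pwned_count(pw, fetch=offline_fetch), "(offline sample)")
    # pwned_count("password") with the default fetch queries the live service.
```

A non-zero count means the password is already in attackers’ dictionaries and should be retired wherever it is used, even if the site that leaked it is one you no longer care about.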
Involved in a Data Breach?
Immediately change your password for all accounts which have been compromised AND any other account(s) that you have used the same password for. Do not use this password ever again. Follow our guidance above.
If it involves accounts you no longer use, recover those accounts (using forgotten password processes if necessary) – then delete or close the account. There are lots of free guides which can be found using a simple web search.
If the data breach involves sensitive personal or credit data, you need to sign up for credit score alerts from free providers. There are three credit agencies in the UK so you need to sign up to more than one service:
e) Default Passwords – including the Internet of things (IoT)!
The Internet of Things (‘IoT’) is the world of connected devices – smart thermostats, smart fire alarms, smart fridges… even smart toasters!
Almost all devices have some form of password for administration of the device. Quite often this is printed on the back of the device – as in the case of your home router (the box that connects your home to the internet through your telecoms company). It is essential that where possible you change default passwords.
The problem is that we all love a simple user experience. Using the home router example, it arrives with simple instructions: unpack it, plug in the power and the telephone wire and you are away! The trouble is that there are people – good and bad – who collate default passwords and publish them in searchable tables on the internet. You may look at the impressive-looking administrator password on the back of the router and think ‘this looks random’, but these devices are churned out in their thousands from factories with low-paid workers, and not every default password is as random as it seems: some are generated from details such as the serial number or Wi-Fi network name, which can be worked out. We also know that the low-paid workers have stuck webcams on the production line before.
There are really simple guides out there – just do a web search for “How do I change the default password on a BT Home Hub” (for example). You will find an easy to follow video by someone with good intent.
For more information about passwords, have a look at the National Cyber Security Centre’s advice: