Secure and protected passwords are the bedrock of every user’s internet security, the first and best defence against intruders into any system.
Back in more innocent times, when my entire presence online was a yahoo and an MSN messenger account, my password was the name of my dog, Rufus, and my year of birth. I kept using the same, signing up for pizza delivery, online games, even Gmail back then. What’s worse, I considered myself an advanced user, someone who knows better than to use passwords like 123456 or password (still on NordPass’ list of most common passwords in 2020).
I also remember that we were specifically told never to write passwords on a piece of paper for fear of that paper falling into the wrong hands.
Get creative with your passwords
Now, thanks to mandatory cybersecurity training and rising public awareness of the dangers users face if they’re victims of a data breach, I know better. It’s fairly common best practice advice to use different passwords on each account, preferably random words (or, even better, letters and symbols) that have no meaning to you, so they can’t easily be guessed knowing a few facts about your life.
Top tips for creating strong passwords are well known: create long strings of random letters, use a mix of character types, don’t use keyboard paths (like QWERTY), and change passwords regularly.
The best, most secure passwords are gobbledygook—utter nonsense. However, there are those of us who like to have some fun with their login, or make a challenge of memorising multiple passphrases. A good method for them is known as the Bruce Schneier Method. All you need is a memorable sentence (say, “Are you suggesting that coconuts migrate?”) and a rule (take the first and last letter of every word) to come up with AeYuSgTtCsMe?, a password that would take 180 million years to crack.
This deluge of passwords is a bit of a pain to keep track of, but thankfully, password-management services popped up faster than you can say multi-factor authentication, so remembering all those random words and letters wasn’t an issue for long. Google have their own Password Manager, there’s Norton’s own, 1Password, and a host of other services to choose from. Most work with the more popular browsers, as well as on your Android or iOS device.
So there’s a place for all our login data, and some of these apps even suggest strong passwords during signup for a new site. Google’s own password manager has an integrated Password Checkup feature which compares stored passwords against the millions of known compromised accounts that have been leaked in major breaches, and warns users if their passwords are already out there. They’ve even integrated change password links to make it easier for users to rectify the issue.
All this is very convenient and totally free to use. Google’s Chrome, Microsoft’s Edge, and Mozilla’s Firefox all offer similar services to help users come up with and then store their passwords.
As long as I am logged in to my PC or phone, password managers fill in my logins on every site where I saved them. Alternatively, I can go to Settings to see a list of all my saved accounts, and can see each individual password if I enter my device’s login or PIN because all my passwords are stored in the device hardware. Chrome encrypts my logins with a key known only to my device, then sends an obscured copy of my data to Google. Firefox, if you have Sync functionality enabled, does the same. In other words, there’s decent protection on your login data, as long as access to your devices is controlled.
The underbelly of convenience
This is all supremely convenient. However, there is an argument to be made that the downside of having password managers suggest, store, and insert your passwords is that they create a single point of failure. In other words, access to your device means access to all your logins.
A way around this issue is to create two-part passwords. One part is unique to each account, that’s the part the password manager gets to remember. The other part, which may be inserted anywhere in the password, is a phrase that repeats in all your passwords—this, you will have to simply remember. Whenever a login pops up, the password manager fills in part of the password, then the user inserts a little extra. This way, attackers will be left with incomplete passwords even if they gain access to your device, while the user doesn’t need to forgo all the convenience of the service.
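As an added illustration (not code from the original post), the Schneier-style sentence rule above and the two-part scheme in Python: the manager keeps only the stored fragment, the user types the memorised part at a chosen position, and a PBKDF2 hash stands in for whatever the site does server-side. The stored fragment, the insertion position and the salt are constructed values; the claim this demonstrates is that the fragment on the device alone does not verify.

```python
import hashlib
import hmac
import os
import string


def schneier_mnemonic(sentence: str) -> str:
    """First and last letter of every word (first upper-cased, last lower-cased);
    trailing punctuation such as '?' is kept, matching the post's example."""
    parts = []
    for word in sentence.split():
        core = word.rstrip(string.punctuation)
        if not core:  # a token that is pure punctuation contributes nothing
            continue
        tail = word[len(core):]
        parts.append(core[0].upper() + core[-1].lower() + tail)
    return "".join(parts)


def compose_password(stored_part: str, memorised_part: str, position: int) -> str:
    """Two-part password: the manager stores stored_part, the user inserts the
    memorised phrase at `position` (0 = prefix, len(stored_part) = suffix)."""
    return stored_part[:position] + memorised_part + stored_part[position:]


def hash_password(password: str, salt: bytes = b"", iterations: int = 600_000):
    """Salted PBKDF2-HMAC-SHA256, a stand-in for the site's own storage."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(candidate: str, salt: bytes, digest: bytes,
                    iterations: int = 600_000) -> bool:
    cand = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, iterations)
    return hmac.compare_digest(cand, digest)


def demo() -> tuple:
    """Returns (stored_fragment_verifies, full_password_verifies)."""
    stored = "q7Lm!ZpX3v"  # constructed: what the password manager remembers
    memorised = schneier_mnemonic("Are you suggesting that coconuts migrate?")
    full = compose_password(stored, memorised, 5)  # constructed position
    salt, digest = hash_password(full)
    return verify_password(stored, salt, digest), verify_password(full, salt, digest)


if __name__ == "__main__":
    print(demo())
```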
The level of protection either browser-integrated or independent password managers provide may vary somewhat, but they all still require major know-how or brute force to crack. If access to accounts is what they’re after, hackers know that there are easier ways in through phishing and social engineering. Social media seem tailor-made for such attempts. We’ve all seen posts about incredible sales and unbelievable giveaways on Facebook or Instagram, which might scream scam to users who have gone through phishing training, but many still fall for them. Access to those accounts then provides credible gateways to the users’ friends, and so on.
Funny and playful posts along the lines of “Your hero name is the name of your first pet and the month you were born!” crop up now and again, and the answers provide little bits of information to attackers. After some investigative work and with a bit of luck, it’s possible to piece together enough to gain access to just one account connected to someone inside a company (or an acquaintance of theirs). It’s not easy, but they only have to win once.
It may be a difficult task to completely secure passwords, but there are a few rules of thumb.
- Use random words or (even better) random characters
- Shun words with a personal connection like pet names, or significant dates
- Use different passwords for each account
- Secure your passwords
As we’ve seen, there are multiple ways to heed this final piece of advice. The objective here is to make absolutely sure that no-one has access, and there are many ways that provide varying levels of protection. I find myself going back and reconsidering one of the earliest pieces of advice I received: Never ever write down your passwords.
Passwords are like keys: they’re required to open access points, the same way I use my keys to enter my home, or my ID at the bank, where I am then allowed to initiate transfers and so on. I have to guard these objects jealously, and I’d run into trouble if they fell into the wrong hands—much like my passwords.
The crypto world actually recognises the merits of analogue notes. When you create a wallet, you are advised to write down your recovery phrase (a randomly generated set of 12-24 words, also known as mnemonic seed, wallet backup, etc.) and store it securely; this is your ultimate backup for recovery. It’s all about how users treat their notes: discarding them willy-nilly, leaving them taped to a screen, or losing them in heaps of other papers leads to endless trouble, but keeping them safe and away from prying eyes could be a good way to secure your logins.
Ultimately, the best method depends on use as well as risk, and one solution won’t work for everyone. There is only one golden rule to follow, whatever your circumstances.
Finally, let me leave you with this nugget of wisdom from Chris Pirillo.
Passwords are like underwear. Don't leave them out where people can see them, change them regularly, and don't loan 'em out.