Greetings! Nearly everything we need to secure includes some password protection, so it’s critical to get it right.
It’s especially true in the workplace, where a simple password can be the only thing standing between malicious hackers and your company’s valuable data.
Now, everyone knows this, right? Well, if all the preventable hacks across the net at companies big and small caused by password breaches are any indication, we think not everyone takes it seriously enough.
There is a lot of detrimental, procrastinating reasoning like “why would anyone want to hack my account? No one cares about little old me” or “how could they crack my password when they only get three tries?”
We’ll point out all the holes in these reasonings here today and show you how without too much effort (we’ll actually make your life easier and safer!) you can get it right.
Alright, let’s start at the top with point #1:
Password manager. As an individual you need to use one, and companies should absolutely use them as well. Why?
Enables using many more unique and stronger passwords than you can remember
Enables sharing needed passwords among teams in case someone goes missing. This is important in your personal life as well, consider a family account so critical information can be accessed in case of an emergency or someone’s untimely demise.
Different entry types, e.g., secure notes or browser-based logins
Encrypts stored passwords and backs them up well
Choose one from a reputable group, since you’re giving them a lot of trust
Make that main login to the password manager extra secure and probably write it down somewhere safe, but where it won’t be easily found by others.
Consider using multiple password managers in case of failure, as this is now a single access point.
Strong and Unique Passwords. Why?
Prevents hacking. The shorter the password, the easier it is to crack.
Qualities of a strong password
Long, not overusing dictionary words or guessable info, using multiple character types
Don’t use easy to guess or publicly available info, etc.
Qualities of a unique password
Different from your other passwords, obviously, but not just by one character. Appending a number, like “mygreatpassword” and then “mygreatpassword2”, is not good enough; they need to be emphatically unique.
Change Default Usernames like “Admin” or “Root” on devices and services like routers, servers, and admin panels for things like website CMSs. Why?
Makes the hacker’s job that bit harder: they have to get both the username and the password
Change Default Passwords on things like routers and printers and more. Why?
Just like the above, many devices ship with default settings, and they need to be changed
Don’t Save Passwords to Sensitive Sites or Services in your Browser. Why?
If someone gets access to your workstation, and opens your browser, they get access to any of these accounts. It makes it too easy
This browser storage of your passwords could be hacked someday; it’s a point of weakness
So, as we say, it’s maybe OK for not-so-sensitive sites, like a newspaper you’re subscribed to. But don’t do it for anything where payments can occur, financial info is stored, or even your social media, which can be used as a launch point for further attacks against you or others. So nothing of value or potential use as leverage, like your email.
Don’t Send Passwords in Clear Text in Emails or Chat Apps. Why?
Hackers who compromise your or the recipient’s email or chat application can scan your conversations for such passwords, and then whatever account was discussed is hacked.
Solution - use a temporary, hidden sharing link system like Bitwarden Share
Follow up: when you receive a password, change it to a strong password immediately, so that if the communication method used to give it to you is hacked, the password the hacker finds is no longer valid.
Change Old Passwords
So now you know, and you’ll never make a weak password again, and hopefully you and your company will use a password manager, yay!
But don’t be complacent, be thorough and change all those old passwords that aren’t as secure. Remember “a bad apple will spoil the bunch” and your security is only as strong as the weakest link - so get everything updated.
A lot of security concerns sit parallel to password usage. Keep these in mind:
Use Multi-factor authentication
Don’t let the password do all the work alone, as it’s a single point of failure. Use MFA whenever available (and if not, request it; if it’s an internal company IT service they can try to implement it - contact us at SEIRIM and we can help do it)
Use Security Keys like YubiKey
It’s like a physical MFA solution that needs to be present with your device for access to accounts.
Don’t fall for Phishing attacks
The easiest way to hack a password is to trick a user into giving it to you. Don’t click on suspicious links or files (and keep that bar of skepticism of links very high) that lead you somewhere to enter a password or anything similar.
Always Check to Make Sure the Sites you’re Accessing are Secure
Check the URL carefully where you are entering your login credentials; sites can be and are spoofed
Make sure HTTPS is active
Make sure no one is looking over your shoulder
Sign out of sensitive sites when done using them
Don’t just close the browser so it’s easy for you to already be logged in when you re-open that website - you make it easy for the hacker as well.
Physically hit the “Log out” button to end the session. This also invalidates the session keys that were active up until that point, which a hacker could otherwise use to impersonate you
If Asked for Security Questions
Power up your Password Manager, and make your answers to the questions ones more complex than just a simple answer that someone could research and figure out from public information about you.
Basically make your answers like extra passwords themselves. For example, if your mother’s maiden name is “Smith”, answer “Smith$%@K” and store the answers in your manager.
Don’t Forget about your Mobile Devices
It’s an attack vector that may already be “signed in” to many important services
Be wary of suspicious applications, delete any unused apps, sign out of sensitive sites and apps when you can, and make sure your device is always locked.
Use a VPN, especially on Insecure Networks like WiFi in a Public Space
Use a trustworthy provider, and your connection will be guarded by an extra tunnel layer
This is important because Wi-Fi access points can be spoofed by hackers, who can then run man-in-the-middle attacks to steal your login credentials
Do not ‘Overly’ use Single Sign On (SSO) options
Many services give you the option to sign in via your Google, LinkedIn, Twitter, Facebook accounts or similar. We think it’s best to avoid granting such access far and wide, as you are creating more points of connection and access to your account, and for those SSO providers into your activity, which could later be breached. Read more on the issue in Single Sign On Considerations.
Corporate Environment Password Considerations
The IT and Cybersecurity department’s perspectives aren’t the main focus of this article, but it’s good for everyone to be aware of these points. Best practices for passwords have evolved, including very recently. Take note of the latest thinking:
Requiring password changes very often, like every month or 90 days is now considered to be counterproductive because it encourages password reuse.
By requiring new passwords all the time, it makes them harder to remember, so people default to simpler passwords (bad) and to variations of their current password carried over into the next iteration, like “mygreatpassword4”, which hackers can guess if they get access to the old password.
Push for longer, more complex passwords, but password length is more important than complexity.
The longer the password, the stronger it is, all else being equal; aim for 12 or 15 characters as a minimum.
The more character types the better is still true, so try to require at least 3 among the types of uppercase, lowercase, numbers and symbols.
Cautionary note: requiring too much complexity can break many people’s personal easy-to-remember systems, increasing the risk they may have to create a password they can’t remember
Currently, many think that just using many seemingly random words, or a strange, uncommon sentence, plus mixing in some character types, is the best way to achieve a long password that is also possible to remember
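As an added example (not code from this article or from SEIRIM), here is a small Python policy check that implements the points above together with the earlier “Strong and Unique Passwords” section: a 12-character minimum, at least three of the four character types, rejection of a handful of common passwords, and detection of the “mygreatpassword4 after mygreatpassword3” style of variation on a previous password. The bruteforce_bits helper illustrates why length outweighs complexity. The tiny common-password list and the threshold constants are assumptions chosen for illustration.

```python
import math
import string
from typing import Iterable, List, Set

MIN_LENGTH = 12          # the article's suggested floor (aim for 12 to 15)
MIN_CHAR_CLASSES = 3     # at least 3 of: uppercase, lowercase, digits, symbols

# Constructed mini-list of common passwords; a real policy would use a large
# breached-password list instead of this handful.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}

CLASS_SIZES = {"upper": 26, "lower": 26, "digit": 10,
               "symbol": len(string.punctuation)}   # 32 printable ASCII symbols


def used_classes(password: str) -> Set[str]:
    """Which of the four character classes the password actually uses."""
    classes = set()
    for c in password:
        if c.isupper():
            classes.add("upper")
        elif c.islower():
            classes.add("lower")
        elif c.isdigit():
            classes.add("digit")
        elif c in string.punctuation:
            classes.add("symbol")
    return classes


def bruteforce_bits(password: str) -> float:
    """Size of the search space, in bits, for an attacker who must try every
    string over the character classes used. It is an upper bound: dictionary
    words and patterns shrink the real search space a great deal."""
    space = sum(CLASS_SIZES[c] for c in used_classes(password))
    return len(password) * math.log2(space) if space else 0.0


def core(password: str) -> str:
    """Lower-case the password and drop any trailing digits/symbols, so that
    'mygreatpassword3' and 'MyGreatPassword4!' map to the same core."""
    return password.rstrip(string.digits + string.punctuation).lower()


def is_trivial_variation(new: str, old: str) -> bool:
    """The 'append a number to last time's password' pattern the text warns about."""
    return core(new) != "" and core(new) == core(old)


def check_password(password: str, previous: Iterable[str] = ()) -> List[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(used_classes(password)) < MIN_CHAR_CLASSES:
        problems.append(f"uses fewer than {MIN_CHAR_CLASSES} character types")
    if core(password) in COMMON_PASSWORDS:
        problems.append("is a common password or a trivial variation of one")
    if any(is_trivial_variation(password, old) for old in previous):
        problems.append("is a trivial variation of a previous password")
    return problems


if __name__ == "__main__":
    # Length beats complexity: 16 lowercase letters out-score 8 mixed characters.
    print(round(bruteforce_bits("correcthorsebatt"), 1),
          round(bruteforce_bits("Ab1!Ab1!"), 1))
    print(check_password("mygreatpassword4", previous=["mygreatpassword3"]))
    print(check_password("Correct-Horse-Battery-9", previous=["mygreatpassword3"]))
```

The variation check deliberately compares the lower-cased “core” of the old and new passwords rather than requiring them to be entirely different, because that is the pattern a real password-change form sees: the same word with a bumped counter or a swapped trailing symbol.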
Use a Password History Check Service
To check if users’ submitted passwords are vulnerable or have previously been exposed in a hack
At SEIRIM when we build web applications, we implement a service that automatically checks if a user’s submitted password has been involved in a data breach to keep them from using it.
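As an added example, and not SEIRIM’s own service, here is how such a check is commonly built on the Have I Been Pwned “Pwned Passwords” range API (https://api.pwnedpasswords.com/range/): only the first five hex characters of the password’s SHA-1 hash are sent, the service returns every matching hash suffix with a breach count, and the suffix lookup happens locally, so the password itself never leaves your server. The SAMPLE_RANGES response body is constructed (only the hash tail of “password” is real; its count and the other rows are made up), and the fetch function is injected so the logic runs offline; fetch_range_live shows the real network call.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real Pwned Passwords endpoint


def split_sha1(password: str) -> Tuple[str, str]:
    """SHA-1 the password and split it into the 5-hex-char prefix that is sent
    to the service and the 35-char suffix that never leaves the server."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines the range endpoint returns."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appeared in known breaches (0 = not found).
    fetch_range is injected so the logic can be exercised offline."""
    prefix, suffix = split_sha1(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Query the real API (network required). Only the 5-char prefix is sent."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "password-policy-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed offline stand-in for the service. The first suffix is the real
# SHA-1 tail of "password"; its count and the other two rows are made up.
SAMPLE_RANGES = {
    "5BAA6": "\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
        "1E4C9B93F3F0682250B6CF8331B7EE68ABC:2",
        "0" * 34 + "1:0",
    ]),
}


def fetch_range_offline(prefix: str) -> str:
    return SAMPLE_RANGES.get(prefix, "")


def reject_if_breached(password: str,
                       fetch_range: Callable[[str], str] = fetch_range_offline) -> str:
    """Policy decision a signup or password-change form can act on."""
    n = breach_count(password, fetch_range)
    if n:
        return f"rejected: this password has appeared {n} times in data breaches"
    return "ok"


if __name__ == "__main__":
    print(reject_if_breached("password"))                  # rejected
    print(reject_if_breached("Correct-Horse-Battery-9"))   # ok
```

Swap fetch_range_offline for fetch_range_live to query the real service; nothing else changes, which is the point of injecting the fetch function.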
If you’re storing passwords for any reason
Make sure to use a strong hashing algorithm
Salt (and even pepper!) the passwords to make cracking a collection of hashed passwords exponentially more difficult and defeat the use of rainbow tables
For more in-depth information check out OWASP here: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html but long story short this is very, very important.
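As an added example (not SEIRIM’s code), the following Python applies both points above: a random per-user salt and a server-side pepper, with the password run through HMAC-SHA256 under the pepper before the slow hash. It uses the standard library’s scrypt (the OWASP cheat sheet lists Argon2id first, which needs a third-party package, and scrypt as the next choice). The pepper value and the work-factor parameters are constructed for illustration; a real pepper is loaded from a secrets store, never stored beside the hashes.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed pepper for this example. In production it lives in a secrets
# manager or environment variable, never in the database next to the hashes.
PEPPER = bytes.fromhex("7f3a9c1e5b2d4e6f8a0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a")

# Work-factor parameters; stored with each record so they can be raised later.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16
DKLEN = 32
PREFIX = "scrypt"


def _pepper(password: str) -> bytes:
    """Pre-hash the password with the server-side pepper via HMAC-SHA256.
    A stolen table of hashes cannot be cracked without the pepper as well."""
    return hmac.new(PEPPER, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'scrypt$N$r$p$salt_b64$hash_b64', using a fresh random salt."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)   # unique per user: defeats rainbow tables
    dk = hashlib.scrypt(_pepper(password), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return "$".join([PREFIX, str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     base64.b64encode(salt).decode(), base64.b64encode(dk).decode()])


def _parse(stored: str) -> Tuple[int, int, int, bytes, bytes]:
    algo, n, r, p, salt_b64, hash_b64 = stored.split("$")
    if algo != PREFIX:
        raise ValueError("unsupported hash format")
    return int(n), int(r), int(p), base64.b64decode(salt_b64), base64.b64decode(hash_b64)


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    n, r, p, salt, expected = _parse(stored)
    actual = hashlib.scrypt(_pepper(password), salt=salt, n=n, r=r, p=p,
                            dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored: str) -> bool:
    """True when a record was made with weaker parameters than current policy;
    rehash it at the user's next successful login."""
    n, r, p, _, _ = _parse(stored)
    return n < SCRYPT_N or r < SCRYPT_R or p < SCRYPT_P


if __name__ == "__main__":
    record = hash_password("Correct-Horse-Battery-9")
    print(record)
    print(verify_password("Correct-Horse-Battery-9", record))   # True
    print(verify_password("correct-horse-battery-9", record))   # False
```

Storing the parameters inside the record is what lets you raise the work factor later without a migration: verify with whatever the record says, then rehash on a successful login when needs_rehash reports the record is below policy.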
Just in case, we’ll mention it: if you’re accepting passwords and any other info via forms, make sure you are conducting input validation to sanitize any attempted attacks via those fields.
Ok so that wraps it up! Even if you’re a simple humble user, please know that you are not immune to hackers’ attention, they want access to any and all accounts even as stepping stones to more information and bigger fish. And attacks are automated, so it can be just malicious scripts crawling towards your accounts.
Stay one step ahead of these malicious actors with strong, unique, and well protected passwords that are well backed up and redundant.
For more info, check out our cybersecurity engineer Nemanja's notes on password security, and a demo on how easy it is for weak passwords to be hacked: