World Password day last week is one of the somewhat random, special days I actually take seriously. It’s a day when I take a moment each time I enter a password, to think about the general security of that password and system and run the security check-in of my chosen password manager.
What factors to think about?
There are typically a few key points I go through, starting with good password practices. Are the passwords I’m using sufficiently lengthy, complex and not obvious, logical words to use. Long gone are the days you can use your cat’s name and the year of your birth, then consider Fluffy76 as a secure password. Gone also, are thanks to the continual stream of data breaches, are the days where you can re-use passwords because simply put:
If you use the same username and password and a single site account is compromised, all of your accounts are at risk.
It’s not just having different passwords that is important, simple words are easy to brute force attack. Increased length of passwords rapidly increases the time it would take to achieve a force attack and effectively remove the potential for a human to manually access your accounts.
The maths is pretty complex to work out the potential password combinations with:
- 26 letters in the alphabet, considering upper and lower case (52 options)
- Plus numbers and symbols (a further 42 options per cell)
That’s 94 potential options per cell in your password. So very quickly, the potential combinations expand to huge numbers. Then multiply out by 12 characters — or more — passwords and you’re looking at trillions of potential combinations.
Once you’ve got your passwords into the right standards, you move towards how to bolster the security of your existing account with Two-factor authentication (2FA) via either an authenticator app or hardware key like the https://ausdroid.net/2022/02/18/yubikey-bio-series-australian-review/” target=”_blank”>Yubikey Bio.
If it’s possible, you should use one of these options rather than SMS for 2FA because the standard is so old and insecure. SMS can be read by your carrier and potentially, have either your messages intercepted or; in a worst-case scenario a SIM swap attack although there are safeguards in place against this within Australia now.
The important factor here is that even if your account is compromised through a data breach (or poor password practice) there is a second authentication point to gain access to the account.
Password management is something of an art form, where you need all of the right tools to get it right. If you’ve got dozens or potentially hundreds of passwords, it becomes more of a chore and the temptation for re-used passwords increases. Yes, it’s a cost but a password manager is a very good investment for your data security for a couple of reasons:
- It stores all of your passwords and only requires you to remember one, complex password
- Password managers have the capacity to generate random, secure passwords that meet your criteria
- Commercially available options also have 2FA to further secure your password database
- Password managers are able to alert you if one of your passwords has been compromised in a data breach, prompting you to change your password
Now is the time to start
So there’s a lot to think about and do if you’re not up to speed or your practices aren’t up to what is currently considered best practice. If you’re looking for a simple do and don’t do list on password and security options the TL:DR version is that you should use strong and unique passwords, use illogical sequences of letters, numbers and symbols or passphrases, have a minimum password length of 12 (the more the better) characters in your passwords and use 2FA wherever it’s available.
As for the don’t do list here are the things to avoid starting with never using information available on your social media, don’t reuse passwords and don’t use dictionary-based words or common passwords such as password, 123456, qwerty or 1q2w3e4r.
We’re keeping more and more of our lives on connected devices, not to mention access to our banking and other important personal information. It seems to be a common-sense approach to take the time to educate ourselves about and execute current best practices regarding passwords and online security.
