By Rudra Srinivas
The National Cyber Security Centre (NCSC) of the United Kingdom recently warned citizens to use stronger, unique passwords after releasing a file containing the 100,000 most commonly hacked passwords from the “Have I Been Pwned” data set. With unprotected databases and online services being breached so often, passwords leaked or stolen in data breaches pose a severe threat to users who keep reusing weak passwords.
Practicing good password hygiene is one of the most essential security measures for deterring online intruders. Most people choose passwords based on how easy they are to remember rather than on how secure they are. With rising concern over data breaches, organizations must encourage employees to follow the necessary password protection measures to avoid a cybersecurity mishap.
We list six essential password security measures that strengthen data security:
1. Using Two-Factor Authentication
Two-factor authentication (2FA) adds an extra layer of security by requiring an additional step before the user is logged into the account. In 2FA, the user receives an OTP (one-time password) via text message or email and must supply it for verification, ensuring that only the right people gain access.
However, most websites let users mark a device as trusted the first time it is validated. This overrides 2FA for trusted devices, and from then on the account can be accessed with only the password. This is convenient, but it is bad for security: if you override 2FA for a trusted device, you are leaving your accounts more exposed to attackers.
2. Use Passphrases Instead of Passwords
According to the NCSC, the most commonly hacked passwords globally were “12345,” “123456,” “123456789,” “abc123,” “qwerty,” “1111111,” and even the word “password.” Cybercriminals use advanced cracking tools that can break even complex passwords, so be creative and choose passwords that are genuinely hard to guess.
Using a passphrase instead of a password gives your account the strongest protection. Make sure the passphrase you choose is both easy to remember and complex. Pick a line from a favorite song or quotation, but preferably not a well-known one that someone who knows you could simply guess.
For instance, a passphrase such as “I Love My Job 100%” is easy to remember, meets typical complexity requirements (numbers, mixed letter case and special characters), and is hard to crack, because most password-cracking tools break down at 10 characters.
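The NCSC list above is the kind of corpus a sign-up or password-change form should screen candidates against. The following added example (not code from the article or from NCSC/Have I Been Pwned) shows the k-anonymity style of check the Pwned Passwords service popularised: only the first five hex characters of the SHA-1 hash leave the client, and the suffix is matched locally. The breach corpus, its occurrence counts, the `range_lookup` stand-in for the remote API and the 12-character minimum are all constructed assumptions for the example.

```python
import hashlib

# Constructed mini breach corpus: passwords named in the article, with made-up
# occurrence counts. A real deployment would index the full NCSC/HIBP list.
LEAKED_SAMPLE = {"123456": 5, "password": 4, "qwerty": 3, "abc123": 2, "12345": 1}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the digest form the Pwned Passwords range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_ranges(corpus: dict) -> dict:
    """Index the corpus by 5-hex-char SHA-1 prefix -> {35-char suffix: count}."""
    ranges: dict = {}
    for pw, count in corpus.items():
        h = sha1_hex(pw)
        ranges.setdefault(h[:5], {})[h[5:]] = count
    return ranges


RANGES = build_ranges(LEAKED_SAMPLE)


def range_lookup(prefix: str, ranges: dict = RANGES) -> str:
    """Stand-in for the remote range query (assumed, not the real API client):
    only the prefix is sent, and the reply lists every 'SUFFIX:COUNT' under it."""
    return "\n".join(f"{s}:{c}" for s, c in ranges.get(prefix, {}).items())


def pwned_count(password: str, ranges: dict = RANGES) -> int:
    """k-anonymity check: query by the 5-char prefix, match the suffix locally."""
    h = sha1_hex(password)
    for line in range_lookup(h[:5], ranges).splitlines():
        suffix, _, count = line.partition(":")
        if suffix == h[5:]:
            return int(count)
    return 0


def check_password(password: str, ranges: dict = RANGES, min_len: int = 12) -> list:
    """Return the reasons a candidate should be rejected (empty list = accept)."""
    problems = []
    seen = pwned_count(password, ranges)
    if seen:
        problems.append(f"appears in breach corpus ({seen} occurrence(s))")
    if len(password) < min_len:  # assumed policy threshold, not from the article
        problems.append(f"shorter than {min_len} characters")
    return problems


if __name__ == "__main__":
    for candidate in ["123456", "I Love My Job 100%"]:
        print(candidate, "->", check_password(candidate) or "ok")
```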
3. Observe Proper Web Security
With hackers using advanced tools to steal data, it is imperative to follow the right web security measures. The most common method hackers use for identity theft is sending phishing emails or malicious links. Build a defense by installing reputable antivirus and anti-malware software on all your devices, and make sure you update these applications regularly for complete protection.
4. Avoid Reusing Passwords
A recent study by the Microsoft threat research team revealed that 44 million users were reusing their usernames and passwords. The survey also showed that the largest share of passwords were weak and had been in use for a long period.
Using one password for several accounts might seem convenient, but a breach of one account then exposes every other account that shares the password. Even if your password is strong, use a different one for every account, and change your passwords regularly.
Don’t use personal information (your name, the names of your spouse, children or pets) as a password, because the people who know you know these details too. Use a different combination of phrases for every account.
If you find it difficult to remember multiple passwords, then use a password manager application.
5. Protect Your Password List
With multiple accounts and passwords, people tend to keep them all in one list. Make sure that list is stored securely so that nobody else can access it, and hide any physical records that contain passwords. If you ever have to share credentials with a colleague, for example to retrieve an important file, change the password as soon as possible afterwards.
6. Don’t Mix the Business Email Account with Personal
According to Microsoft, 30 percent of reused or modified passwords can be cracked within just 10 guesses. This puts users at risk of a breach replay attack: attackers who obtain leaked credentials try the same credentials against accounts on other services.
Using a single email account for both business and personal correspondence is not recommended, because one cracked password can then cause massive data loss. Separate accounts let you keep all work email in a single work account, friends-and-family correspondence in a personal account, and a recreational account for the various website registrations.
Rudra Srinivas is part of the editorial team at CISO MAG and writes on cybersecurity trends and news features.