Improve your cybersecurity posture – stop reusing insecure passwords!

22 Jun 2023, by Slade Baylis

Worryingly, it seems that every few months a different organisation is featured in the news after being hit by a new cyber-attack and having its own data and/or the data of its clients stolen.  In these attacks, one commonly mentioned “attack vector” (the term for the way the organisation was compromised) has been stolen login credentials combined with the lack of two-factor authentication.

We’ve mentioned the importance of two-factor authentication in our recent article “Concerned about all the recent data breaches? Use these tips to protect yourself!”, but one area we haven’t yet covered is best practice around passwords and password handling.

So that’s what we’ll be covering this month!  We’ll discuss the problems with common approaches to passwords, the ways to reduce the likelihood of your online services being broken into, and how to ensure that the passwords you do set are more secure!

One password to rule them all – The dangers of using one shared password across services

Most people are aware that using one password across multiple providers isn’t advisable.  The reason isn’t hard to understand: if (or when) one of those providers’ systems is broken into, the malicious third party that broke in now has the ability to access any other service on which you used that same password!

Even though this is relatively well known, it’s unfortunately still common practice.  As reported by TechRadar back in 2021 [1], the cybersecurity firm TheHackShield found in its poll of 2,200 UK adults that around two-thirds of people often reuse the same password across multiple services, and even create passwords that are relatively easy to guess with a little social engineering.  The reason given was that most people were afraid of forgetting new passwords and so ended up relying on the few passwords they already had memorised.

In addition to the risk of having your password stolen when one of your providers is breached, a single shared password also makes you more vulnerable to “brute forcing”: the process of guessing someone’s password by repeatedly trying to log in with different passwords until the right one is found.  If this were a manual process, the attack would be almost impossible; however, automated tools can attempt new passwords at a rate of thousands per minute or more.

Luckily, most online services have protections against this sort of attack, a common approach being to lock people out if they attempt to log in incorrectly too many times in a row, or too quickly.  However, if you use the same password on many different services, the likelihood that at least one of them does not adequately protect you from this sort of attack increases.  Given these risks, it’s important to protect yourself by using a separate password for each service that you use online, as this limits the potential impact should any one of those services be compromised.
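To make the two lockout rules above concrete, here is an added example (not code from the original article) of a small login guard that replays constructed login events and locks an account either after too many consecutive failures or after too many failures inside a short window; the thresholds and the account names are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

# Policy thresholds: assumed values for this example, not taken from the article.
MAX_CONSECUTIVE_FAILURES = 5   # "too many times in a row"
MAX_FAILURES_IN_WINDOW = 3     # "too quickly": more than this many failures ...
WINDOW_SECONDS = 10            # ... inside this many seconds

# Constructed sample login events: (timestamp in seconds, account, success).
SAMPLE_EVENTS = [
    # alice: slow, patient guessing - five failures in a row, spread out
    (0, "alice", False), (15, "alice", False), (30, "alice", False),
    (45, "alice", False), (60, "alice", False),
    # bob: one typo, then a successful login - should never be locked
    (10, "bob", False), (12, "bob", True),
    # carol: fast alternating attempts - four failures inside ten seconds
    (20, "carol", True), (21, "carol", False), (22, "carol", True),
    (23, "carol", False), (24, "carol", True), (25, "carol", False),
    (26, "carol", True), (27, "carol", False),
]

class LoginGuard:
    """Tracks failed logins per account and applies both lockout rules."""

    def __init__(self):
        self.consecutive = defaultdict(int)        # failures since last success
        self.recent_failures = defaultdict(deque)  # failure timestamps per account
        self.locked = {}                           # account -> reason for lock

    def record(self, ts, account, success):
        """Record one login attempt; returns the lock reason, or None if not locked."""
        if account in self.locked:
            return self.locked[account]
        if success:
            self.consecutive[account] = 0          # a real login resets the streak
            return None
        self.consecutive[account] += 1
        window = self.recent_failures[account]
        window.append(ts)
        while window and ts - window[0] > WINDOW_SECONDS:
            window.popleft()                       # drop failures older than the window
        if self.consecutive[account] >= MAX_CONSECUTIVE_FAILURES:
            self.locked[account] = "too many consecutive failures"
        elif len(window) > MAX_FAILURES_IN_WINDOW:
            self.locked[account] = "too many failures too quickly"
        return self.locked.get(account)

def replay(events):
    """Feed events through the guard and return which accounts were locked and why."""
    guard = LoginGuard()
    for ts, account, ok in events:
        guard.record(ts, account, ok)
    return dict(guard.locked)
```

Running `replay(SAMPLE_EVENTS)` locks alice under the consecutive-failure rule and carol under the rate rule, while bob's single mistake is forgiven.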

So using a different password for each service is the solution to these issues.  However, this introduces another problem: how can one possibly remember them all?  This is especially difficult given that many people have hundreds of different accounts (or more) to keep track of, and even the average person is likely to have at least a dozen.

We wouldn’t recommend writing them down or storing them on your computer in “plain text” (that is, in non-encrypted form), as doing so introduces other risks, such as having them stolen.  The good news is that there is a convenient solution to this problem: a “password manager”.

Password Managers - How to use a different password for each online service without losing your mind

Today there are many different options for password managers, though at a high-level they all aim to solve one single problem, which is to allow users to use different, secure passwords for all the services that they use.

As a brief introduction, a “password manager” is a service that stores all of your passwords within a secure, encrypted virtual “vault” whose contents only you can access.  The vault is secured using modern encryption that only releases its contents when you provide a “master password”, which acts as the key to unlock it.  This reduces the number of passwords you need to remember to just one, though the importance of that one password is much greater, as it can be used to access all your other passwords.

As mentioned, there are many password managers out there, all of which have their own benefits and drawbacks: some are costlier but easier to use, whereas others are slightly harder to use but cheaper (or in some cases free!).  Some of the most commonly used (and often touted as the best) are Bitwarden, 1Password, Dashlane, and KeePass.  Bitwarden specifically is an open-source application that’s completely free; not only that, it even comes with the ability to self-host your vault for the technically minded and privacy-focused user.  As another alternative, Dashlane’s Premium plan also includes a VPN service, allowing you to increase your online security in more ways than one.

Overall, each of these services is built to let you access your password vault anywhere, by storing your encrypted vault in cloud-based storage that you can reach from your desktop, tablet, or mobile devices.  Not only do these services let you access your passwords from those devices, most will also auto-fill your login details into your online services, meaning you can log in within a few clicks rather than copying those details yourself each time.

These services also usually come with other security features that can help protect you. These include: password generator tools that can help you generate random passwords; warnings if the password you are about to use has been found on the dark web; and the ability to share passwords with others within your organisation securely.  Overall, with all these benefits, and the ability to have a privately-hosted vault if required, there is little reason not to use a password manager!

Whilst we don’t officially endorse these services, our staff do use them, or similar ones, personally on a day-to-day basis to keep themselves secure.  It’s important to do your own research and only use a password manager that you feel comfortable with, especially if it is cloud-hosted.

For organisations that require it, many password managers offer the option to host your vault privately within your own infrastructure, which can potentially make your vault more secure.  For example, the previously popular password manager LastPass made headlines recently when it was discovered that their cloud-hosted vaults had been stolen by malicious third parties.  In that case, the vaults were still encrypted and thus likely secure where users had chosen strong master passwords, but it still highlights the risk that exists with cloud-hosted options.  This should be kept in mind when weighing cloud-hosted against privately hosted password manager vaults.

There is one question often raised when talking about password managers: since they still require you to use and remember one password, the master password used to access your vault, what should you keep in mind when setting that password?  Given that it’s effectively your “skeleton key” with access to everything you do online, you’ll want to make sure it’s a strong one, but what does that mean exactly?

Setting a strong master password – Things to keep in mind to make sure your password is secure

As you can probably intuit, at a basic level a longer password is usually more secure than a shorter one, as it’s harder for both humans and malicious programs to guess; however, that’s not always true in practice.  If a password is so long that you can no longer remember it, you’ll feel the need to record it somewhere, which can actually make you more vulnerable.  Given this, password complexity needs to be balanced with memorability for it to be both useful and secure.

One way to increase the complexity of your passwords and actually make them more memorable at the same time is to use passphrases rather than passwords.  This was the topic of an older internet-famous XKCD comic, in which the author joked that IT professionals have successfully spent the last 20 years training people to use more insecure passwords!  In essence, a passphrase uses four or more separate words as your password, rather than a single word with numbers and symbols mixed in.  The latter is much harder to remember, whereas the former is much easier, as people can often use mnemonic devices to help remember it.

In fact, passphrases are so much more secure than passwords that the ACSC [2] (the Australian Cyber Security Centre) has recommended that everyone switch over to them.  They state that a passphrase of four or more random words that is at least 14 characters long makes your accounts much harder to crack and is an easy win for improving your cybersecurity.  With all that in mind, we recommend using or incorporating a passphrase in the master password you use to access your password vault.
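The XKCD argument and the ACSC guidance above can be worked through numerically.  The following added example (not from the article or from the ACSC) generates a random passphrase with a cryptographic random source, checks it against the “four or more words, at least 14 characters” guidance, and compares the guessing entropy of different generation methods; the tiny wordlist, the 7,776-word diceware-style list size and the 65,536-word “common vocabulary” size used in the comparison are assumptions chosen for illustration.

```python
import math
import secrets

# Constructed miniature wordlist for the demo; a real diceware-style list has thousands of words.
WORDLIST = ["correct", "horse", "battery", "staple", "anchor", "velvet", "meadow", "copper",
            "lantern", "orbit", "pebble", "saddle", "timber", "walnut", "yonder", "zephyr"]

def generate_passphrase(words=4, wordlist=WORDLIST, sep=" "):
    """Pick words uniformly at random with a CSPRNG (secrets), joined by sep."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))

def meets_acsc_guidance(passphrase, sep=" "):
    """ACSC guidance as quoted in the article: four or more words and at least 14 characters."""
    words = [w for w in passphrase.split(sep) if w]
    return len(words) >= 4 and len(passphrase) >= 14

def random_choice_bits(choices, count):
    """Entropy in bits of `count` independent uniform picks from `choices` options."""
    return count * math.log2(choices)

def compare_generation_methods():
    """Entropy depends on how the secret was generated, not just on how it looks.

    Three assumed models:
      - a single common word (from an assumed 65,536-word vocabulary) plus one digit
        and one symbol from 33 punctuation characters: the pattern XKCD mocks
      - 8 fully random printable-ASCII characters (95 symbols)
      - 4 and 5 random words from an assumed 7,776-word diceware-style list
    """
    word_digit_symbol = (random_choice_bits(65536, 1) + random_choice_bits(10, 1)
                         + random_choice_bits(33, 1))
    return {
        "word+digit+symbol": round(word_digit_symbol, 1),
        "random_8_chars": round(random_choice_bits(95, 8), 1),
        "passphrase_4_words": round(random_choice_bits(7776, 4), 1),
        "passphrase_5_words": round(random_choice_bits(7776, 5), 1),
    }
```

The comparison shows that four random diceware-style words (about 51.7 bits) are in the same league as eight fully random characters (about 52.6 bits) while being far easier to remember, and both are well ahead of the familiar word-plus-digit-plus-symbol pattern (about 24.4 bits); adding a fifth word pushes the passphrase past 64 bits.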

It’s also important to mention here the other primary benefit of password managers: they allow you to use much more secure passwords for all of the services you use online.  Using the previously mentioned password generators, you can set complex passwords for every service without the drawback of needing to remember them.  For this reason we highly recommend using these tools to create adequately complicated passwords for every service you use.

For those interested in the topic of passwords, we also have an Escrow tool available for the public to use.  In some cases it’s necessary to share passwords with others, such as when migrating from one hosting service to another, and this tool can be used to do so securely.  It lets you save a password behind a one-time link that you can share with others, with that link only being accessible once.  This lets you share passwords via email and other communication mediums without worrying about them being stored in plain text in your mailbox or in a database indefinitely.

Have any questions about the best way of using password managers?

If you are looking to find out the best and most secure way to use password managers within your organisation or for personal use, reach out to us!  We can give guidance on the best ones to use and how to implement them securely.

You can email us at sales@micron21.com or call us on 1300 769 972 (extension #1).

Sources

[1] TechRadar, “Most people reuse the same three awful passwords – here’s why that’s a problem”, <https://www.techradar.com/news/most-people-reuse-the-same-handful-of-passwords-heres-why-thats-a-problem>

[2] Australian Cyber Security Centre, “Why it’s time to ditch your one password for passphrases”, <https://www.cyber.gov.au/about-us/news/ditch-password-for-passphrases>
