We all know about password security, right? But how seriously do we take it?
The article that prompted this post highlighted some startling facts, not only about how seriously end users take their password security but also about how seriously software manufacturers enforce it.
We all know the general rules of password creation.
- Have a minimum of 8 characters.
- Use at least one upper case character and at least one lower case.
- Include at least one numeric character and at least one special character, e.g. @.
But as hackers get more advanced, there are other things that we should all remember to consider.
Beware of the social information available that may help people discover what your password is!
Many people use things related to themselves as passwords, e.g. children's names or pets' names. But this information can often be gleaned from various sources - especially social media. Even replacing characters with numbers or symbols is not as safe as it used to be. Most people these days understand the tactic of replacing a with @, or i with ! or 1, etc., so hackers have no trouble applying the same substitution logic when guessing.
Then we come to the sharing issue...
What happens if passwords or login details are shared between people, or if people re-use the same password in multiple places? Problems.
Our memories aren't up to remembering everything.
A lot of us haven't got a memory that can store multiple complex password combinations and the usernames to which they are linked, so we just use the same one or two all the time. The problem with this is that once someone has worked out that password, they can potentially access anything you usually sign in to.
Many applications share data as well.
How many of us have apps on our phone that ask our permission to access our Facebook? Can we be sure that this tool is not sharing our login details? In most cases this is perfectly safe: the app is granted access through a separate authorisation mechanism rather than being given your login details. But always think twice when an application asks for access to anything requiring you to log in.
Another point to consider is your username.
Just using your name as a username can give away a great deal of information about you. It makes it easier for hackers to work out who you are and increases their chance of determining your password. Seriously!
And there's the software validating your login...
We then come to the software itself that validates your login details. It is my belief that any application should enforce the minimum general password rules, but there are many out there that don't. This means that it is easy to create a very insecure password.
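As an added example (not code from the original post), here is what enforcing the minimum rules listed above might look like at registration time, plus a check for the substitution tactic described earlier: the candidate password is normalised (@ back to a, ! or 1 back to i/l, and so on) and compared against words an attacker could glean from social media and against common passwords. The substitution table, the personal-info list and the common-password list are constructed for illustration.

```python
# Minimum rules from the post: 8+ characters, upper and lower case,
# at least one digit and at least one special character.
SPECIAL_CHARS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")

# Common substitutions attackers already reverse. Constructed, illustrative
# table: "1" is mapped to "l" here (it could equally stand for "i").
SUBSTITUTIONS = str.maketrans({
    "@": "a", "4": "a", "3": "e", "!": "i", "1": "l",
    "0": "o", "5": "s", "$": "s", "7": "t",
})


def normalize(text):
    """Undo common character substitutions and lowercase: 'P@55w0rd' -> 'password'."""
    return text.translate(SUBSTITUTIONS).lower()


def check_policy(password):
    """Return the list of violated minimum rules (empty list means compliant)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper case character")
    if not any(c.islower() for c in password):
        problems.append("no lower case character")
    if not any(c.isdigit() for c in password):
        problems.append("no numeric character")
    if not any(c in SPECIAL_CHARS for c in password):
        problems.append("no special character")
    return problems


def find_guessable(password, personal_info, common_passwords):
    """Return the guessable word the password is built on (after undoing
    substitutions), or None. Both sides are normalised the same way, so
    'L3tM3!n#99' is caught by a block-list entry of 'letmein'."""
    norm = normalize(password)
    for word in list(personal_info) + list(common_passwords):
        w = normalize(word)
        if len(w) >= 4 and w in norm:
            return word
    return None


def assess(password, personal_info, common_passwords):
    """Combine both checks: (policy problems, guessable word or None)."""
    return check_policy(password), find_guessable(password, personal_info, common_passwords)


if __name__ == "__main__":
    # Constructed sample data: a pet's name from a public profile and two common passwords.
    print(assess("P@55w0rd", ["Fluffy"], ["password", "letmein", "12345"]))
```

Note that "P@55w0rd" passes every minimum rule yet is flagged as "password" in disguise, which is exactly the gap the rules alone leave open.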
In the company I work for we are ISO 27001 certified for Information Security Management, so we have to develop and design our software to ensure security is built in - but not all software companies behave this way.
In short, think safe and be safe with your login details.
I suggest getting a password store or vault application so that you can use numerous passwords and have a safe central location for you to access those details.
We know people generally suck at choosing passwords, often using "12345" or "letmein." But what passwords and usernames do attackers try most often? This analysis from information security firm Rapid7 shares some interesting details.