Username and Password Security Tips
Context – why strong usernames and passwords are important
Passwords, passwords, passwords. We need them for everything these days from getting into our phones and computers to accessing software and logging into websites. Passwords are a useful security measure to ensure access to sensitive or personal information is controlled – BUT with every platform having differing requirements for password complexity, it can become an unwelcome hurdle and it's easy to become lax about choosing and storing strong passwords. Alongside our expert engineers, we've put together these useful tips to help you create strong passwords and a good culture for password security within your business.
Default usernames and passwords – what they are and why you should change them
Computers, routers and new bits of kit like firewalls often come with a default username (like 'admin') and a password which can be as easy to guess as 'password'. In the case of some D-Link routers the admin password is even left blank, so getting into it is child's play. It's important to change the default username and password for every part of your network to create an initial deterrent for opportunistic hackers. Failing to change the default settings suggests that security is not your priority – so once hackers are through the first barrier they are more likely to see you as a good target. The good news is that changing default settings is easy on pretty much every device other than a Sky Q router (where you have to call Sky to get the settings changed). This is one security measure that takes five minutes to do and is more than worth the time.
Types of password attack
Password-protected systems are hacked in these three main ways:
Professional brute force attacks are commonplace and as simple as they sound: someone tries different passwords until they hit on the right one and can access your account. If you've used the same password across multiple accounts the hacker will often then try the same password across different platforms to gain access to your email, social media accounts like Facebook, iCloud or online storage, banking details and more. These attacks may be unsophisticated or they may use computer software that runs through hundreds of password options in a matter of minutes.
A dictionary attack differs from a brute force attack as it only runs through likely password possibilities, for example words from the dictionary. A common trait when choosing passwords is to select a word and potentially append a digit or special character. Dictionary attacks work through these lists systematically until a correct password is found.
Keylogger hacking is the most successful form of password attack, but it is more complex to execute. A keylogger is a piece of code installed on a phone, tablet, laptop or desktop computer that records every keystroke made on that device. This data is then transmitted back to the hacker – so he or she can read every word you type, including passwords. Your details can then be used to access any account you've typed the login details for. It doesn't matter how strong your password is if you end up with a keylogger on your device, because it will simply be transmitted to the hacker. The only way to get around a keylogger attack is to have two-factor or multi-factor authentication, so that even if someone else gets hold of your password, they need to pass a secondary round of security to access your accounts.
Common password choices – what to avoid
When choosing passwords, avoiding obvious words and numbers is key – as is avoiding writing them all down in a list on your desk, or sticking them to your computer screen to make life easier when you log onto your desktop at 9am.
In 2017, these were the Top 11 most commonly used passwords:
Most of these are sequential in some way – consecutive letters or numbers on a keyboard. 'password' and '123123' are often default passwords too. If you're using any of the following to form your password, you might also want to consider changing it straight away:
- Your name or date of birth in any format
- Your partner's/child's/sibling's names or dates of birth
- Your pet's name (really)
- Your wedding date
- Your company name.
These are still easy to guess even if you switch a letter for a number and append a number and/or special character. They are particularly easy to crack if you factor in how common social engineering is and how much of our lives we put online these days. Unless you're a spy, chances are anyone can find out at least your date of birth and the names of your family, so don't be an easy target and strike those off as possible password options.
Password complexity – how to create strong passwords
A good password is made up of a number of different components, of which complexity is one (meaning upper and lowercase letters, numbers and special characters). The trick to a good password is making it easy for you to remember (so you don't have to write it down everywhere) but tough for other people to guess.
Good options can be taking a song title, phrase or list of friends' names and combining the first letter of each word in upper and lower cases and switching some for numbers. For example, if you like Marvel Comics movies, you could opt for Mth0RAd3adp00L!Vr0nManEL. To you it will make perfect sense (if your brain works that way) but to a password-cracking programme or dictionary attack it will be unintelligible. Bear in mind this is NOT the same as choosing a single word, changing one of the 'O's to a zero and sticking a number on the end – see 'Common password choices – what to avoid' above.
If your company doesn't have a password policy, it's something worth implementing as soon as practicable. You can call AAG on 0114 399 0995 for a discussion about your organisation's security and software to support an easy-to-follow password policy. Our top tips are:
- Change all default login details, including for any internet-enabled printers and peripherals which can be easy routes into a network
- Set a minimum password length of 8 or more alphanumeric characters
- Strongly advise against using personal details including family names or dates of birth
- Do not allow consecutive or repeated strings of letters or numbers
- Encourage two-factor authentication where possible
- Have a good backup policy to recover data if your network is hacked.
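As an added example (not AAG's software or code from this article), here is a Python policy checker that applies the tips above and also flags the 'single dictionary word with digits swapped in and a number stuck on the end' pattern that the dictionary-attack section warns about. The common-password and dictionary lists are short constructed stand-ins for the real lists a company would load from files.

```python
import re

# Constructed stand-ins for real lists: the most common passwords, and plain dictionary words.
COMMON_PASSWORDS = {"password", "123123", "123456", "qwerty", "letmein"}
DICTIONARY_WORDS = {"password", "thor", "deadpool", "ironman", "welcome", "summer"}
# Undo the usual letter-for-number swaps so 'Passw0rd' is still recognised as 'password'.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm",
                 "0123456789", "abcdefghijklmnopqrstuvwxyz")

def has_sequence(pw, run=4):
    """True if pw contains `run` consecutive keyboard/alphabet characters, forwards or backwards."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            chunk = row[i:i + run]
            if chunk in low or chunk[::-1] in low:
                return True
    return False

def has_repeat(pw, run=3):
    """True if any character is repeated `run` or more times in a row (e.g. 'aaa')."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None

def is_word_plus_suffix(pw):
    """One dictionary word, possibly leet-swapped, with trailing digits/symbols ('Passw0rd1!')."""
    core = re.sub(r"[\d\W_]+$", "", pw.lower())  # drop trailing digits and symbols
    return core.translate(LEET) in DICTIONARY_WORDS

def check_password(pw, personal_details=()):
    """Return the policy rules `pw` breaks (empty list = accepted).
    personal_details: names, dates of birth, company name supplied for this user."""
    low = pw.lower()
    problems = []
    # 'minimum 8 alphanumeric characters' read as: at least 8 chars, with both letters and digits
    if len(pw) < 8 or not re.search(r"[A-Za-z]", pw) or not re.search(r"\d", pw):
        problems.append("shorter than 8 characters or missing letters/digits")
    if low in COMMON_PASSWORDS:
        problems.append("appears in common-password list")
    for detail in personal_details:
        if detail and detail.lower() in low:
            problems.append(f"contains personal detail '{detail}'")
    if has_sequence(pw):
        problems.append("contains a consecutive keyboard/alphabet sequence")
    if has_repeat(pw):
        problems.append("contains a repeated character run")
    if is_word_plus_suffix(pw):
        problems.append("is a dictionary word with digits/symbols appended")
    return problems
```

The article's own example, Mth0RAd3adp00L!Vr0nManEL, passes every rule, while Passw0rd1! is caught by the dictionary-word check even though it satisfies the length and character-class rules.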
Image credit: https://xkcd.com/936/