Person working on a laptop.

The complete guide to passwords: common password mistakes and how to keep your password secure

Did you know computer passwords were first developed at MIT in 1960 as a means of securing access to private files? The journey since then has been anything but unpredictable.

Passwords have evolved to be absolutely essential to our day to day existence while also being the most common attack vector for cyber breaches.

Keep reading to find out common mistakes we all make with passwords and how you can keep your passwords secure. Plus, we have 6 tips you can use to create more secure passwords!

Common password mistakes

Does the following list of the most common password mistakes sound familiar?

  1. Reusing the same password
  2. Only creating unique passwords for ‘high-risk’ accounts
  3. Not using password managers
  4. Creating simple passwords that contain personal information
Password mistakes to avoid

Do you feel overwhelmed by the number of passwords that you have to remember?

180 is the average number of passwords we need to remember for the various business accounts we use. It’s therefore easy to see why we use the same password for multiple sites.

80% of breaches, according to Verizon, are caused by weak or compromised passwords. So fixing this one issue alone can massively reduce the risks businesses and individuals face from the harm that can come from successful cyber attacks.

60% of cyber attacks are caused by human error. Either someone did what they shouldn’t be doing or didn’t do what they should be doing.

Many instances of human error involved phishing, where accounts were compromised. The breaches exploited our natural laziness with regards to passwords. The hackers were either given the passwords or they guessed them. In the knowledge that we often reuse passwords, they then proceeded to log into other sites with the same credentials.

It is quite easy and cheap to crack passwords via a brute force technique. The easier the password the quicker it is to crack.

What are the top 10 most common passwords?

It varies depending on the source of the data but what is common about the most common passwords is that they are simple and pretty easy to guess.

  1. 123456
  2. admin
  3. 12345678
  4. 123456789
  5. 1234
  6. 12345
  7. password
  8. 123
  9. aa123456
  10. 1234567890

The list above even includes passwords leaked in a data breach!

So, you can see that hackers’ jobs are pretty easy when users can’t even be bothered to write a complex password or change it when it’s been breached.

Keeping your passwords secure

Well, we all know why we don’t write complex passwords, it would be unsustainable to do so for 90 plus sites and remember them. Some people still write passwords on post-it notes and stick it on their computer monitor. Some of us write it down on a notepad or a notes application on our smartphone. These are all coping mechanisms to avoid overloading our memory.

A great solution for managing passwords nowadays is a Password Manager  – it’s all in the name. Password managers securely store passwords and can also generate complex passwords. This means that we don’t have to remember lots of complex passwords, just the main one that gets us into the password manager to retrieve the stored passwords.

This system could, however, still be vulnerable to attacks if the attacker can access the master password for the password manager. You therefore need to protect the password manager with a form of Multi Factor Authentication. Access is only granted if you have at least 2 methods of authentication, such as your password and a one-off token generated on your phone, as an example.

How do you create a strong password?

To avoid the risk of weak passwords increasing the vulnerability of your data there are some basic steps that can be taken to protect yourself and your business information.

7 tips for more secure passwords
  1. Never reveal your password to anyone – if anyone asks, it’s a scam or bad practice,
  2. Use different passwords for different accounts –  If one account is compromised, having unique passwords for other accounts ensures that the damage is contained. Consider using a reputable password manager to help you generate and store complex passwords securely.
    *Do NOT use Google or your browser’s password manager. If your Google account is compromised, all of your passwords will be too. Talk with your IT team about what password management tool they recommend for you and your organisation.
  3. Use MFA – this adds another layer of protection making it even more difficult to be breached. MFA typically involves combining something you know (your password) with something you have (like a code sent to your phone). Even if your password is compromised, MFA significantly reduces the chances of unauthorised access.
  4. Length versus complexity

    longer passwords are more difficult to compromise – try to use at least 16 characters. According to Hive Systems, brute-force hacking can crack an eight-character password in less than one hour! When creating a new password, consider using passphrases—sequences of random words or a sentence—which can be both strong and easier to remember. A random passphrase would be something like: cogwheel-rosy-cathouse-jailbreak.

    This passphrase was generated from the website useapassphrase.com, which will auto-create a four-word passphrase for you if you’re stumped.
  5. Make them complex – use special characters and numbers as well as letters. Avoid easily guessable information like birthdays, names or common words. The more intricate and unique your password, the harder it is for hackers to crack it.
  6. Use a password manager. You don’t have to try and remember every password, and you shouldn’t write them down on a sticky note on your desk. Instead, use a good password management tool that is secure and will handle keeping track of your passwords for you.
    Bonus points for turning off the auto-fill feature. Hackers can infiltrate sites and install a little bit of code on a page that creates a second, invisible password box. When your password manager autofills the login box, it will also fill in the invisible box, giving hackers your password. This isn’t overly common, but it still poses a risk.

So you created a strong password, now what?

Here are a few more tips to keep in mind.

Regularly Review Account Activity: Monitor your account activity for any suspicious logins or activities. Many online platforms offer features that notify you of login attempts from unfamiliar devices, allowing you to take swift action in the event of unauthorised access.

It’s also always good to be aware of phishing attempts, never click suspicious links or attachments in e-mails, avoid public Wi-Fi and only use secure connections and educate and train your team on what to look for when it comes to cyber crime so they can protect themselves, you and the company.

Set Up Strong Password Recovery Alternatives: Leverage password recovery options like security questions or alternative e-mail addresses. It’s important to choose questions with answers that are not easily guessable or have publicly available information so “What’s your mother’s maiden name” is out!

Update Passwords Yearly: As long as your account hasn’t been compromised, you only need to change your passwords once a year to minimize the risk of unauthorised access. The only time a regular password change routine would be exceptionally helpful is if someone has access that you don’t know about. A frequent password change can make it more challenging for attackers to maintain access to your accounts over an extended period of time.

What about passwordless authentication?

The replacement for bad passwords and bad practices is to eliminate passwords altogether by becoming passwordless.

This new technological approach requires the user to be authenticated via an authentication service on the basis of something the user has such as a phone or token and something the user is such as fingerprints, face, voice etc. Systems are increasingly being implemented that generate a one-time token or an email link each time a user wants to login to a site.

Passwordless authentication is more expensive to implement than a simple password based system but will become more common as costs come down. Also, they are definitely a lot safer.

Need help mastering the fundamentals of cyber security?

As cyber threats continue to evolve, we may see a pivot to behaviour based authentication. Users will be authenticated via biometrics in a low friction way so as not to hinder transactions while enforcing higher levels of security.

Until then, organisations need to make informed choices and stay proactive to significantly enhance their online security, but don’t forget that nothing is foolproof.

Educating your team on cyber security best practices is essential, but mistakes can and will still happen. For most, it’s not a matter of if, but when. You must have a robust cyber security plan in place. The right IT team will make sure you have every protection in place to keep you safe and a crisis management plan ready if something goes wrong.

To find out what gaps you have in your cyber security system, we’ll do a FREE Cyber Security Risk Assessment. Click here to book yours now.

References

Leave a comment

Your email address will not be published. Required fields are marked *