Password security is crucial!
I am often accused of being too paranoid, but the truth is, I just take good precautions and ones that we should all take. Password security is a lot easier than you might think and can actually make your life easier.
As a web developer, I’m often assisting clients with various activities which require their passwords. All too often I nearly fall off my chair when they tell me their password is abc123… This is when I begin my usual education session with them.
The most common response I hear when I highlight how insecure their passwords are is:
We’re too small, who would be interested in hacking us?
If you are a non-profit or a small business (or anyone really) and you have had this thought, consider this:
- Hackers are after data
- Hackers like soft targets
…let that sink in for a bit…
As a non-profit you most likely have A LOT of sensitive data from Donors, Volunteers, Grant Makers, Clients, Partner Organisation, Staff… the list goes on.
Also, as a non-profit:
- you most likely don’t have a large budget.
- You most likely don’t have a dedicated IT team.
- You most likely spend much more time thinking about social good and making the world a better place than you do about internet security.
Given this, It is highly likely that you are an easy, soft target with volumes of data. Exactly what a hacker is looking for.
So why do hackers hack.. what do they do with your data.
- They may hold it to ransom, making you pay in order to regain access to your systems.
- They may sell it to other shady characters online.
- They may steal your identity.
- Or they may do it ‘just because they can’.
No matter why, the impact to your organisation and those you do business with can be crippling!
So the real question you should be asking yourself is not “why would someone want to hack us” but:
what impact would it have on our organisation if we had a security breach and can we afford not to take password security seriously?
Breached passwords are one of the most common reasons for data loss through “hacking” and yet is also one of the easiest things to secure.
Top 5 list of the worst password habits we’ve all had at some point
…(be honest 🙂 )
Using Insecure Passwords
What does this mean?
Well if you’ve ever found yourself using something like Wednesday2019! or your pets name and your kids’ name and/or birthday, then yes, I’m talking about you!
Words, no matter how obscure you think they are, are not secure as passwords. Maybe no one knows your dogs’ name is “Daisy”, but daisy is just a word and as such is going to be easily defeated by a simple dictionary attack in a matter of seconds or less.
Many users believe they are making their passwords secure by doing one or more of the following;
- Using capital letters
- Swapping letters for numbers
- Swapping numbers of special characters
- Putting a number (like a birth year) at the end
While using caps, special characters and a mix of lower and upper case are all good practice, if you do so while using a regular word – IT IS NOT SECURE.
Swapping an O for an 0, or replacing a 1 with ! or putting a capital letter at the start or end are all very common practices that hackers are very much aware of.
The tools that hackers use to perform brute force or dictionary attacks allow them to input variants, such as symbols, dates numbers etc as well as a list of words. These tools can quickly enumerate through hundreds of thousands of possible words in combinations with other information they either know about you, or simply other information like the current month, year etc and commonly used passwords and variants thereof. They will also include all the common practice variants mentioned above and in doing so will crack your plain English-word password in a matter of minutes or less!
Your passwords should be at least 8 characters long and completely random, while also using a combination of letters, numbers and special characters.
Here’s is a solid example of a secure password. (obviously, don’t use this particular one…)
Yes, I can hear you saying “well how am I supposed to remember that”! But don’t stress because the answer is at the end of this article.
Hands up if you have the same (or very similar) passwords for multiple applications, computers, social media accounts, bank accounts, phones etc?
In doing so, you are exponentially increasing the damage that could occur if a hacker was to gain access to one of your accounts.
You are also greatly increasing the chances of being hacked. A data-breach in another company that you have an account with could expose your password. Hackers will then try this password on other accounts your hold putting you at much greater risk.
All your passwords should be unique. This means if one account is hacked, the hackers do not automatically have access to all your other accounts and data.
Storing passwords in plain text in files or on paper
If you are currently sitting in your office reading this and you have a post-it note stuck on your monitor with your password on it, take 5 minutes to think about all your donors, volunteers, partners, funders, clients and staff and ask yourself the same question posed at the beginning of this article:
what impact would it have on our organisation if we had a security breach and can we afford not to take security seriously?
Storing passwords in plain text, whether it’s written on the back of your diary, or in an “obscurely” named spreadsheet on your computer is a terrible idea. Passwords should always be stored in a secure encrypted format.
..Actually, for ultimate security, passwords should not be stored anywhere except in your memory, however for all practical purposes that is not going to happen so read on to find out how you can store your passwords securely.
Keeping the same password for long periods of time
Keeping passwords for long periods of time increases the likelihood that your password will be compromised. If an attacker is targeting an individual, over time they will build up more and more information about that individual. This information can help to crack insecure passwords and allowing attackers more time to do so is not a good idea.
In addition to using secure passwords, changing your password regularly reduces the chances of being hacked. It will also reduce the likelihood of your current passwords appearing on lists circulating around the web from data-breaches that might occur at other organisations where you have accounts.
Using ‘remember me’ or storing credentials in browsers
Arrrrghh – no, just don’t do it.
It may be very convenient to click the ‘remember me’ button when you log into your bank account or your social media account, but what does this really do? What you are really doing is ensuring that anyone who gets access to your computer, either directly or with malware also has access to your bank accounts and other personal accounts without breaking a sweat.
Online security is a balancing act. Being as safe as you can -v- convenience. As long as you are connected to the internet, there is no such thing as 100% secure but not being the lowest hanging fruit is a good place to start as that is where hackers usually go first.
That’s the end of my top 5 list and to summarise what we’ve learned, here’s how you and your staff SHOULD use passwords in order to protect the data you hold:
- Always use secure, randomly generated strings of letters numbers and special characters, at least 8 long. Never use real words no matter how obfuscated you think they are.
- Always use unique passwords for all accounts you have.
- Always store passwords securely (Encrypted using modern Cryptographic techniques).
- Always update your passwords regularly. Every day would be ideal, but every 3 months is a reasonable balance between convenience and security.
- Always sign out of online applications when you having finished your session.
Ok, so how do we do all this without breaking our memory cells and becoming cryptography experts…
The simple solution? Password Managers.
Password managers are very useful tools that will not only make your life online a lot more secure; they will make your life a lot easier. Gone will be the days of clicking ‘forgot password’, or desperately digging into the depths of your memory for the username/password combination to that critical site you only use once a year.
In simple terms, a password manager is an encrypted vault in which you can store all your credentials for every website or application that you use.
While different password managers will offer slightly different features, features they generally have in common are;
- One click STRONG password generation – you don’t need to come up with a password anymore, they will do this for you using long random strings of symbols, numbers upper case, lower case.
- Autofill credentials – once you unlock your password manager using your master password* it will autofill (or even navigate to and autofill) your credentials into the site you are logging into.
- Prompt to save new logins – When you create a new account somewhere online, after using the password generator in your password manager and creating your account, your password manager will ask you if you want to save the account credentials.
- Syncing across platforms – Create a new account on your computer and have the credentials automatically sync to your mobile device
- Password Audit – Your password manager can tell you how old each of your passwords is, provide notifications to change weak and old passwords and help you to easily cycle them to a new, random strong password.
There are many other benefits to password managers as well such as storing secure notes, or credit card details. Depending on the product you choose they can also work well with teams, providing central control of passwords and administering permission of team members.
It’s easy to underestimate how many different accounts you end up with after doing a few things online. Just think about every social media service you have an account for, every store you ever ordered something from, every email account, every forum, every government service, every other business you interact with etc. Attempting to remember unique and secure passwords (and usernames) for every one of them would be nigh on impossible which is why it’s so easy to see why people fall into the bad password habits discussed above.
I currently have 177 logins stored in my password manager! (that shocked me when I checked just now!) Each login has a unique, very strong and fresh password. I don’t know what any of the passwords are and I don’t need to. I only need to know my master password and I have access to all my sites and services quickly, easily and without ever having to click that annoying ‘forgot password’ link.
I personally use 1Password which is a premium/paid Password Manager created by AgileBits, however, there are several, well regarded free or freemium (free with paid options) Password Managers available such as LastPass, KeyPass, Dashlane, Keeper.. the list goes on.
Rather than promote one over the other, I recommend that you check out each online through the vendors’ website and compare plans and features and see what suits you best. Just be aware that many sites that provide ‘reviews’ of these products are affiliated with and getting paid commissions from sales of one or the other and will tend to push you in that direction rather over providing honest reviews. Again, check out the vendors’ sites and compare them for yourself.
For me, the must-have features of any decent password manager are;
- One click (or few click) generation of secure passwords
- Autofill credentials
- Auto collection of new logins
- Audit functionality for password age and strength
- Cross-platform sync
- Vault sync options (iCloud, Dropbox, Folder)
Other useful features to look out for might be;
- Two-factor authentication
- Online vault storage
- Team administration
- Guest accounts
Lastly but MOST IMPORTANTLY! And I cannot stress this enough – your Password Manager is only as strong as your Master Password… Keep all those 5 points in mind when you create your master password. Long/Random, Unique and don’t store it ANYWHERE except in your memory – It’s the only password you will need to remember but it is the key to ALL your data.