Sam Vesey, 5th June 2019. Advice, Cyber Security. 6 minute read

We should all use secure passwords for every service we access, as standard, and there's no reason any of us can't. Knowing what makes a password secure, that is, resistant to cracking, bridges the gap between those using an 8 character minimum length password and the practically un-crackable 15 character phrase that is actually needed.

So, let's start with the fundamentals...

The best place to start - The Basics

AAA - Authentication, Authorisation, Accounting.

Authentication: prove you are who you say you are.

Authorisation: determine the level of access to the resources requested.

Accounting: audit the access so that any modification is logged and traceable to an individual.

To access any resource, you typically provide two pieces of information: your username, to identify who you are, and your password, to prove it, since you're the only person who should know it. Thus, one factor of authentication is used - the password (this is relevant later on when we discuss multiple factors).

Tips for creating passwords

When it comes to passwords, length is absolutely key. Our standard advice is three random words joined together, with numbers serving as the special characters:

Laptop2Black4Screen

Or our personal favourite, a song lyric with random capitalisation of the first letters:

AMelodysoundsLikeaMemory

(n.b. any budding hackers out there, none of our passwords follow this so don't try :-))

When to change your password

With the basics out of the way, let's move on to the most common source of frustration and bad advice. Does this sound familiar?

"What do you mean my password is incorrect!? I'm sure that's my password, or was that my last one? Really, I have to reset it, again!"

- Most of us, every 3 months...

Some time ago the National Cyber Security Centre (NCSC from here on in) advised all users to reset their password every 90 days. Naturally, this advice didn't scale well, especially now that we access hundreds of services from our computers.

The NCSC have since rescinded that advice: you only need to change your password if you have reason to believe it has been compromised. Of course, this does mean you need to monitor for compromises; your IT provider will be able to notify you of unauthorised attempts.

Get notified if your password is exposed

We've all seen the news: another FTSE250 company has lost 1 million account credentials and is advising you to reset your password.

It doesn't take long for those credentials to surface on the internet, leaving you vulnerable wherever you have re-used that password. But, I hear you ask, was my data in that breach? Well, Troy Hunt has created an amazing free tool called Have I Been Pwned for you to find out.

You can use the tool to check whether your account credentials have been lost in a major data breach. If you're an IT co-ordinator or administrator you can also get domain-wide notifications, for example for any email accounts under @bzbit.co.uk. Pretty handy!

Consider increasing the factors

We touched upon authentication factors at the start of this post and I promised we'd come back to it, so here it is. Your traditional login process is a single-factor process, but if you can increase the amount of verification provided, the authenticating party can be even more certain that you truly are who you say you are.

Passwords fit the category of "something you know". We can add other authenticating factors too, such as "something you have" or "something you are":

Something you have: think RSA token or smartphone app. For products that work well in typical SME environments we recommend Duo and YubiKey.

Something you are: think biometrics. Fingerprint scanners are affordable additions to most laptops now and can be integrated with centralised logon services.
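The smartphone-app factor mentioned above is usually a time-based one-time password (TOTP, RFC 6238): the phone and the service share a secret at enrolment, and both derive a short code from that secret and the current 30-second time step, so possession of the phone is what is being proven. The following is an added example written for this post, not code from the blog's author or from any of the products named; it assumes the RFC defaults (HMAC-SHA1, 30-second steps, 6 digits) and uses the RFC 6238 test secret for the checkable values. Both sides are shown: the phone generating a code and a server verifying it with a small clock-drift window and a replay guard.

```python
"""TOTP (RFC 6238) from scratch: phone side generates, server side verifies."""
import base64
import hashlib
import hmac
import secrets
import struct

STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, at: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """TOTP is HOTP with the counter set to the current time step."""
    return hotp(secret, at // step, digits)


def new_secret() -> tuple[bytes, str]:
    """Enrolment: a random 160-bit secret plus its base32 form for the QR code."""
    raw = secrets.token_bytes(20)
    return raw, base64.b32encode(raw).decode("ascii")


def phone_code(secret_b32: str, at: int) -> str:
    """What the authenticator app displays, given the enrolled base32 secret."""
    return totp(base64.b32decode(secret_b32), at)


class Verifier:
    """Server side: accept codes within +/- window steps, never accept a step twice."""

    def __init__(self, secret: bytes, window: int = 1,
                 step: int = STEP_SECONDS, digits: int = DIGITS) -> None:
        self.secret = secret
        self.window = window
        self.step = step
        self.digits = digits
        self.last_counter = -1  # highest time step already used successfully

    def verify(self, code: str, at: int) -> bool:
        counter = at // self.step
        for candidate in range(counter - self.window, counter + self.window + 1):
            if candidate <= self.last_counter:
                continue  # replay guard: this step (or an older one) is spent
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_counter = candidate
                return True
        return False


if __name__ == "__main__":
    raw, b32 = new_secret()
    now = 1_559_692_800  # constructed timestamp (5 June 2019)
    code = phone_code(b32, now)
    server = Verifier(raw)
    print("phone shows", code, "-> accepted:", server.verify(code, now))
    print("same code again -> accepted:", server.verify(code, now))
```

The window of one step either side tolerates a phone clock that is up to 30 seconds out; the replay guard is what stops a code being reused within that window, which is why the server must persist `last_counter` per user.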

Use the tools available to you

If we're honest, you probably already know about this one; otherwise the number of password resets raining down on you would be crippling!

But there are loads of password managers to help you keep track. Our favourite is KeePass, but you could also look at LastPass, OneLogin or 1Password, and for more detail check out CNET's article.

Signing off

I've tried to cover a lot of ground in this post so it's a pretty thin sprinkling of information on each one. If you'd like any more information, do get in touch!
