Why are passwords important and what can it mean if a password is compromised?
Passwords help secure your private, personal or company information. They are your first line of defense against unauthorized access to your confidential information. Consider the other tools we use to verify our identity, such as a social security number, driver's license or passport. We keep these items secure. In the same way, we should keep safe all the information that passwords protect.
Passwords, passcodes, and PINs have endured as the most common methods of access control used for securing our valuable digital resources, such as:
- Computers and mobile devices
- Banking websites
- Social media accounts
- Email accounts
- E-commerce sites
- Cloud storage
- Utilities provider payment and monitoring portals
Passwords have historically been a primary layer of security, and in some cases the only layer. Unfortunately, passwords are vulnerable to being:
- Guessed by humans
- Cracked by computer algorithms
- Captured from where they are stored (securely or insecurely)
- Shared with others
According to Verizon's 2017 Data Breach Investigations Report, "stolen passwords and/or weak or guessable passwords were responsible for 81% of hacking-related breaches" (source: https://www.keepersecurity.com/assets/pdf/Keeper-SelectingPM-WhitePaper.pdf).
Why can't I use a simple password?
Hackers represent a real threat to your private information. One of the best ways to protect your information is to ensure that only authorized people can gain access to it. The password is the first level of defense. Keeping track of all of the letter and number combinations can be frustrating, but it is important to use strong passwords that are difficult to guess, and a different password for each account. Consider these statistics:
From a recent survey performed by a partnership of PasswordManager.com and YouGov, "85% of people know that using the same password or a variation of the same password puts them at risk, yet nearly 25% of people use the same password, or a variation of the same password." Here are a few other statistics from the same study:
- 7.7% of respondents reported that their personal information was stolen in the 2017 Equifax data breach
- 18.8% reported that a social media account had been breached
- 19.3% reported a security breach caused by an email account being hacked
- Of those surveyed, 21.1% have had a financial account breached, including banking, credit cards and PayPal accounts
Relying on passwords alone, particularly passwords which aren't strong enough, creates a critical weakness and often a single point of failure in access control. Here are just a few ways a compromised password can be used:
- Company or personal data can be - intentionally or unintentionally - accessed by an unauthorized entity.
- Data can be deleted, exploited, leaked, manipulated, misrepresented, ransomed, used for identity theft, etc.
How can I know if my password has been compromised?
If you are concerned that your credentials have been compromised, you can do a quick check by visiting https://haveibeenpwned.com.
If you find that your account appears in one of the listed breaches, change your password immediately. Review the following guidelines for helpful tips on how to create a strong password.
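The haveibeenpwned.com password check is worth understanding, because it never sees your password: the site's Pwned Passwords service uses a k-anonymity lookup in which only the first five characters of the password's SHA-1 hash are sent, and the service answers with every hash suffix it knows that shares that prefix, each with a breach count. The client finishes the match locally. The script below is an added example written for this article, not code from haveibeenpwned.com. The sample response embedded in it is constructed (the suffixes and counts are invented, except that the second suffix really is the SHA-1 remainder of the string "password"); the live fetch helper uses the real range endpoint, whose URL is an assumption you should verify against the service's documentation.

```python
import hashlib
from typing import Callable, Tuple

# Real Pwned Passwords range endpoint (assumption: verify against the
# service's published API documentation before relying on it).
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample of a range response for the prefix "5BAA6", which is the
# SHA-1 prefix of the string "password". Each line is "<35-hex suffix>:<count>".
# The first and third suffixes and every count are invented for this example.
SAMPLE_RANGE_RESPONSE = (
    "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD9:1\r\n"
)


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is
    sent to the service and the 35-char suffix that stays on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(range_body: str, suffix: str) -> int:
    """Scan a range response locally; return the breach count for our suffix,
    or 0 when the suffix is absent (the password was not in a known breach)."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def fetch_range_live(prefix: str) -> str:
    """Fetch a real range from the service. Only the prefix leaves the machine."""
    from urllib.request import Request, urlopen

    req = Request(PWNED_RANGE_URL + prefix,
                  headers={"User-Agent": "pwned-password-check-example"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password(password: str,
                   fetch: Callable[[str], str] = fetch_range_live) -> int:
    """Return how many times the password appears in known breaches (0 = none).
    `fetch` is injectable so the logic can be exercised offline."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(fetch(prefix), suffix)


if __name__ == "__main__":
    # Offline demonstration against the constructed sample response.
    seen = check_password("password", fetch=lambda _prefix: SAMPLE_RANGE_RESPONSE)
    print(f'"password" appears {seen} times in the sample breach data')
```

Replace the lambda with the default `fetch_range_live` to query the real service; even then, the full hash of the password never leaves your machine, which is why checking a current password this way is acceptable where pasting it into an arbitrary web form would not be.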
What are the guidelines that make up a weak vs a strong password?
How Can I Confirm that My Password is Strong Enough?
If you would like to assess your current password's strength rating or generate a stronger password, look to the resources below:
https://howsecureismypassword.net (maintained by security.org)
https://passwordmonster.com (maintained by My1Login)
https://haveibeenpwned.com/Passwords (maintained by haveibeenpwned.com)
I have so many complex passwords and they are difficult to remember!
Consider using a Passphrase
A passphrase is a type of password; the simple distinction is that a passphrase strings together multiple random words to create a very long password that is much easier for a human to read, understand, remember and type. At the same time, it is much harder for a computer to guess or crack using any of the common methods in use today.
To compare conventional complex passwords with passphrases, review the following passwords and their rated difficulty (for computers to crack), and decide for yourself which type you would rather rely on for everyday use.
*** The preceding examples are illustrations only; don't use any of these example passwords or passphrases. You can easily generate your own strong passwords using the methods and resources mentioned throughout this article. ***
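The reason a passphrase of ordinary words can beat a short "complex" password is entropy: what matters is how many equally likely possibilities an attacker has to try, not how strange the characters look. The script below is an added example for this article, not code from the author; it generates a passphrase with a cryptographically secure random source and compares the entropy of word-based and character-based passwords. The word list inside it is a constructed 25-word miniature so the code runs offline; the 7776-word figure is the size of a standard diceware list, and 95 is the number of printable ASCII characters on a US keyboard. The entropy figures assume the attacker knows the word list and character set, which is the only safe assumption.

```python
import math
import secrets

# Constructed miniature word list for the example. A real diceware-style list
# has 7776 words; 25 words is far too few for a real passphrase.
SAMPLE_WORDLIST = [
    "anchor", "basket", "copper", "dragon", "ember", "falcon", "garden",
    "harbor", "island", "jigsaw", "kettle", "lantern", "meadow", "nectar",
    "orbit", "pepper", "quartz", "river", "saddle", "timber", "umbrella",
    "velvet", "walnut", "yonder", "zephyr",
]

DICEWARE_LIST_SIZE = 7776       # 6**5 words on a standard diceware list
PRINTABLE_ASCII_CHARSET = 95    # letters, digits and symbols on a US keyboard


def generate_passphrase(num_words: int, wordlist=SAMPLE_WORDLIST,
                        separator: str = " ") -> str:
    """Pick words uniformly at random using the `secrets` module (a CSPRNG),
    never the `random` module, which is predictable."""
    if num_words < 1:
        raise ValueError("num_words must be at least 1")
    return separator.join(secrets.choice(wordlist) for _ in range(num_words))


def passphrase_entropy_bits(num_words: int,
                            list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy in bits of num_words words chosen uniformly from list_size."""
    return num_words * math.log2(list_size)


def password_entropy_bits(length: int,
                          charset_size: int = PRINTABLE_ASCII_CHARSET) -> float:
    """Entropy in bits of `length` characters chosen uniformly from charset_size.
    Human-chosen passwords are far below this bound; only generated ones reach it."""
    return length * math.log2(charset_size)


def expected_crack_seconds(entropy_bits: float, guesses_per_second: float) -> float:
    """Expected brute-force time: on average half the keyspace is searched."""
    return (2 ** entropy_bits) / 2 / guesses_per_second


if __name__ == "__main__":
    print("sample passphrase:", generate_passphrase(4))
    print(f"4 diceware words : {passphrase_entropy_bits(4):.1f} bits")
    print(f"6 diceware words : {passphrase_entropy_bits(6):.1f} bits")
    print(f"8 random chars   : {password_entropy_bits(8):.1f} bits")
    print(f"12 random chars  : {password_entropy_bits(12):.1f} bits")
    # Hypothetical offline-cracking rate of 10 billion guesses/second,
    # chosen only to make the comparison concrete.
    rate = 1e10
    for label, bits in (("4 words", passphrase_entropy_bits(4)),
                        ("6 words", passphrase_entropy_bits(6))):
        print(f"{label}: ~{expected_crack_seconds(bits, rate) / 86400:.0f} days at {rate:.0e}/s")
```

Four diceware words come out at roughly 51.7 bits, about the same as 8 fully random printable characters (52.6 bits), and six words reach about 77.5 bits, which is why the passphrase is the better everyday choice: the same or more strength with something you can actually remember. Note that the generator's strength comes entirely from the random choice; picking words yourself, or using a list as small as the sample one, throws most of the entropy away.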
Multi-Factor Authentication - The Next Step
In addition to using a strong password, most applications offer another layer of security called multi-factor authentication (MFA), also referred to as two-factor authentication (2FA). With MFA, a user is granted access to an application or website only after successfully providing an additional proof of identity. This can be done via a phone call, push notification, text message, or by entering a code sent to a designated email address or phone number. There are also authenticator applications that generate these codes for you. It is less likely that a hacker will also have access to your cell phone, for example, so having this second factor in place significantly increases the security of your valuable information.
Microsoft reports, based on its research, that MFA can prevent over 99.9% of account compromise attacks (source: https://www.microsoft.com/security/blog/2019/08/20/one-simple-action-you-can-take-to-prevent-99-9-percent-of-account-attacks/).
For more information, visit our Multi-Factor Authentication Blog.
Even better than generating passwords for yourself according to security guidelines is to use a trusted password manager with a strong password generator built into the service. Read on for more information on what password managers do and why they are so valuable.
Primary Benefits of a Password Manager
- Centralizing the work of password management using a single tool
- The ability to memorize one master password and use it to access many saved passwords
- Access to a strong password generator/password strength assessment tool in the application
- The ability to access the password manager service whether you are using a computer, mobile device, or via the web (for most password manager services)
- A security-by-design approach that can be a part of an industry compliance strategy (HIPAA, PCI, etc.)
- Ability to secure the service using Multi-Factor Authentication, as discussed previously
Browser password managers (Firefox, Chrome, etc.) are generally considered to be weak and relatively insecure solutions—it is not recommended to trust these with your secure data. More secure and feature-filled password managers are available which offer good accessibility and ease-of-use, and can be integrated into your browser or accessed from your desktop or mobile device.
For more information, visit our Password Managers Blog.
This article has covered a lot of information. To summarize, please review the following Best Practices for Password and Access Control. Feel free to reach out if you have a question about anything listed in this article or if you feel your credentials have been compromised. We are happy to connect you to one of our knowledgeable staff to assist with concerns or help you set up additional security.
The security guidance in this article takes into account the typical risk profile most users face regarding passwords. Following the best-practice recommendations for passwords, MFA, and the other security measures described will reduce the risk of a password breach across all common attack vectors.
If you have questions about how we can help or would like to know more about the services we provide, please click the link to set up a call.