16 Nov Let’s Get Serious About Passwords
Too many passwords = Recycling simple passwords = Danger
Technology has delivered many marvellous things, but it comes with the burden of managing numerous passwords. Think about how many systems you access with a password. The list continues to grow year after year as many of us are even more active with online shopping, online banking and so on.
The common solution for many is to simply re-use the same password everywhere. What most of us don’t realise is that this means if one account is compromised, “they” (hackers) have access to everything. The other thing we find many people do is write their passwords down or record them in a document or spreadsheet that is itself not password protected.
Complexity of passwords can also make it difficult to juggle numerous passwords, especially when you’re told to have passwords with upper, lower case, numeric and non-alphanumeric characters. Try remembering Alb@troSS47$# and come up with a unique password for every system you access. That’s a very difficult task.
Store it (Safely)
So, if you can’t recycle passwords and are expected to use long complex combinations of letters, numbers and characters, the first thing we need to address is the ability to easily, and safely, record your passwords. After all, it’s easy to remember one long password but if you want to have as many unique passwords as you can, remembering them all becomes a challenge.
If you can easily and safely record passwords, you will be less inclined to recycle them and be more willing to use outrageously long complex passwords. Just remember, writing them down is never the answer. So, what is?
The good news is that there are several password storage applications including Dashlane, Keeper, 1Password and, the one we recommend, LastPass. We will reference features of LastPass in this article, but you will find these password storage applications have similar functionality.
LastPass is software you can install on your PC which will run on most web browsers. The software will detect passwords you enter and give you the option to save them in a secure database attached to a LastPass account you create. The next time you log into the same system in the browser, LastPass will offer to enter it for you. You can also store general passwords and other sensitive data (such as credit card details) in your LastPass account “Vault”. At any time, you can easily access this information from the LastPass app on your PC or smart phone. We strongly recommend you use a strong (long and complex) password for your LastPass account as well as Multi-Factor Authentication (see below) because your LastPass account is definitely something you don’t want others to access.
We’ve addressed the ability to juggle a large volume of passwords while keeping them long and complex, which is great. But then you go ahead and give someone your password. We don’t mean a co-worker or friend who you intentionally give it to (not that it’s good practice to do either!). We mean a hacker who successfully got you to enter your password in the wrong place. All that hard work diligently storing your passwords in a safe place, gone out the window.
Giving your password to hackers
Sometimes you can unintentionally hand over your password to people who choose to do harm. Take Phishing sites for example (that’s Phishing, not fishing). Phishing sites are websites that are designed to look genuine but are used to lure you into entering your account details. They typically start with a link in an email telling you that you urgently need to log into some system (your bank account, office.com) and change your password. The link takes you to what seems like a legitimate website, but what the attackers are after is for you to unknowingly enter your details, including your password. There you have it, they now have your password.
And, if that’s not bad enough, if you have the same password across the many systems you access, hackers will have further access to every account that uses that same password. This is when your life can turn upside down.
So apart from being extra cautious about clicking on links that ask you to access your bank or your travel itinerary for a flight you never booked, what can you do to prevent hackers from getting in? One of the most effective methods is Multi-Factor Authentication.
Email Accounts – Gateway to Many Systems and Potentially Your Worst Nightmare
Before we get onto Multi-Factor Authentication, I’d like to cover one last thing you need to be mindful of, and that is the power of your email account. Your email account is particularly important and requires specific attention, for three simple reasons:
- Your email account can act as a gateway to numerous systems. When you click on “forgot password” what do most systems do? They email you a link to reset your password. Gaining access to your email account means hackers can access all the web sites you use your email address to gain access to.
- The other problem is that if someone can access your email account, they can manipulate people you deal with into sending payments to overseas accounts. They do so by monitoring your email traffic to get an understanding of what you do. Hackers love getting access to the email accounts of people who instruct others to pay bills, for example managers approving invoices for accounts payable to pay. They will find invoices you regularly approve from a vendor, generate a fake invoice containing their own bank details, then email it to accounts payable to pay. This is far more common than you might think.
- If hackers have access to sensitive information in your email account that you don’t want to be made public, they can hold you to ransom. They will threaten to release information or give you the option to pay using something that is difficult to trace back to them such as Bitcoins.
Your email account can be a gateway to many systems and a lot of headache if compromised. It requires a unique (not recycled) and complex password for example: ILoveFishingInTheRockyMountains@1978.
However, given its sensitivity for the above reasons and many more, you also need an additional factor required to gain access to your email account. This introduces Multi-Factor Authentication.
MFA is now a necessity
For decades, the primary method of preventing unauthorised access to any system was long and/or complex passwords. As long as you didn’t share your password with others, write it down or store it electronically somewhere that was not safe, then you were reasonably safe from others gaining access.
Things have changed, and cyber criminals’ ability to get your password is frighteningly easy. From an innocent click on a link in an email to entering your username and password on what you think is a legitimate website, cyber criminals can manipulate you into giving them your password unwittingly.
With the vast number of systems we have to access these days, people tend to use a common password for all their systems, which exacerbates the problem.
We highly recommend the use of MFA (multi-factor authentication) not just on mission-critical systems with sensitive data but also on your personal email address and any system you access that offers MFA as an option. Cyber criminals don’t just go for big businesses; in fact they often don’t know who they’re targeting and are happy to compromise any data from anyone who might have a reason to pay a ransom to get their data back.
What is Multi-Factor Authentication (MFA)?
Multi-Factor Authentication adds multiple layers of protection to the system(s) you access. It asks you for more than just your username and password when you log into these systems. It combines two or more of the following:
- Something you know (your password)
- Something you have (like your phone or a token)
- Something you are (like your fingerprint)
With almost weekly reports of hacks and breaches, multifactor authentication adds an additional layer of protection that prevents anyone besides you from gaining access to your account, even if they’ve stolen your password.
The most common method is the entry of a code often accessed from a mobile App.
Authenticator App
For those of you who elect to use an App on your mobile to retrieve the code needed for your login, there are a few options. We would recommend an App that allows you to save your keys in the Cloud in case you ever change mobile phones and don’t want to set up MFA on all your systems again. LastPass and the Microsoft Authenticator App are two common apps used for this purpose.
The Microsoft Authenticator App is ideal for use with Microsoft 365 services because it allows you to approve the login by clicking a button rather than having to enter the code every time. That is purely a convenience; it is just as safe and effective.
MFA on E-Mail accounts
Ideally everyone should use MFA for email accounts. Your email address is used as a gateway to so many services and is therefore used to reset passwords. This makes additional protection using MFA critical. It not only stops cyber criminals from getting into your email account, but it also stops them from accessing the various systems you use your email address to access. If you forget your password and select the option to reset it, the system usually sends you an email to reset the password. So, if the cyber criminals get into your email, they get into everything!
VIP Summary
- Don’t recycle passwords. Use a unique password for all systems especially your email account.
- Find a safe way to store passwords. Post-it notes and Excel spreadsheets should never be used.
- Use long complex passwords.
- For critical systems including your email account, use Multi-Factor Authentication.
- Be careful what you click when you get an email, especially one that tells you to enter or change your password.
This article is by no means an extensive list of the steps needed to prevent data theft, but it covers some of the most common problems people get themselves into. Following these steps can go a long way toward minimising the risk of malicious access to your personal and business systems.
They’re simple to do so get yourself sorted today.
Stay cyber safe.
Synergise IT are specialists in security and backup disaster recovery. Should you like to know more about how to protect your business and systems, the team at Synergise IT are only too happy to assist. For more information visit: https://synergiseit.com.au/products/security