- Key issues
Keep it secret. Keep it safe.
Many people, as many as 82%, reuse passwords on multiple sites. This creates a lot of vulnerabilities because if someone gets hold of one password, they could get access to all sorts of things from social media platforms to bank accounts. Take time to work out who has your password, minimise the risk and keep yourself protected.
Thu 5 May 2022
Cyber criminals break into lots of companies. They’re looking for all sorts of data and, of course, usernames and passwords are the cream of the crop as far as they’re concerned. In fact, 60% of data breaches involve stolen credentials. Studies show that guessing a password from personal information about its owner is often easier than cracking it outright.
A lot of people use passwords derived from the name of their first pet, a favourite sports team, mother’s maiden name and so on. Hackers can scrape this information from social media platforms and build up a profile of you that makes those passwords easy to guess. The passwords they do obtain, whether guessed or stolen in a breach, then feed a second, automated attack: ‘credential stuffing’.
Credential stuffing is where a hacker takes the username-and-password pairs leaked in one breach and, using automated tools, tries them in bulk against many other websites and apps. It isn’t clever guesswork: it is real credentials being replayed at scale, and it works because so many people reuse the same pair everywhere. Because each attempt looks like an ordinary login, more than 80% of companies say it’s hard to detect, fix or stop credential stuffing attacks.
When hackers carry out credential stuffing attacks, some of the replayed pairs eventually work and they get access into something. It might enable them to take over your Facebook or WhatsApp account and start carrying out scams against your contacts that look like they’re coming from you. And once they’re in, hackers will steal as much personal information as they can find, sometimes getting to a point where they can completely steal a person’s identity, empty their bank accounts and use them as a front for other scams. The aftermath for an individual who has had their identity stolen can be life changing, including problems getting loans in future or even damage to employment prospects.
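The point that credential stuffing is hard to detect is worth making concrete. The signature is not one person failing to log in but one source trying many different usernames in a short time, mostly failing, and occasionally succeeding. Here is an added example, written for this page and not taken from any product, that runs that check over a few constructed authentication log lines (the log format, IP addresses and usernames are made up for illustration):

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed log format for the example: "<ISO time> ip=<src> user=<name> result=OK|FAIL"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: alice mistypes her own password (normal), 203.0.113.7 replays
# leaked pairs against six different accounts and gets into grace's (stuffing).
SAMPLE_LOG = """\
2022-05-05T10:00:01Z ip=198.51.100.2 user=alice result=FAIL
2022-05-05T10:00:09Z ip=198.51.100.2 user=alice result=FAIL
2022-05-05T10:00:20Z ip=198.51.100.2 user=alice result=OK
2022-05-05T10:01:00Z ip=203.0.113.7 user=bob result=FAIL
2022-05-05T10:01:01Z ip=203.0.113.7 user=carol result=FAIL
2022-05-05T10:01:02Z ip=203.0.113.7 user=dave result=FAIL
2022-05-05T10:01:03Z ip=203.0.113.7 user=erin result=FAIL
2022-05-05T10:01:04Z ip=203.0.113.7 user=frank result=FAIL
2022-05-05T10:01:05Z ip=203.0.113.7 user=grace result=OK
2022-05-05T10:02:30Z ip=192.0.2.9 user=heidi result=OK
"""


def parse(lines):
    """Turn log lines into (timestamp, ip, user, result) tuples; skip lines that don't match."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["ip"], m["user"], m["result"]))
    return events


def find_stuffing(events, window_s=300, min_users=5, min_fail_ratio=0.8):
    """Flag source IPs that, inside any window_s-second sliding window, attempt at least
    min_users distinct usernames with a failure ratio of min_fail_ratio or more.
    A single user failing repeatedly is not flagged: that is a forgotten password."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()  # tuples sort by timestamp first
        start = 0
        for end in range(len(evs)):
            # advance the window start until it is within window_s of the newest event
            while (evs[end][0] - evs[start][0]).total_seconds() > window_s:
                start += 1
            window = evs[start:end + 1]
            users = {e[2] for e in window}
            fails = sum(e[3] == "FAIL" for e in window)
            if len(users) >= min_users and fails / len(window) >= min_fail_ratio:
                if ip not in flagged or len(users) > flagged[ip]["distinct_users"]:
                    flagged[ip] = {"distinct_users": len(users),
                                   "attempts": len(window), "failures": fails}
    return flagged


def compromised_accounts(events, flagged):
    """Accounts that a flagged source actually logged into: these need a forced reset."""
    return {e[2] for e in events if e[1] in flagged and e[3] == "OK"}


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG.splitlines())
    hits = find_stuffing(evs)
    print(hits)
    print("reset:", compromised_accounts(evs, hits))
```

The thresholds (five distinct users in five minutes, 80% failures) are illustrative; in production they are tuned per site, and the source would normally be keyed on more than the IP address, since stuffing tools rotate through proxies to stay under exactly this kind of limit.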
So, it’s worth cleaning up your digital footprint from time to time and get your data deleted from all the companies that no longer need it so that it simply can’t be stolen. You might think you’re protected if you’ve unsubscribed from a company’s marketing emails, but the problem is that your data still exists in the company’s servers. When hackers steal the data, they will try and combine information about you that they can get from multiple hacks. Remember, just unsubscribing isn’t enough.
It’s not just personal
A study revealed that 40% of organisations relied on sticky notes for remembering passwords and no less than 80% of workers admitted to recycling the same passwords multiple times. And 75% said they use the same passwords for work accounts as they do for their personal accounts.
So if a hacker gets access to one, they can try the same credentials in other places and, judging by these numbers, they may well be rewarded with access to things they really shouldn’t have. If they break into, for example, your Apple ID, they could get access to all kinds of information, from your contacts to the passwords for other sites stored in your keychain.
The first thing is to stop reusing passwords. It’s much better to use a unique password for every website you visit or app you use. That may sound like far too much to remember, but there are several things you can do to help yourself stay safe.
So, how can you create a secure password? Here are some tips for dos and don’ts:
- A password shouldn’t be the word “password” or the same letter or number repeated like 0000. Duh! you might say, but you’d be surprised how many people don’t change a password that comes with, for example, their broadband router or Sky box.
- Don’t make it obvious. A good trick is to have a password made of three random words, for instance duck.motorway.balloon. Pick the words at random rather than ones that mean something to you: the password is hard to guess precisely because nothing links the three words to a favourite team or a family name
- Ideally, a password should be 16 characters or more. It’s been found that 45% of people use passwords of eight characters or less, which are just not as secure; length does more for you than any other single rule
- A password should include a combination of letters, numbers, and characters such as ! or *. That widens the set an attacker has to search, though it doesn’t rescue a short or predictable password
- A password shouldn’t be shared with any other account - use separate passwords for every account or app
- A password shouldn’t include any of your personal information like address or phone number. So don’t use a date of birth for instance. It’s also best not to include any information that can be accessed on social media like kids’ or pets’ names
- A password shouldn’t contain sequences of letters or numbers, so avoid things like abcdef or 123456.
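The tips above can be turned into an automatic check, and the three-random-words idea into a generator. The following is an added example written for this page (not Rightly’s code, and the tiny word list and deny list are constructed stand-ins; a real passphrase list such as the EFF one has thousands of words). It also shows why the randomness of the choice, not the obscurity of the words, is what gives a three-word password its strength:

```python
import math
import secrets

MIN_LENGTH = 16
# Constructed, deliberately tiny deny list; a real one holds millions of breached passwords.
TRIVIAL = {"password", "qwerty", "letmein"}
# Constructed sample word list for the generator.
SAMPLE_WORDS = ["duck", "motorway", "balloon", "granite", "lantern",
                "pickle", "harbour", "velvet", "comet", "saddle"]


def has_sequential_run(pw, run=3):
    """True if pw contains `run` characters that step by +1 or -1 in code-point
    order, which catches abc, 123, cba and 321."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        chunk = low[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_password(pw, personal=()):
    """Return the list of tips the password breaks; an empty list means it passes.
    `personal` holds things an attacker could find about you (pet, street, year)."""
    problems = []
    low = pw.lower()
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if low in TRIVIAL or len(set(low)) == 1:
        problems.append("trivial value (common password or one repeated character)")
    if has_sequential_run(pw):
        problems.append("contains a sequential run such as abc or 123")
    has_letters = any(c.isalpha() for c in pw)
    has_other = any(c.isdigit() or not c.isalnum() for c in pw)
    if not (has_letters and has_other):
        problems.append("letters only: add numbers or characters such as ! or *")
    squashed = low.replace(" ", "")
    for item in personal:
        token = item.lower().replace(" ", "")
        if len(token) >= 3 and token in squashed:
            problems.append(f"contains personal information ({item!r})")
    return problems


def three_random_words(words=SAMPLE_WORDS, sep="."):
    """Pick three words with the OS CSPRNG (secrets), never with random.choice."""
    return sep.join(secrets.choice(words) for _ in range(3))


def passphrase_bits(list_size, n_words=3):
    """Entropy in bits of n_words chosen uniformly from a list of list_size words.
    The attacker is assumed to know the list; only the choice is secret."""
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    for pw in ["password", "0000", "Fluffy-the-cat-2015!", "duck.motorway.balloon"]:
        print(pw, "->", check_password(pw, personal=["Fluffy", "12 Acacia Avenue"]) or "ok")
    print(three_random_words(), f"({passphrase_bits(len(SAMPLE_WORDS)):.1f} bits from this toy list,",
          f"{passphrase_bits(7776):.1f} bits from a 7,776-word list)")
```

The entropy figure is the honest measure: three words from a ten-word toy list is under 10 bits and would be cracked instantly, while three from a 7,776-word list gives about 39 bits, and adding a fourth or fifth word raises it linearly. That is why the advice is to pick the words at random from a long list rather than to pick obscure words.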
But it’s too much to remember!
There are tools that can help you manage passwords successfully. On Apple computers and in iOS for iPhones and iPads, passwords are managed securely on the device and, when signing up on a new website for example, a random password can be generated. It’s usually made up of groups of lower-case letters, with an upper-case letter and a digit mixed in, separated by hyphens. The password is remembered by the computer and also shared securely with the user’s iPhone and other devices. So when you come back to the site it will enter the details for you once you confirm with your device passcode, Touch ID or Face ID. You never need to remember the website password, and every site you visit gets a different one.
Apple’s Safari will also warn you if a particular password has appeared in a data breach, prompting you to go online and change it right away.
A big help, especially if you use multiple platforms such as Apple, Windows, Linux, Android, iOS and so on, is to use a Password Manager app. It stores your passwords in an encrypted vault that only your master password unlocks, making them much harder to steal, and it generates passwords that are much harder to crack, because each one is long, random and unique to a single site or app. The generated passwords come from a cryptographically secure random source, so their strength is limited only by their length, and through the relevant version of the Password Manager they are synced across all your devices, regardless of platform. Some password managers will also prompt you to change passwords every few months and generate a new strong one whenever you need it; current guidance from NIST and the NCSC is that a strong, unique password needs changing when a breach is reported, not on a timer, so treat the breach alerts as the important prompt.
Another big advantage of a password manager is that it enables you to fill in information on online forms easily and automatically, removing the boring job of having to type in address and phone details every time.
It takes two to tango
Many websites and apps these days offer ‘two-factor authentication’. The great advantage of this is that even if someone has your password, there needs to be another way of authorising access. So, for example, if two-factor authentication is turned on, when a username and password are entered correctly on a website, a text message is sent to the owner’s phone with a unique six-digit code that must be entered on the website before it will allow access. This adds a whole extra layer of security that stops a hacker who only has a username and password from getting in. Microsoft has reported that multi-factor authentication blocks over 99.9% of automated account-compromise attacks. Text-message codes are the weakest form, since a phone number can be hijacked (a ‘SIM swap’) and a code can be phished, so where a site offers an authenticator app or a hardware security key, prefer those.
There are also two-factor authenticator apps you can install on your smartphone which generate the equivalent of the six-digit text-message code. The app and the website share a secret when you set it up, so the codes work without a phone signal. Each code is normally valid for thirty seconds, after which the app shows a new one.
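To show what the authenticator app is actually doing, here is an added example (written for this page, not code from any app or website) of the time-based one-time password algorithm those apps use: RFC 4226 HOTP, an HMAC over a counter, and RFC 6238 TOTP, which sets that counter to the number of 30-second intervals since 1970. The secret below is the test secret published in those RFCs, so the expected codes are the standard test vectors:

```python
import hashlib
import hmac
import struct
import time

# Shared secret from the RFC 4226 / RFC 6238 test vectors (real apps get a random one at setup).
RFC_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226: HMAC the 8-byte big-endian counter, take 4 bytes at the offset given by
    the low nibble of the last byte, mask the sign bit, keep `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238: HOTP with the counter = whole `step`-second intervals since the Unix epoch,
    which is why a code changes every 30 seconds and both sides need roughly the same clock."""
    at = int(time.time()) if at is None else at
    return hotp(secret, at // step, digits)


def verify_totp(secret, code, at=None, step=30, digits=6, drift=1):
    """Server-side check: accept the current interval plus `drift` intervals either side to
    tolerate clock skew, and compare in constant time so timing cannot leak the code."""
    at = int(time.time()) if at is None else at
    for k in range(-drift, drift + 1):
        if hmac.compare_digest(totp(secret, at + k * step, step, digits), code):
            return True
    return False


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(RFC_SECRET, 0))          # 755224
    print("TOTP at t=59s :", totp(RFC_SECRET, at=59))      # 287082
    print("TOTP now      :", totp(RFC_SECRET))
```

The drift window is the caveat a practitioner should know: a server that accepts one interval either side means a phished code can stay usable for up to about 90 seconds, not 30, and a correct implementation also refuses to accept the same code twice. Neither tweak changes the core fact that a stolen password alone is useless without the secret held on the phone.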
So, take a little time to keep yourself safe. Minimise how many companies have your data by using Rightly Protect to delete data from those that don’t need it. And do something about those passwords you reuse by creating unique ones, and consider a password manager to look after things for you.