Is There Such a Thing as a Secure Password?
October is Cyber Security Awareness Month – and we're glad that the subject gets this type of notice. This post is part of our ongoing effort to keep cyber security top of mind year-round.
We’ll begin by answering the question posed in the title: unfortunately, no. There is no such thing as a perfectly secure password, no matter how carefully you choose it. If hackers break into a site where you’ve entered your password, and that site stored it carelessly (in plain text, or with a weak hash that is quick to crack), it can be scooped up along with the other information you entered. If that includes your email address, the bad actors now have the tools for what’s known as credential stuffing: trying stolen email-and-password pairs wholesale against other websites. It works because so many people reuse the same password everywhere, and the payoff is other data and real assets.
Although there’s a move toward a password-free Internet through more secure access methods, like biometrics (facial recognition, fingerprints, etc.) and multi-factor authentication layered on top of passwords, it won’t happen overnight. In the meantime, we all have to do everything possible to make our passwords as secure as they can be. That’s why, in collaboration with our cyber security training partner KnowBe4, we’re making available a handy infographic with practical ideas for creating the strongest password possible. The Complex Password Guide also offers some overall password security tips. You can download it here for free.
To help you understand why the infographic is a must-have tool, we’ll describe here why some of the old methods of password security no longer work and why even some of the new methods are unreliable, if not dangerous.
Not so long ago it became a best practice for companies to require periodic password changes, every 60 to 90 days or so. Unfortunately, users found it hard to remember a new password every few months, so a common workaround became putting a number at the end of the password and bumping it with each change: P@ssword1 becomes P@ssword2, and so on. Hackers, being clever and devious, caught on. If they obtain such a password in a breach and it no longer works, they simply try the next numbers up until one does. Oh, and that @ symbol in the example? Hackers are on to that kind of substitution too. Password-cracking tools apply these character swaps (@ for a, $ for s, 0 for o) and appended digits as standard rules, so a word dressed up this way is barely harder to guess than the plain word.
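To show how little a bumped counter and a few character swaps actually buy you, here is a small Python script, added for this post and not taken from the KnowBe4 guide or from any cracking tool, that reproduces the attacker’s logic: it takes one leaked password, strips the trailing number, undoes and re-applies common substitutions, and counts how many guesses it takes to reach the victim’s “new” password. The substitution tables and the ten-step counter sweep are constructed for the example; real cracking rule sets are far larger.

```python
import itertools
import re

# Substitution tables (constructed for this example; real cracking rule sets
# such as hashcat's or John the Ripper's are far larger).
LEET_TO_PLAIN = {"@": "a", "4": "a", "$": "s", "5": "s", "0": "o", "1": "i", "!": "i", "3": "e"}
PLAIN_TO_LEET = {"a": ["@", "4"], "s": ["$", "5"], "o": ["0"], "i": ["1", "!"], "e": ["3"]}


def split_counter(password):
    """Split 'P@ssword1' into ('P@ssword', '1'); (password, None) if there are no trailing digits."""
    m = re.fullmatch(r"(.*?)(\d+)", password)
    return (m.group(1), m.group(2)) if m else (password, None)


def deleet(text):
    """Undo the substitutions: 'P@55w0rd' -> 'Password'."""
    return "".join(LEET_TO_PLAIN.get(c, c) for c in text)


def leet_variants(word):
    """Every respelling of `word` allowed by PLAIN_TO_LEET, the plain word first."""
    options = [[c] + PLAIN_TO_LEET.get(c.lower(), []) for c in word]
    return ("".join(combo) for combo in itertools.product(*options))


def counter_variants(base, counter, steps):
    """Bump the trailing counter: ('P@ssword', '1') -> P@ssword2 ... P@ssword11.
    With no counter, append 1..steps. Zero-padding width is kept ('07' -> '08')."""
    if counter is None:
        return [base + str(k) for k in range(1, steps + 1)]
    start, width = int(counter), len(counter)
    return [base + str(start + k).zfill(width) for k in range(1, steps + 1)]


def candidates(leaked, steps=10):
    """Yield guesses in the order an attacker holding `leaked` would try them:
    the leaked spelling with its counter bumped, then the de-leeted word,
    then every other substitution spelling, each with its own counter sweep."""
    base, counter = split_counter(leaked)
    plain = deleet(base)
    tried_bases, tried = set(), {leaked}
    for b in itertools.chain([base, plain], leet_variants(plain)):
        if b in tried_bases:
            continue
        tried_bases.add(b)
        guesses = ([b + counter] if counter is not None else []) + counter_variants(b, counter, steps)
        for g in guesses:
            if g not in tried:
                tried.add(g)
                yield g


def guesses_until(target, leaked, steps=10):
    """Guess number at which `target` is hit starting from `leaked`; None if the rules never reach it."""
    for n, guess in enumerate(candidates(leaked, steps), start=1):
        if guess == target:
            return n
    return None


def is_trivial_rotation(old, new, budget=500):
    """Password-change check: reject `new` if it sits within the attacker's first `budget` guesses from `old`."""
    n = guesses_until(new, old)
    return n is not None and n <= budget


if __name__ == "__main__":
    for new in ["P@ssword2", "Password5", "Passw0rd1", "correct horse battery staple"]:
        print(f"{new!r}: found after {guesses_until(new, 'P@ssword1')} guesses")
```

The one place a defender can apply this is the password-change form, where the old password is in hand: `is_trivial_rotation` rejects a new password that an attacker holding the old one would reach within a few hundred guesses, which catches both the counter bump and the swap of one spelling for another.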
More recently, two-factor authentication (2FA) has come into wider use. After entering your password you receive a text or email with a code or, alternatively, answer a security question to establish your identity before being given access to a site. Once again, however, bad actors have found ways around 2FA: a code sent by text can be stolen by taking over your phone number (SIM swapping), and both codes and security-question answers can be phished by a fake login page that relays them to the real site in real time. (Strictly speaking, a security question is just another thing you know, so it is not a true second factor at all.)
Currently, users are being advised to create passwords that are phrases that make sense only to them, and not to change them unless they know they’ve been compromised, for example in a breach of a site you’ve visited or where your personal data is stored (think Experian and other well-publicized major breaches). This is also what the NIST digital identity guidelines (SP 800-63B) recommend: no arbitrary periodic changes, but a mandatory change when there is evidence of compromise. But how can you know whether this has happened to you? In many cases, you’ll never know.
Fortunately, hackers tend to take their stolen passwords, emails and other data and post or sell them on the dark web. A number of companies and services (Avast.com, BreachAlarm.com and HaveIBeenPwned.com, to name a few of the legitimate ones) have built sites that collect the stolen data into databases and let individuals or companies check whether an email address or password is among those compromised.
It sounds helpful, but it can be dangerous. Every time a user types a password into a third-party site, he or she runs the risk that the site has itself been hacked, or is illegitimate, and that the password is going straight to the hackers. Even the creator of HaveIBeenPwned.com warns visitors not to enter any password they actively use into the field provided for the purpose on his site. (By the way, “pwned” is not a typo. Internet users coined the word as a stand-in for “owned,” the slang for having been beaten or taken over, here meaning that your password or account has been taken by a hacker.)
We recommend to our cyber security clients that they take these searches for compromised passwords off the Internet. The legitimate sites we mentioned let you download their databases of breached password hashes to a secure, in-house server and do the searching there. That’s a job best left to cyber security professionals. The one online method that does not expose the password is HaveIBeenPwned’s Pwned Passwords range lookup: your own computer hashes the password with SHA-1 and sends only the first five characters of that hash, the service returns every breached hash beginning with those characters, and the comparison happens on your machine, so the password itself never leaves it.
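Here is how a safe lookup works in practice, as an added Python example written for this post; it is not HaveIBeenPwned’s own code, although the request shape matches its public range endpoint (`https://api.pwnedpasswords.com/range/<first five hex characters of the SHA-1 hash>`). The sample response text and hash-list excerpt below are constructed so the script runs offline: the hashes of “password” and “123456” are real SHA-1 values, but the breach counts and the remaining entries are made up. `query_range_api` is the one function that goes online, and the demo does not call it.

```python
import hashlib
import urllib.request

# Constructed sample of what GET .../range/5BAA6 returns: 35-character hash
# suffixes with breach counts. The middle suffix is the real SHA-1 remainder
# of "password"; the other suffixes and all counts are made up for this
# example. A count of 0 is what the API's optional padding entries look like.
SAMPLE_RANGE_RESPONSE = """\
0018A45C4D1DEF81644B54AB7F969B88D65:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
2BD6E8D1A1B0A2B9E1D5F3C2A9B8C7D6E5F:0
"""

# Constructed excerpt of a downloaded full-hash list ("HASH:COUNT" per line).
# The hashes are the real SHA-1 of "password" and "123456"; counts are made up.
SAMPLE_OFFLINE_LIST = """\
5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
7C4A8D09CA3762AF61E59520943DC26494F8941B:2
"""


def sha1_prefix_suffix(password):
    """Return the 5-hex-char prefix that may be sent and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_hash_lines(text):
    """Parse 'HASH_OR_SUFFIX:COUNT' lines into a dict. Both the range response
    and the downloadable list use this shape; blank lines are ignored."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        h, _, count = line.partition(":")
        table[h.upper()] = int(count)  # 0 for padding entries
    return table


def count_in_range_response(password, response_text):
    """Match the locally kept suffix against a range response; 0 means not found."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_hash_lines(response_text).get(suffix, 0)


def count_in_offline_list(password, list_text):
    """Same check against a downloaded full-hash list kept on your own server."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_hash_lines(list_text).get(prefix + suffix, 0)


def query_range_api(password, timeout=10):
    """Live lookup: only the 5-character prefix leaves the machine.
    Add-Padding asks the service to pad the response so its size does not
    reveal how many real hashes share the prefix. Not called by the demo."""
    prefix, _ = sha1_prefix_suffix(password)
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "range-check-example"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return count_in_range_response(password, resp.read().decode("utf-8"))


if __name__ == "__main__":
    for pw in ["password", "123456", "correct horse battery staple"]:
        prefix, _ = sha1_prefix_suffix(pw)
        print(f"{pw!r}: sends prefix {prefix}, "
              f"range hit count {count_in_range_response(pw, SAMPLE_RANGE_RESPONSE)}, "
              f"offline list count {count_in_offline_list(pw, SAMPLE_OFFLINE_LIST)}")
```

Both checks compare the full hash only on your side; the downloaded-list variant is the one to use for bulk audits of an organization’s existing password hashes, while the range lookup is cheap enough to run on every password-change form.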
Until the day comes when we have a password-free Internet, the more you know about password security and how to build a secure password, the safer your company and employees will be.
If you’d like to speak with Soundshore Technology Group’s cyber security experts, send an email to firstname.lastname@example.org. We’ll be happy to help. While you’re here, please take a look at our full list of cyber security services – growing as we help more and more companies defend themselves against very real and increasing cyberattack threats.