The internet has become integral to our daily lives. And managing everything, from banking to healthcare, through websites is now part of our routines. But with this convenience comes a question: how can we maintain good cyber hygiene and protect our sensitive information? Keep reading to get answers!
Do’s and don’ts of creating rock-solid passwords
Don’t: use common passwords
Popular passwords are vulnerable to password spraying attacks, in which the attacker tries to break into accounts using a short list of the most commonly used passwords.
In order to prevent this type of attack, you want to avoid using sequential numbers or letters like “12345” or “qwerty”. In fact, even in their longest versions, they are too weak to prevent someone from accessing your accounts.
Passwords such as “sunshine”, “cheese” or “Iloveyou” are certainly a testament to your tastes or affections, but they won’t withstand an attack for more than a few seconds, as they are very simple and widely used. And let’s not mention the infamous “password” or “letmein”.
Lastly, the strong passwords given as examples on various websites are not sound choices either. As soon as a password is made available to the public, it will most likely end up in leaked password databases, so it can no longer be relied on to safeguard your account against attacks.
Don’t: use personal info or full words
Sharing personal information on social media has become an everyday occurrence for a lot of us. All it would take is a Google search to uncover family first names, town names and birthdays, which is why they are to be avoided when creating passwords.
The same is true of full words. Why? Because including common words or names in your passwords exposes them to what are known as dictionary attacks. These attacks rely on databases that contain words, frequent or compromised passwords, their leetspeak equivalents (a convention that replaces letters with look-alike numbers or special characters), etc.
Some experts recommend swapping a few characters in common nouns to bypass these weaknesses when it comes to creating passphrases, the idea being that long, easy-to-remember passwords are more secure (since they’ll actually be used) than passwords containing an abundance of impractical special characters. Nevertheless, the databases used in dictionary attacks already contain a number of substitutions. So, if you would like to use this method, you will have to come up with your own unique substitution system.
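To show why leetspeak substitutions and a few appended digits do not defeat a dictionary attack, here is an added Python check (example code, not the article’s or Netim’s) that normalizes a candidate password the way an attacker’s wordlist already anticipates and then looks it up; the substitution table and the tiny wordlist are constructed assumptions for illustration.

```python
import re
from typing import Optional

# Constructed mini wordlist standing in for the multi-million-entry
# dictionaries built from leaked password databases.
WORDLIST = {"password", "sunshine", "cheese", "iloveyou",
            "letmein", "qwerty", "12345"}

# Assumed leetspeak table, reversed: the look-alike an attacker expects
# in place of a letter, mapped back to that letter.
UNLEET = {"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
          "0": "o", "$": "s", "5": "s", "7": "t"}

# Up to four trailing digits or punctuation marks ("password1", "Cheese2024!").
TRAILING = re.compile(r"[0-9!?.#*]{1,4}$")


def unleet(s: str) -> str:
    """Map look-alike characters back to the letters they replace."""
    return "".join(UNLEET.get(ch, ch) for ch in s)


def variants(candidate: str) -> set:
    """Forms of the candidate that a leet-aware dictionary attack would try."""
    base = candidate.lower()
    stripped = TRAILING.sub("", base)
    return {base, unleet(base), stripped, unleet(stripped)}


def dictionary_match(candidate: str, wordlist=WORDLIST) -> Optional[str]:
    """Return the wordlist entry the candidate collapses to, or None if none matches."""
    for form in variants(candidate):
        if form in wordlist:
            return form
    return None


if __name__ == "__main__":
    for pw in ["P@ssw0rd1", "Sunsh1ne!", "Ch33se2024", "12345", "taupe-lantern-7-quill"]:
        print(pw, "->", dictionary_match(pw))
```

The check is only as good as its wordlist; a real one is far larger and tries many more substitution mappings, which is exactly why a substitution system has to be your own.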
Do: go for at least 12 characters
And up to 40.
This minimum protects you from brute force attacks, in which every possible combination is tried: the more combinations someone would need to go through to find your password, the less likely it is to be discovered.
But why 12, when a lot of websites require users to create 8-character passwords? The answer: best practices evolve. As the technical means of cybercriminals improve, online security standards must adapt to keep up.
And those 4 additional characters make a tremendous difference. In fact, a string of 12 characters can be arranged into 7.8 million times more combinations than an 8-character one. In other words, when it comes to passwords: size does matter!
Do: use 4 types of character
Using a mix of digits, upper and lower-case letters and symbols increases the number of combinations needed to find your password. However, adding a character to your password increases its strength more efficiently than replacing some letters or digits with special characters.
While special characters don’t play as important a role when it comes to preventing brute force attacks, they can be used to avoid dictionary attacks, as we touched on earlier. Additionally, they can add a random factor to your passwords.
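As an added illustration (not the article’s own calculation), the Python below computes the search space and entropy of a password from its length and the character classes it uses, which makes the point of the last two sections concrete: four more characters multiply the combinations far more than swapping a few letters for symbols does. The class sizes are assumed printable-ASCII counts, so the exact multiplier depends on the alphabet size assumed.

```python
import math

# Assumed sizes of the four character classes (printable ASCII).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}
ALL_FOUR = ("lower", "upper", "digit", "symbol")


def alphabet_size(classes) -> int:
    """Number of distinct characters available when these classes are used."""
    return sum(CLASS_SIZES[c] for c in classes)


def search_space(length: int, classes) -> int:
    """Number of distinct strings of this length over the chosen classes."""
    return alphabet_size(classes) ** length


def entropy_bits(length: int, classes) -> float:
    """Bits of entropy of a uniformly random password of this shape."""
    return length * math.log2(alphabet_size(classes))


def length_multiplier(from_len: int, to_len: int, classes) -> int:
    """How many times larger the search space gets when the length grows."""
    return search_space(to_len, classes) // search_space(from_len, classes)


def stronger(shape_a, shape_b) -> tuple:
    """Return whichever (length, classes) shape has the larger search space."""
    return max(shape_a, shape_b, key=lambda s: search_space(*s))


if __name__ == "__main__":
    print("8 chars, all four classes :", search_space(8, ALL_FOUR))
    print("12 chars, lowercase only  :", search_space(12, ("lower",)))
    print("12 vs 8, same alphabet    :", length_multiplier(8, 12, ALL_FOUR), "x")
```

With these class sizes, 12 lowercase letters already outnumber 8 characters drawn from all four classes, so length wins before symbols even enter the picture.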
Do: make it memorable
Long passwords containing symbols tend to be the strongest but also the most complicated; so how can we remember them?
There are a few options:
- Use the first letters of a sentence
- Try phonetics
- Create a passphrase rather than a password
This is perhaps one of the easiest techniques for creating long strings of characters. But you’ll need to follow some rules to ward off dictionary attacks: avoid famous quotes and song lyrics, add another level of difficulty (made-up or uncommon words, a random series of characters to replace a word…), or replace a word with a password built using the first-letter method.
- Your very own method!
This is probably the most secure choice, as long as you go by the recommendations we have discussed so far!
There is another way around the memory issue, which we will tackle later: password managers.
Do’s and don’ts of properly using passwords
You did it, you found a technique to create strong passwords tailored to your needs! But you’re not done yet. Part of maintaining your accounts’ security is implementing some good cyber hygiene.
Don’t: communicate your passwords to anyone
You are now familiar with the main types of attacks your passwords can fall victim to. Let’s take a look at a third and quite versatile one: social engineering. Multiple methods fall under the social engineering umbrella, but most of them aim at tricking users into giving out information or login credentials.
Phishing is one of these methods. Netim will never ask for your password and the same goes for all trustworthy websites. If you’re ever in doubt about an email, check the sender’s address and don’t click on any links it might contain. Instead, go to the website the email is supposed to be from in another tab and check the information for yourself. You can find a list of good practices in our article: “Phishing, how can you prevent yourself from this fraudulent practice?”.
Don’t: write down or enter your passwords anywhere
Whether it’s on a post-it note (perhaps stuck to your computer screen) or in a text file, writing down and saving your passwords without encrypting them is a bad idea.
Do you use public, shared computers? Be careful. Programs known as keyloggers can be installed on machines to monitor and record every keystroke you make. Similarly, public Wi-Fi can be unsafe, as it can expose your information to interception. In this situation, using a VPN can help keep your data safe.
Do: update your passwords
If you suspect someone has logged in to your account, if a data breach has occurred or if you typed your password on an unsafe device or website: update your password as soon as possible.
In addition, some websites offer a login history so you can monitor when and where your account was logged into. Others, like Netim, also have login alert options so you can be notified whenever someone accesses your account. Both features provide a way to make sure your password hasn’t been compromised and used.
You also want to avoid keeping the default passwords some websites use to set up your account. In the same way, recycling passwords you have already used for one of your accounts is not recommended: they won’t protect your data as they should, as they may already be in the possession of third parties or stored in cybercriminals’ databases.
Do: stick to the “one website = one password” rule
An account getting compromised is already bad enough, you don’t need it to morph into a security breach affecting all your accounts. But that’s precisely what can happen if you use the same password to secure all your accounts. The best way to prevent it is not reusing passwords (even rock-solid ones).
Another point to consider: changing one of the password’s characters doesn’t solve the problem. And it’s especially unsafe if the change follows any predictable pattern (password1, password2…).
While having a strong password is crucial, it’s not always enough to make sure your information and accesses are secure. Security breaches and sensitive data leaks are perhaps the most glaring examples of that problem. We recommend that you take some extra precautions to minimise the risks of your data being exposed.
Multi-Factor Authentication (MFA)
MFA involves adding one or several authentication factors in addition to passwords. Authentication factors can, for example, be something the user has (smartphone, smart card, U2F key) or is (biometrics). On the web, the most common multi-factor authentication method is a one-time code sent via text message or a token generated by a Two-Factor Authentication (2FA) application.
Over the last few years, 2FA has established itself as a standard in account protection. And rightly so: with 2FA, even if your password gets compromised, your account is still safe behind an additional layer of security. Multiple websites, including Netim, offer this feature.
While remembering a few passwords is a reasonable expectation, the task verges on the impossible when you have dozens of user accounts. Thankfully, a solution to this problem exists: password managers.
These programs store your passwords in a “virtual safe”, behind a master password. That password should be as strong as possible, so applying all the suggestions discussed above is highly recommended. In addition, choosing a password manager with Multi-Factor Authentication is also a must.
And to increase the security of your passwords even further, encryption plugins can be added to some managers, like KeePass (free and ANSSI-certified).
After reading our tips, you might be questioning the usefulness of the security questions used to update passwords or verify your identity. And you would be right to do so, as they present the same risk as creating passwords containing personal information.
If the option is available, create custom security questions. This allows you to ask for facts that no one else has knowledge of or access to, even if they scoured your social media for info. Another solution is to give false answers to default questions or to modify them according to a code.
Any website promising to “test out” the strength of your password is best avoided as well. Despite what is advertised, there’s no guarantee that the tested passwords won’t be saved and stored.
Computing capacities are ever-improving and data leaks are becoming more and more common. Security measures need to evolve accordingly to stay ahead of the curve.
Soon, passwords may disappear for good, replaced by U2F keys or other identification methods. In the meantime, it’s essential to remain vigilant in keeping your accounts and personal information safe from cybercriminals.