Password security and why it is important
With all the news of data breaches at major companies, such as Yahoo's multiple breaches reaching over a billion accounts or Apple iCloud accounts being hacked, password security and protecting your accounts is a big concern, or at least it should be.
First line of defense
Security experts are still not sure whether this new group of hackers, who are threatening to remotely wipe millions of iPhones and iPads, is a legitimate threat. It has recently been reported, however, that they did not directly breach Apple's iCloud services. It is believed they obtained the passwords from data breaches at other sites and services, such as Adobe, Dropbox and LinkedIn, to name a few. You may be asking: if they obtained the passwords from different services, why would I have to worry about my iCloud account? The reason is that many people have a hard time remembering passwords, so they use the same password (or at least a handful of the same passwords) across several websites and services. As the first line of defense for your online accounts, it is extremely important to use a different password on every single website and online service, especially the ones that do not offer two-factor authentication.
What is a strong password?
The second thing you should do is make sure you create a “strong” password. You may ask, what is a strong password? Unfortunately, this is a very debatable topic. Many security experts recommend that your password be at least 16 characters in length. In many security experts' opinion, the length of the password is more important than its overall complexity. Many sites have a password policy that requires a combination of symbols, numbers, uppercase and lowercase letters. But if the password is repeatable, uses dictionary words or is less than 16 characters in length, then you may want to rethink your password and change it. Length matters because security experts think of password strength in bits: a 100-bit password would take many years longer to crack than a 20-bit password.
One of the best ways to create a strong password is to use a password generator. Many of them will let you pick the length, include symbols, numbers, lowercase and uppercase letters, and even exclude similar-looking characters. Once the password is generated, some will even give you a phrase to help you remember it. For example, the generated password tx6deJL@mXKBaG*fnxWwjR5#2jB8cV might have the phrase “tokyo xbox 6 drip egg JACK LAPTOP @ music XBOX KOREAN BESTBUY apple GOLF * fruit nut xbox WALMART walmart jack ROPE 5 # 2 jack BESTBUY 8 coffee VISA.” Note this is just for example purposes. We do not recommend you use this specific password.
A strong password of at least 16 characters greatly improves your overall security against brute-force attacks. In simple terms, a brute-force attack on your password goes through every possible combination of characters. Hackers are coming up with much smarter ways to brute-force passwords, though. Many have algorithms that handle tricks such as replacing vowels with numbers or putting hyphens and underscores between words, which is why using a password generator is a better idea than coming up with your own password. Password generators are not foolproof by any means, but they are still better than coming up with a password yourself.
How can I remember all these passwords?
Remembering passwords is not an easy thing. Because of this, many people have moved to saving their passwords in their browsers. There are a few issues with this: for one, it isn’t the most secure way to save your passwords, and two, it doesn’t help you remember your password while using the mobile apps for these services. Some believe the answer to these issues is a password manager such as LastPass or 1Password. Both have had some very public security concerns. Back in 2015, 1Password had a vulnerability that allowed developers with some technical know-how to read a user's credentials in plain text (it is important to note that 1Password has fixed this vulnerability). LastPass, as we write this, has a major vulnerability that they are working to fix as soon as they can, and they urge all users to enable two-factor authentication. So you may ask, what can we do to protect ourselves? There isn’t always one easy answer; it is a combination of things.
Enable two-factor authentication
We fully recommend using two-factor authentication (sometimes called two-step authentication), which is exactly what it sounds like: taking two steps to log in to your account, first logging in with your username and password and then completing a second step that uses something the user, and only the user, has on them, such as a phone. When enabled, after you log in with your username and password, the service may also ask you to enter a code that is sent to you via text, email or other means. We advise people to enable two-factor authentication on any service that has the capability. Most security experts accept using a password without two-factor authentication for low-risk applications, but fully recommend two-factor authentication on anything that supports it, especially high-risk services such as your banking website. By enabling two-factor authentication, it is possible to have a slightly less strict password policy (even though we do not recommend that).
- Do not use the same password across services. Always have unique passwords on all websites and services.
- Use a password with a minimum of 16 characters in length. The longer the better.
- Use at least one number, one uppercase letter, one lowercase letter and one special symbol, placed in no particular pattern. In other words, mix it up; don’t put all your numbers and symbols at the end of your password.
- Try not to use dictionary words.
- Try not to use similar-looking characters (e.g. i, l, 1, L, o, 0, O).
- Do not allow your web browser to store your passwords.
- Do not log into any sensitive accounts such as your banking on public Wi-Fi, Tor, free VPN or web proxy.
- Do not send sensitive information such as your password over unencrypted connections.
- Do not store your passwords in the cloud.
- Most importantly, enable two-step authentication whenever possible.
If you have a WordPress website, we can help keep your site protected. To learn more about the WordPress Security & Maintenance Services that Red Technologies provides, visit What We Do or give us a call at 612-310-7972.
Disclaimer: We are not certified security experts. We are giving a high-level overview about web security so that you can be more informed about some of the most common security vulnerabilities to look out for when developing or finding a developer. We will also be sharing some resources to help you continue your research on web security.