Ten tips for user password security

I recently wrote an article called What the Hack, in which I discussed the spate of hack attacks happening at the time. Unfortunately, not much has changed since then, and we keep on hearing of more and more password leaks, hacks, identities being stolen and loss of personal information. One of the password leaks that made headlines was that involving the loss of millions of Adobe passwords.

Social media platforms were a recent target with around two million login credentials of users on, among others, Facebook, Yahoo, LinkedIn, Twitter and Google. Security firm Trustwave discovered a trove of login credentials. When you analyse the different credentials, it’s alarming to see that a substantial number of people still use passwords that are so easy to guess. The most common passwords are:

1.      123456
2.      123456789
3.      1234
4.      password
5.      12345
6.      12345678
7.      Admin
8.      123
9.      1
10.     1234567

If you’re an IT admin, we don’t have to tell you to use strong passwords; but many people you know probably can’t be bothered putting some effort when choosing a password, let alone consider the risks. We’ve put together some dos and don’ts for you to pass on to family, friends, colleagues and anyone else you know would need it. You may need to be a bit more insistent.

1. Never use a simple password such as those above - it is a guarantee that the account will be compromised at some point. Do not use the following as a password: any sequence on your keyboard (qwerty, qwertyuiop, asdfghjkl, poiuytrewq, zxcvbnm), your name (or any name), your surname, your date of birth, or anything else which is easy to read or type. Don’t use dictionary words. Rule of thumb: what is easy for you to remember is probably easy for someone to guess!

2. Do use a complex password or passphrase for your most frequently used websites and office credentials. Use a phrase that makes sense to you, but to no one else; use mixed case, punctuation marks and symbols, and make it long. You will get used to it once you use it often. Here are some examples of complex pass phrases: Mycatisn0tgrumpy!, Mydogbump5intowall$, IS1ngwhenIc*ok, Iwillr3tireat40$$. You get the gist.

3. Do check your password complexity against the Password checker.

4. Do use a separate password for each website you have an account with. Do NOT re-use passwords. When you re-use a password you are making it easier for a hacker who compromised a single password to get access to ALL your accounts. Even if you use a complex passphrase such as those in 2, do not re-use that passphrase.

5. Do enable two-factor authentication (2FA) whenever it is available. Google, Facebook, Twitter all allow you to enable 2FA. This will generate a time-limited token (usually a text message on your phone) or a password generated by an app such as Google Authenticator.

6. Do use a password manager to store your passwords - especially the ones used for websites you don’t use often.

7. Do not use the password manager for passwords where you have sensitive information such as credit card details. Your office login and password, Paypal, Google, Facebook, Amazon and your other sensitive information accounts should NOT be stored in your password manager.

8. Do not store payment information such as credit card numbers in your email account (for easy access).

9. Do protect your passwords from prying eyes; never reveal your password(s) to anyone.

10. Do change your sensitive website account passwords regularly. It’s better safe than sorry.

*David Attard is WebMonitor Product Manager at GFI Software.