Passwords are still a big part of our daily digital lives. So here are some password tips from top security experts to help you stay safe online.
Passwords have become somewhat of a thorn in the side of many cybersecurity experts. When it comes to advising people about the best way to stay safe online, security professionals are often quick to suggest going passwordless where possible and switching to other methods of verification.
This is because passwords are one of the biggest gateways to data breaches. According to the 2019 Verizon Data Breach Investigations Report, 80pc of hacking-related breaches involved compromised and weak passwords.
However, from speaking to security experts such as Keeper Security CTO Craig Lurey, it seems we must resign ourselves to the fact that passwords are here to stay, at least for now.
So, what can be done to boost your security online? We’ve rounded up a few password tips from some top security experts.
Avoid dictionary words
Michael Green is a senior cloud security consultant at BSI Cybersecurity and Information Resilience Ireland. One of his top password tips is to avoid using words from the dictionary, especially words that could be guessed based on information about you that might be in the public domain.
“Use passwords of sufficient complexity and length,” he said. “Do not reuse passwords across apps and websites. I would also add that people should avoid reusing passwords with modifications such as incrementing a number at the end or adding a special character, as this is something that an attacker may attempt also.”
Check for breaches
Green also advised checking if your account has been part of any known breaches. This can be checked on sites such as Have I Been Pwned?.
“If credentials are found to be part of a breach, the user needs to secure the account in question by resetting the password, reset the backup security questions and one-time backup codes, check for and remediate any forwarding rules, and otherwise secure the account and any other linked accounts whether they be linked via shared passwords or something else,” he said.
Engage in secure web browsing
Lynn Simons is the senior director of security awareness and engagement at Salesforce. She said every user should make sure they engage in secure web browsing, especially when logging into accounts.
“Check to make sure every website you interact with is secure. Depending on the browser, this may show up as a lock symbol next to the URL (Chrome) or https:// (Safari).”
Consider a password manager
To avoid the dreaded fatigue of trying to remember so many different, regularly changed passwords, Green and Simons both recommended using some form of password manger.
“There are various types and different vendors that people can utilise to strengthen security by generating and storing complex passwords for each site or application,” Green said. “Also evaluate the security of the password manager itself, due to the sensitivity of what is stored within it.”
Simons namechecked LastPass as a tool to securely store passwords, notes and other sensitive data.
Reduce your apps
Another important consideration for users is that the number of apps they use and engage with can increase their risk of being hacked.
“Everything is connected, so properly review the apps that are installed on devices from a security perspective and be equally careful with the web apps and sites that are used,” said Green.
“For every app that is not installed and every site that is not used, a user is reducing their attack surface. Do users really need to use a potentially risky web app to convert a Word file to a PDF or does Word have a native option to do that for the user? Yes, Word does. If installing an app on a phone that superimposes animal masks on your face, for example, does this app really need to access certain data on the user’s phone such as microphone, emails and address book?”
He strongly encouraged users to think about the permissions they grant the apps they use before clicking ‘yes’.
Use multifactor authentication
As well as good password hygiene, other methods of security should be considered as well. Jenn Markey, director of identity at security company Entrust, said: “Requiring a password plus one or more added credentials, also known as multifactor authentication (MFA), is a good way to prevent unauthorised account access.”
These other credentials could include one-time passcodes or biometric information. However, just like passwords, MFA is just one cog in the cybersecurity wheel and there are different types of MFA that come with different levels of security.
Switch to passwordless
While passwords continue to be a common part of our daily lives in the digital world, many security experts still vouch for switching to a passwordless model.
“Despite the continued reliance on the password model, my top tip would be, rather ironically, to move away from it,” said Jason Soroko, CTO of public key infrastructure at cybersecurity company Sectigo.
“Password managers have experienced a growth in popularity and yet this model is still far from perfect. If your endpoint is compromised with a key logger, a complex username/password will not help,” he said.
And while Markey is an advocate for using MFA along with passwords, she ultimately said opting for a passwordless system is best.
“Instead of passwords, business leaders should work with their security and IT managers to implement and deploy high-assurance credential-based passwordless authentication that merges the power of digital certificates with smartphone biometrics to create an employee’s trusted workplace identity, wherever that workplace may be,” she said.
“By eliminating the password, you effectively protect your organisation from phishing attacks, which minimises the risk of a data breach.”