
Like it or not, the first line of defence against cybercrime is your passwords (and your employees’ passwords). They log you into the websites, systems and software which hold your most critical business and financial data, and they give your IT admins the ability to change the configuration and security of your computers and networks. So the management of passwords is hugely important.
Resetting Default Ones
The first thing to look at when managing passwords is making sure you have reset any default passwords on routers, firewalls, switches, wireless access points and any other equipment installed on your network. Most network equipment comes with a default password which is either published online or printed on a sticker attached to the device, so anyone who can reach the device already knows it. These default passwords need changing to something secure that only you know, ideally before the device is connected to your network.
Choosing Good Ones
OK, so you know you need to change the password to something secure, but what does that mean?! There has been a lot of guidance over the years, but let’s keep it simple:
– Longer is better: make sure your password is at least 12 characters long. It doesn’t need capital letters, numbers and symbols to be strong; length matters far more. A short string of words can help make it memorable. For example, ilikebrowndogsandpinkelephants is 30 characters long but pretty easy to remember and type. Just pick words that do not form a well-known phrase or quote, because those are in the attackers’ lists too.
– Make sure it is unique. If a password does get breached, cybercriminals will automatically try it (together with your email address) against as many other services as they can, a technique known as credential stuffing. Use a different password for each of your logins so that one breach stays one breach.
– Avoid common words and phrases. Whilst studies differ slightly, you only have to search for “most common passwords 2024” to see the repeat offenders: 123456, qwerty, password, secret and so on. Hackers are not stupid; they carry out “dictionary attacks”, where lists of common passwords, and simple variations of them such as password1 or Password!, are tried automatically. Also avoid anything that could easily be guessed about you, such as the name of your company or part of your address.
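The three rules above can be turned into a small checker, and the “string of words” advice into a generator that picks words at random so the phrase is not a guessable sentence. The example below is added here and is not code from the original article or from First Stop IT; the word list and the list of common passwords are constructed for the demo (a real generator should use a large published list such as a diceware list of 7776 words, and a real checker should use a full breach corpus). It also goes slightly beyond the text by calculating the entropy of a randomly chosen passphrase, which is what actually makes it hard to guess, rather than its length alone.

```python
import math
import secrets
from typing import List, Sequence

# Constructed sample word list for the demo only; use a large published list in practice.
SAMPLE_WORDS = [
    "brown", "dog", "elephant", "pink", "river", "candle", "orbit", "maple",
    "quiet", "saddle", "tunnel", "velvet", "window", "yellow", "anchor",
    "basket", "copper", "dragon", "ember", "fossil",
]

# Constructed list of "repeat offenders"; a real checker would load a full breach list.
COMMON_PASSWORDS = {"123456", "qwerty", "password", "secret", "letmein", "111111"}

MIN_LENGTH = 12

# Characters attackers routinely bolt onto a dictionary word ("password1!", "Secret2024").
TRAILING_JUNK = "0123456789!@#$%^&*.-_"


def entropy_bits(wordlist_size: int, n_words: int) -> float:
    """Entropy of a passphrase of n_words picked uniformly at random from a list of
    wordlist_size words: each word contributes log2(wordlist_size) bits."""
    return n_words * math.log2(wordlist_size)


def generate_passphrase(n_words: int = 5, words: Sequence[str] = SAMPLE_WORDS,
                        separator: str = "") -> str:
    """Pick n_words words with the `secrets` module (cryptographically unpredictable),
    rather than `random`, so the phrase cannot be reproduced from a seed."""
    return separator.join(secrets.choice(words) for _ in range(n_words))


def check_password(password: str, personal_terms: Sequence[str] = ()) -> List[str]:
    """Return the list of rules the password breaks (an empty list means it passes).
    personal_terms are things guessable about you, e.g. your company name."""
    problems = []
    lowered = password.lower()

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Strip trailing digits/symbols first so "password1!" is still caught as "password".
    base = lowered.rstrip(TRAILING_JUNK)
    if lowered in COMMON_PASSWORDS or base in COMMON_PASSWORDS:
        problems.append("based on a common password")

    for term in personal_terms:
        if term and term.lower() in lowered:
            problems.append(f"contains easily guessed term '{term}'")

    return problems


if __name__ == "__main__":
    print(generate_passphrase(5, separator="-"))
    print(f"5 words from a 7776-word list: {entropy_bits(7776, 5):.1f} bits")
    print(check_password("password1!"))
    print(check_password("ilikebrowndogsandpinkelephants"))
```

Note that the 30-character example phrase in the text only scores well if the words were not chosen as a natural sentence; five words picked at random from a 7776-word list give roughly 65 bits, whereas a phrase built from a famous quote is effectively one dictionary entry however long it is.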
Password Managers
Right, so you want me to choose long passwords and make them unique. But I have over 100 different logins! How on earth am I supposed to remember, and accurately and quickly recall, all these passwords?!
Password managers are pieces of software which help you create secure passwords, store them encrypted, synchronise them across your devices and fill them in automatically when needed. By using a password manager you will only have one password to actually remember (the master password for the password manager itself). That one password needs to be your longest and strongest, and you will need to protect it with 2-factor authentication – more on that later!
Some password managers will even show you the strength of your passwords and check them against lists of credentials leaked in known breaches, allowing you to take action before a stolen password is used against you.
Most browsers, including Chrome and Edge, allow you to store passwords. Personally, I advise against this. Anyone with access to your computer under your login (or malware running as you) can extract saved passwords from the browser; there have been many recent examples of malicious browser plugins harvesting users’ passwords; and it is far too easy for users to install browser plugins without anyone from IT vetting them first. So, when it comes to storing passwords, I would use a dedicated password manager every time.
Identifying Compromise
Assuming you now have each of your logins protected with a long password that is unique to that login and stored safely in a password manager, what next? The hope is that none of your passwords will ever get breached, but what if they do?
There are several ways that cybercriminals might obtain your password.
– They might guess it, using software to attempt logins against one of your accounts over and over until one succeeds. To protect against this, configure accounts to lock (or at least slow down) after around 10 incorrect attempts where possible. A sudden run of lockouts across several accounts is itself a sign that someone is trying.
– They might steal it, using malware installed on one of your devices to record keystrokes or to extract the passwords saved in Chrome or Edge (so-called infostealers), or using a hardware (USB) keylogger plugged in between the keyboard and the computer.
– They might trick you into entering it. Carefully crafted “phishing” emails lead people to fake login pages that look like the real thing, where they type their password straight into the criminals’ hands.
– They might steal it from someone else. There are several famous examples of online services such as LinkedIn, Adobe and Yahoo being hacked and their usernames and passwords stolen, then put up for sale on the dark web. This is one good reason to use a different password for each account!
Some good password managers will check for stolen credentials and warn you if your usernames/passwords appear in a breach. There are also free sites such as www.haveibeenpwned.com where you can check whether your email address appears in lists of breached accounts. The same site runs a Pwned Passwords service that lets you check whether a password itself has turned up in a breach without ever sending it the full password: only the first five characters of the password’s hash are sent, and the comparison is done on your own machine.
If you are made aware of a password being breached, the first thing to do is change it, everywhere you used it. If the login is protected by 2-factor authentication then hopefully the attackers have not been able to get into the account, but it is worth checking with your IT team for any sign-in activity you don’t recognise, just in case.
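To show how that “check without revealing the password” works, here is an added example (not code from the original article or from First Stop IT, nor from Have I Been Pwned). It implements the Pwned Passwords range lookup: hash the password with SHA-1, send only the first five hex characters to https://api.pwnedpasswords.com/range/, receive every suffix in that range with a breach count, and match the remaining 35 characters locally. The network call is included but the demo runs entirely offline against a constructed response; the made-up suffixes in it and the User-Agent string are assumptions for the example.

```python
import hashlib
import urllib.request
from typing import Dict, Tuple

# The real Pwned Passwords range endpoint; the caller appends a 5-character hex prefix.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex_upper(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> Tuple[str, str]:
    """k-anonymity split: the 5-character prefix is all that leaves the machine;
    the 35-character suffix stays local and is compared against the response."""
    digest = sha1_hex_upper(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines returned for a prefix (blank or malformed
    lines are skipped rather than aborting the check)."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        suffix, sep, count = line.partition(":")
        if sep != ":" or not count.strip().isdigit():
            continue
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """How many times the password appears in the breach corpus behind range_body,
    which must be the response for this password's own prefix. 0 means not found."""
    _, suffix = split_for_range_query(password)
    return parse_range_response(range_body).get(suffix, 0)


def live_range_lookup(prefix: str) -> str:
    """Fetch the real response for a prefix. Not used by the offline demo below."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": "password-check-example"},  # assumed name for the demo
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def constructed_range_response(password: str, count: int) -> str:
    """Constructed stand-in for a live response: the real suffix of `password`
    surrounded by made-up suffixes, in the SUFFIX:COUNT format the API returns."""
    _, real_suffix = split_for_range_query(password)
    lines = [
        "0018A45C4D1DEF81644B54AB7F969B88D65:1",  # made up for the demo
        f"{real_suffix}:{count}",
        "1E2AF1EB0D5DF0A7C3ED5DFEBD2C3AC8B7F:7",  # made up for the demo
    ]
    return "\r\n".join(lines)


if __name__ == "__main__":
    body = constructed_range_response("password123", 12345)
    prefix, _ = split_for_range_query("password123")
    print(f"sent to the API: {prefix}")
    print(f"breach count for password123: {breach_count('password123', body)}")
    # For a live check, replace `body` with live_range_lookup(prefix).
```

Because only a hash prefix is sent, the service learns that your password is one of the several hundred in that range and nothing more, which is why it is safe to run this against real passwords, and why a password manager can offer the same check without uploading your vault.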
Beyond Passwords
So now you should have implemented strong, unique passwords across your organisation and have a method for you and your staff to store and recall them. But as we have noted above, this is not foolproof, and there are many ways that passwords can be stolen.
To protect against this, you should implement 2-factor authentication, sometimes called 2FA or MFA, on every account that supports it, starting with the most critical ones (email, banking, remote access and the password manager itself). This way, even if a password is stolen, the account cannot be accessed with the password alone. If you need some help doing this please give us a call and we will be happy to point you in the right direction.
How can we help?
If you feel you would benefit from some help managing your passwords, First Stop IT offer a powerful and easy-to-use password manager as a standalone product and as part of our Advanced Managed Security Bundle. Just drop us a message for a no-obligation chat to see if we can help.