Most of the passwords you are using daily are possible to break. It’s important that you know how to make them as complicated and time-consuming as possible for the cyber criminals to break so that they will move on to an easier target.
It’s quite simple: if you find your password to be easy to remember, then it most likely is also easy for a cyber criminal to figure out. At the same time, we’re expected to memorise our passwords, and they should be unique, long, and complicated.
For a cyber criminal using a password cracking machine, it will take more time – and cost them more money – the stronger the password is. That is why, they will always look for the path of least resistance, to make sure they are not wasting their time.
What is the weakness of the passwords we have today?
Your passwords can be leaked through a data breach, for example, because a company has not stored them securely. We can also fall victim to social engineering attacks, phishing attacks and other frauds.
The theft of credentials, and the sale and distribution of these, for
criminal activity is unfortunately lucrative and will continue as long as we have password logins.
However, the biggest weaknesses when it comes to passwords are the users themselves.
Users create weak passwords, and oftentimes use these in multiple places—both at work and in private settings. These passwords are often stored in insecure places. Feel guilty of leaving your password on a post-it note on your desk or in a note on your mobile?
Not to mention that we tend to forget our passwords, and therefore have to reset passwords often using a password reset link in an email. This can also be risky if someone gains access to this email.
What is considered a strong and a weak password?
A password is considered stronger the longer it is, and it is recommended that it should be no shorter than 12-15 characters. In addition to this, the password should contain the following elements:
- Special characters such as: ! @ # ? and so on
- A combination of capital and lowercase letters
- Accents (è, é, â, î or ô and so on) if the system supports it
- A random sequence of characters
It might be a good idea to use a passphrase so that you more easily remember it, and combine it with all of the above, such as special characters, numbers, and spacing.
To make it even stronger, you can use phrases that are typical for your accent or insert some spelling mistakes that only you will remember.
Also read: Password security tips from our experts
What characterises a weak password?
A weak password on the other hand is short, a well-known word many people use or a well-known piece of information, and also something obvious that should be avoided at all cost.
This can be for example your name, the name of your company, your favourite sports team, your dog’s name, or this in combination with an easy number combination such as 123 or 111.
Did you know that one of the most common colours used in, or as a password, is the colour “blue”–the colour of Twitter, Facebook, and Linkedin’s logo? This is a good example that most people might not be particularly creative when choosing a password, but choosing whatever is literally under their nose, making it very easy for cyber criminals.
“If your email account is taken over by cybercriminals, they can effectively gain control over all your other Internet accounts. The strongest defence you have against this is a strong, unique password coupled with two-factor authentication,” – Christian Andersson, Security Engineer in Tripletex.
Even your passphrases should not be too obvious as a cyber criminal will have access to most lyrics, movie scripts, books, TV shows, languages, and so on, and with the right tools will be able to compare it with your password in a matter of seconds.
There are also popular passwords that are based on keystrokes such as for example “qwerty”. These should not be used. In addition, you should not change your password on a regular basis, unless you suspect that you have been part of a breach and that your credentials and passwords may have been leaked.
Changing your password too often can result in bad passwords since many will choose a more effortless route and create a password too similar to the old one.
You might also be interested in: 14 tips for staying secure at the home office
What is a password manager and how can it be used?
Passwords can be hard to keep track of. Just think about how many different accounts and platforms you log into during a day, both during work hours and in your spare time.
To keep our data safe, we are expected to have strong, unique passwords on all these accounts. Oftentimes, we need to create new variations of these passwords.
One survey carried out by the password manager company LastPass shows that the average user manages a total of 191 passwords.
So, how can we possibly remember all of them?
Experts often recommend using a password manager, because it is nearly impossible to have complex, unique and different passwords everywhere you log in–and still be able to remember all of them.
A password manager is a computer program, or more specifically an encrypted database. Here, users can store all their passwords and login information, or generate passwords, for all their different logins around the web. The only thing you need to remember is your master password to access all your other passwords and login information.
Depending on the service, they can create complex and unique passwords for all your accounts and help keep these protected by storing them securely.
It can also be synchronised across your devices. This makes it easier for you to access your accounts no matter if you’re on your mobile phone, your laptop or tablet.
It is crucial that your master password is strong, unique and complex, as it’s guarding all of your passwords.
Nowadays, most password managers are cloud-based, meaning that you can use the same account on all your devices no matter where you are.
Most password managers do not sit on data that can be stolen by a cyber criminal. That is because they use the security model ‘zero knowledge’, meaning that the password manager provider does not have access to your passwords. If the provider should be hacked, no user data can, therefore, be compromised.
Some examples of password managers are Lastpass and 1Password. There are many different password managers to choose from, so in order to find the one provider that fits your needs the best, you should always take the time to do research online before making a decision.
What are the benefits of using a password manager?
The main benefit of using a password manager is the convenience they provide. They make it easy to follow password policies that dictate long, complex and unique passwords without having to remember them all. Organisations and companies can also have individual vaults for all employees.
It is also easy to manage shared accounts without having to share passwords with all users. Some password managers will also provide you with a randomly generated password, making sure that
it is strong enough and that it has not been used on any of your other accounts.
The password manager will also keep your password available for you no matter where you’re logging in and on what device. Once you have logged in once, it will automatically fill in your username and password the next time you’re visiting that page.
What is 2FA/MFA?
Another way to make it more difficult for cyber criminals to access your passwords is through two-factor authentication (2FA) and Multi-factor authentication (MFA). These are electronic authentication methods where you’re granted login access only after having gone through two or more steps to prove your identity.
This is a very effective way to secure your accounts and often comes in the form of the classic password or pin code, followed by an extra layer such as a randomly-generated code either sent to you by SMS or generated through an authenticator app installed on your phone.
It can also be the use of a physical token, key or bank card, or biometrics: fingerprint on your phone, facial recognition, and so on.
What is the future of passwords?
If password security is such a pressing issue, how come we still have passwords? At the time being, there is not yet a solution that all vendors have been able to agree upon, and commit to. There is also the fear of changing something that works.
There is a fine balance between easy to use, scalability, complexity of technology, and resources. Humans and companies have a tendency to favour convenience and tested solutions, and that often comes at the expense of security.
So, what alternatives do we have for the future, then?
Even though many of the alternatives also have their limitations, we have seen many new options emerge over the past years. There is biometrics such as fingerprints, voice identification and face recognition with cameras that have become available.
Such solutions can cause some privacy issues. Also, it is still an expensive technology and a bit complex for everyday use on multiple
devices, platforms, and sites.
Mobile devices can also be used. The downside? That can in some cases
be impractical: if you don’t have a smartphone, run out of battery, or any other situation where you find yourself without a phone. It can also be vulnerable to man-in-the-middle attacks.
Another solution that has been up for discussion is public key infrastructure (PKI). This is a technology used for authenticating users and devices through encryption. It is a complex infrastructure, and it takes a great number of resources both financially and administratively.
Two-factor authentication with a physical token is another option. This is a field where there will likely be major changes in the future. The technology develops rapidly and we’re moving closer and closer to quantum computing, which will probably be the end of passwords as we know them.
Do you want to learn even more about password security? Watch Security Evangelist Per Thorsheim’s talk “Passwords are forever!” from the Visma Security Conference 2020.
Or read more blog posts about security and cyber crime on our Security category page: