Always remember the unpleasant fact that you can and probably will at some time get compromised. It may or may not be due to a mistake. Following the best practices around how to secure password curated by our research team will help you improve your security posture considerably.
It will also help you to contain the damage if one of your accounts gets compromised.
Most of the information related to “how to secure passwords” across the internet is obsolete and not helpful for 2021. Further, we will also keep this information updated, so a good idea will be to bookmark this page and revisit it later.
1. Review your security settings for critical accounts
This is the first and most crucial point. Go to security settings in your accounts and review the configuration. Most apps out there now allow or support two-factor authentication. In addition, you can use an Authenticator or phone/email verification. Choose that right away.
Anything which requires a higher level of security must have a three-factor authentication.
Change or update your security questions/answers at least once a year. For example, Instead of the City, you were born, anything more recent, like who was your last manager, will have a higher level of security. Remember, just meeting the password requirements will barely keep you safe.
2. Go passwordless if the website or application supports
Going passwordless will be a good idea as we see a focus from the Industry in that direction. Authenticator applications generate a sequence of digits in your smartphone app, and you will use these digits to log in to different websites or applications. This method is evolving. Microsoft Authenticator has already started offering passwordless login using a fingerprint, face recognition, or a PIN.
For more details about passwordless authentication, please refer to our post regarding passwordless authentication here.
3. Use unique passwords for all accounts
Do not use the same password for more than one account. Also, do not repeat the passwords.
Several websites allow you to use your email address as a username. It’s super easy (and stupid) to use the same password as your email. It will put you at a much higher risk of loss if one of your accounts gets compromised.
4. The key is “length” and not complexity
The number of characters is the ultimate key to keep yourself protected. Anything more than 12 characters (yes, we are in 2021) should be good. We would recommend you reduce focus on password complexity requirements. Remember each character you add to your password will exponentially increase the number of efforts to Brute Force it.
Once the attacker realizes it’s difficult to crack your passwords, in the interest time, they will move on.
So using phrases or sentences instead of words will get you a stronger password.
5. Do not use dictionary words, but phrases are ok
Password guessing (using a dictionary) is the most common way for attackers. The worst passwords ever are dictionary words, adjacent keystrokes (asdfg, qwerty), usernames, pet’s name, date of birth, daughter’s name, date of birth, etc.
Most of this information is probably available over the internet or the dark web due to continuous data scraping from social media platforms, including Facebook and Linkedin. Data Scraping is a severe threat, and you should be more considerate about sharing personal information on these platforms.
6. Change your passwords once every quarter
It may very well be possible that one of your accounts might have compromised or leaked. Changing your password once in three months will be a good idea.
If you see anything suspicious in any of your accounts (yes, including Netflix), immediately change your password and security questions.
7. Avoid storing passwords in plain text
Do not store all your passwords in one place. If you do that, make sure it’s hidden at all times and keep the list encrypted. In addition, we strongly recommend using a password manager, as it will save you a lot of headaches.
8. Do not get sloppy
Do not ever get sloppy. Remember, Hacking isn’t that easy; most attackers try to exploit the easy targets. When they find that it’s probably challenging to target you, they will just move to the next target. They also love their time, like us all. So keep yourself updated on the latest news and information around security.
If you are an app developer, you may like to check NIST 800-63B guidelines around Authentication and Lifecycle management.
9. Understand how attackers are targeting you
Following are the most common attacks observed in the wild to get or crack your password:
A dictionary attack is when the attacker tries to guess a password by trying many common words and their simple variations. Often attackers use a leaked password list, a list of common passwords, characters, actor/actress names, etc.
Brute Force Attack
A Brute Force attack uses all possible combinations of keywords, special characters, and numerics in trial and error methods. While the technique is quite old, it’s still prevalent, and hackers continuously work to create a more efficient algorithm to crack the passwords.
Spear Phishing attack
In Spear Phishing attack, attackers use social engineering using fraudulent email messages, phone calls, or text messages to trick the victim into revealing sensitive information. The goal is to steal sensitive data, for example, credit card or login information.
Attackers can later use this information for financial fraud or just to install malware on the victim’s machine.
These attacks are getting more sophisticated and challenging to detect in time.
Spear phishing messages will almost always highlight a sense of urgency; this is one of the warning signs of Spear Phishing attacks.
Phishing attack uses emails primarily to trick the victims in to clicking over a malicious link or opening a file with macros. Unlike Spear Phishing, these messages are not personalized to the victims and are usually sent to many persons.
We hope you liked this information on how to secure passwords in the modern world. What do you think about it?
Please do share your thoughts and write to us.