VIII. Thou shalt never reveal thine password for any account to anyone.
Summary:
This is one that should be an absolute no-brainer. Your password is your key to your data and applications. It should be absolutely sacrosanct and known only to yourself and NOBODY else. Nobody else has a need for it, except the evil doers and you wouldn’t give it to them willingly, would you? It couldn’t be simpler than this.
For the purposes of thoroughness, in this article all references to Password also refer to Passphrases, PINs or any other method of gaining access that is based on something you know.
For a business machine, nobody else needs your passwords. The instant your password is known by somebody else, then that could lead to fraud being committed in your name because your account can be accessed by somebody else. You could potentially lose your job or face prosecution as a result of this. If you are in a company where managers know the passwords of their team, then I’m afraid that company has a very poor security policy and may actually be in breach of privacy laws.
Your IT support provider should not need your password to sign in to your machine. They should have Administrative access over all the machines on the network, so they should be able to see everything they need from their own machines. In situations where they need to remotely see what you are seeing, then they should have tools for taking remote control of your machine. They should ONLY ever do this with your permission.
Even for a home machine I would recommend that everybody in the household who needs to use the desktop/laptop should have their own user account and password, and these really should not be shared. If you are giving your machine in to be repaired, you should probably change the administrator account’s password to something easy for the repair people and then change it back on return.
Finally Microsoft/Apple/Google will not ring you about a virus or other problem on your machine. Eircom/Vodafone/Virgin Media will not ring you about your Internet Wi-Fi. Hang up on these people and JUST NEVER GIVE YOUR PASSWORD TO ANYONE.
That’s all there is to it. I will continue below with some details on the subject of passwords. So if you are not interested in such particulars, just make sure your password is only known to you.
Detail:
Most common passwords:
This is the 2015 list of the top 25 most commonly used passwords (the 2014 chart position is in parentheses):
1. 123456 (Unchanged)
2. password (Unchanged)
3. 12345678 (Up 1)
4. qwerty (Up 1)
5. 12345 (Down 2)
6. 123456789 (Unchanged)
7. football (Up 3)
8. 1234 (Down 1)
9. 1234567 (Up 2)
10. baseball (Down 2)
11. welcome (New)
12. 1234567890 (New)
13. abc123 (Up 1)
14. 111111 (Up 1)
15. 1qaz2wsx (New)
16. dragon (Down 7)
17. master (Up 2)
18. monkey (Down 6)
19. letmein (Down 6)
20. login (New)
21. princess (New)
22. qwertyuiop (New)
23. solo (New)
24. passw0rd (New)
25. starwars (New)
If you use one of these passwords, then you might as well not have a password, as these are going to be the first passwords attempted by any hacker.
Some might say that #4 and #22 look a bit complicated – until you look at the keyboard and see that these are the top row of letters on an English language keyboard.
#15 looks like a real complicated password, doesn’t it? Look at the keyboard again, it is a key sequence running down a column of keys from the top row, left hand side to the bottom row and then the next column of keys.
Some of the other passwords, that are actual words, have originated from popular culture. For example #16 came as a result of the popularity of Game of Thrones. #21, #23 and #25 showed up as new in 2015 as a result of Star Wars Episode VII, The Force Awakens.
Somebody knows my password:
I would say change it immediately; however, let’s be practical here. If you change the password in a rush, you’re likely to forget what you changed it to. Take your time and read on here for further advice.
Every application/website needs its own, unique password:
I’m sorry – but this is absolutely ESSENTIAL (note emphasis), as reusing passwords is simply begging for trouble. Just ask Mark Zuckerberg (CEO of Facebook). He used the same password (and a poor password at that) for LinkedIn, Pinterest and Twitter. When LinkedIn was hacked in 2012, the list of all e-mail addresses and passwords of its members at that time was stolen. This list was recently released, and some enterprising evil doers tried Mr. Zuckerberg’s e-mail address and password from that list on Twitter and Pinterest and compromised his accounts.
This doesn’t just happen to high profile people, but to normal everyday people like you and me. Here was another case of these leaked e-mail addresses and passwords being tried by bad guys on other services.
Certainly turning on Two Factor Authentication (see Commandment VII) would provide a great additional layer of protection, but not all sites provide this facility so it cannot be relied upon.
Creating unique passwords for every application or website can appear daunting, but it can also be very easy. All you need to do is come up with a method for creating the password that uses attributes of each application or website to generate the password. As long as you can remember the method for creating the password, then you should be in good shape.
There is an entire module in the Security Awareness Training that L2 Cyber Security Solutions deliver which gives a couple of suggested methods that generate incredibly complex passwords, but as long as the method is known, they are easy to reproduce. Contact us to find out more about the training course.
Choosing a password:
Proper words make for really bad passwords, as one method hackers use to break a password is what is called a Dictionary Attack. This is essentially like throwing the Oxford English Dictionary at somebody’s password.
You might think you are being clever by substituting different characters in a proper word – e.g. P@$$w0rd. I’m afraid they tend to be wise to those techniques and will try them too.
Your password needs to make no obvious sense to anybody other than you. It should also be reasonably long – I would suggest 12 characters as a minimum. The longer the better as it makes it harder for the bad guys to crack. Make sure there is a mix of uppercase, lowercase, numbers and special characters.
How about a passphrase:
A passphrase is a password that is made up of a sequence of proper words. For example “ItWasTheBestOfTimes” or “MaryHadALittleLamb”. Passphrases are quite a good idea as they typically make the password very long, which makes it much harder to crack.
However my two examples are probably too iconic and would likely be attempted by the evil doers. Choose something more obscure like the third line of lyrics in a verse of a favourite song. Also add a little complexity by incorporating at least one number and a special character. So this might give us “R3memberTh3Sh@man” – that is 17 characters of pretty decent passphrase right there. (One Attaboy for the first person to identify the song without using Google/Bing/Yahoo :) )
Obviously it takes time to type in 17 characters, but as you keep using it, your muscle memory will kick in and make it a doddle to type in after a few days. If it’s only something you need to do once or twice a day it wouldn’t be that great an inconvenience.
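As an added example (not from the original post, and not code from L2 Cyber Security Solutions), here is a small Python policy check that applies the advice in the sections above: it rejects anything on the 2015 top-25 list, keyboard walks such as qwerty and 1qaz2wsx, dictionary words even after P@$$w0rd-style substitutions, and anything shorter than 12 characters or missing one of the four character classes. The dictionary, the substitution table and the keyboard layout are constructed stand-ins for the real lists an attacker would use.

```python
import string

# The 2015 top-25 list quoted in the article.
TOP25_2015 = [
    "123456", "password", "12345678", "qwerty", "12345", "123456789",
    "football", "1234", "1234567", "baseball", "welcome", "1234567890",
    "abc123", "111111", "1qaz2wsx", "dragon", "master", "monkey",
    "letmein", "login", "princess", "qwertyuiop", "solo", "passw0rd",
    "starwars",
]

# Constructed stand-in for a real word list (the "Oxford English Dictionary"
# that a dictionary attack would throw at a password).
DICTIONARY = {"password", "welcome", "football", "baseball", "dragon",
              "master", "monkey", "princess", "login", "remember"}

# Substitutions reversed so that P@$$w0rd is still matched as "password".
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "7": "t", "!": "i", "|": "l"})

# Rows of an English keyboard; walks like 1qaz2wsx run down successive columns.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def keyboard_sequences():
    """Every row, every column, and every run of three neighbouring columns."""
    cols = ["".join(row[i] for row in KEYBOARD_ROWS if i < len(row)) for i in range(10)]
    joined = ["".join(cols[i:i + 3]) for i in range(len(cols) - 2)]
    return KEYBOARD_ROWS + cols + joined


def is_keyboard_walk(pw, min_run=4):
    """True when the whole password is a run of adjacent keys, forwards or backwards."""
    p = pw.lower()
    if len(p) < min_run:
        return False
    return any(p in seq or p in seq[::-1] for seq in keyboard_sequences())


def normalize_leet(pw):
    """Undo common character substitutions so dictionary matching still works."""
    return pw.lower().translate(LEET)


def check_password(pw):
    """Return a list of policy problems; an empty list means the password passes."""
    problems = []
    low = pw.lower()
    if low in TOP25_2015:
        problems.append("in the top-25 most common passwords")
    if is_keyboard_walk(pw):
        problems.append("keyboard walk")
    if low in DICTIONARY or normalize_leet(pw) in DICTIONARY:
        problems.append("dictionary word (with or without substitutions)")
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    has = [any(c.isupper() for c in pw), any(c.islower() for c in pw),
           any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw)]
    if not all(has):
        problems.append("missing upper, lower, digit or special character")
    return problems


if __name__ == "__main__":
    # Candidates taken from the article's own examples.
    for candidate in ["123456", "1qaz2wsx", "P@$$w0rd",
                      "ItWasTheBestOfTimes", "R3memberTh3Sh@man"]:
        print(candidate, "->", check_password(candidate) or "OK")
```

Running it shows the article's point directly: “P@$$w0rd” is caught as a dictionary word once the substitutions are undone, “ItWasTheBestOfTimes” fails only because it has no number or special character, and “R3memberTh3Sh@man” passes every check. A real deployment would swap the constructed dictionary for a full word list and a breached-password list, and would also try splitting a passphrase into its component words.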
I tell my browser to remember my passwords:
STOP! Don’t do this anymore. Your passwords are effectively stored in an open file on your machine and are easily accessible by any evil doer that can get into it.
I store my passwords in a password protected Excel spreadsheet:
While this is OK-ish, there are a lot of utilities out there that crack the passwords of Excel spreadsheets.
Refer back to Commandment VI about encryption. Using compression utilities or purpose made encryption software to scramble the password spreadsheet would be a far better idea.
How about a password manager:
If you really are struggling with the whole topic of passwords, then get yourself a Password Manager. This will store your usernames and passwords for each and every site in a secure database and will pop them into the appropriate places on the log on page. They will even generate incredibly complicated passwords that even you won’t remember, because they will do the remembering for you.
There are plenty of free ones available and some that have free and paid versions. You must make up your own mind about which one is for you. There are some which only work on an individual device, as they store the password locally. So if you have a desktop, laptop and smart phone, this kind of password manager would not be appropriate. You would be better off going with one that has a cloud option, where the password database is on the internet and can be synchronised across the devices and platforms.
You should ensure that you are backing up the password database appropriately in case of a failure of the machine. This is most important where you are using the password manager to generate the passwords for you.
Finally bear in mind that, because of the nature of their business, Password Manager vendors are significant targets for the bad guys. There have been breaches in the past.
Conclusion:
If you have any comments, suggestions or questions on the above, please leave a comment below.
Do you have a Commandment for Cyber Security to add, or any thoughts on those that I have listed? If so, please let me know and I will do a follow up after I have completed the run through.