Security of your accounts and online transactions should be of paramount importance. Yet it is easy to develop bad password habits. Here we highlight some common mistakes and help you to manage your internet accounts safely.
Data security has been a core foundation at Netwealth since day one. We go to great lengths to ensure that the data we hold for you is secure, both at rest and in transit. However, like a physically secure facility, this amounts to nothing if someone leaves the proverbial front door open.
Password management is hard. Estimates vary, but it’s reasonable to say that you use around 100 websites for which you need to remember passwords. Each of these sites demands a non-trivial level of complexity for its password, and that creates some problems.
Password fatigue happens to us all. One more website asking for one more password and we think “I’ll just reuse this old one” or “I’ll just use something easy to remember”. The trouble is that we’re just not designed to remember the sort of passwords that websites want us to use. You know the format: “Minimum 8 letters, one upper, one lower, a number, and a strange character”. The ways we deal with this fatigue fall into one or more of the areas below.
Here are some of the most common mistakes we all make when password fatigue sets in:
Even if it’s a “strong” password, reusing it across multiple websites is dangerous. If any one of these sites is compromised, every site where you reused that password is also vulnerable. Within a few seconds of a successful breach, an attacker will have loaded your details into a bot (an autonomous network program) and tried to access thousands of the most popular websites.
Patterned passwords (a fixed core with a per-site variation) are less problematic than reused passwords but are still subject to a similar attack. In the past, I’ve used a reasonably complex suffix with a variable prefix for different sites. For example, FB_3rfjh3ru for Facebook, TW_3rfjh3ru for Twitter, etc. It won’t take long for someone to crack your impenetrable code once they get one or two examples.
Using something that’s simple for you to remember is, unfortunately, likely to be easy for a computer to guess. Words are particularly susceptible to “Dictionary Attacks”, and short passwords to “Brute Force Attacks”.
You’ve gone to the trouble of creating unique, strong passwords for all your websites, but you’ve stored them all in a file named “passwords” on your computer or synced to “the cloud”. If your machine or your cloud provider gets compromised, your passwords are defenceless.
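The bot-driven replay of breached credentials described above leaves a recognisable trace in a site’s login logs: one source address trying many different accounts within seconds. The following is an added example (not Netwealth code) of detection logic a site operator could run over such logs; the log format and the sample lines are constructed for the example, and the thresholds are assumptions to be tuned per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of login events (not real traffic). One source address
# cycles through many different accounts in a few seconds, which is the
# signature of a credential-replay bot; the other is an ordinary user
# mistyping their own password once.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=203.0.113.5 user=alice result=fail
2024-05-01T10:00:02Z ip=203.0.113.5 user=bob result=fail
2024-05-01T10:00:02Z ip=203.0.113.5 user=carol result=fail
2024-05-01T10:00:03Z ip=203.0.113.5 user=dave result=success
2024-05-01T10:00:04Z ip=203.0.113.5 user=erin result=fail
2024-05-01T10:00:05Z ip=203.0.113.5 user=frank result=fail
2024-05-01T10:00:30Z ip=198.51.100.7 user=grace result=fail
2024-05-01T10:00:45Z ip=198.51.100.7 user=grace result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_events(text):
    """Turn the constructed log format into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not login events
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"]))
    return events


def stuffing_sources(events, window_seconds=60, min_distinct_users=5):
    """Return {ip: details} for source IPs that attempt logins against at least
    `min_distinct_users` different accounts inside some `window_seconds` window.
    Successful logins from a flagged source are the accounts whose (reused)
    password the attacker already had; those users need a forced reset."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in sorted(events):
        by_ip[ip].append((ts, user, result))

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, attempts in by_ip.items():
        max_distinct, start = 0, 0
        for end in range(len(attempts)):
            # slide the window start forward until it fits in window_seconds
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users_in_window = {u for _, u, _ in attempts[start:end + 1]}
            max_distinct = max(max_distinct, len(users_in_window))
        if max_distinct >= min_distinct_users:
            flagged[ip] = {
                "distinct_users": max_distinct,
                "successes": [u for _, u, r in attempts if r == "success"],
            }
    return flagged


def report(text):
    return stuffing_sources(parse_events(text))


if __name__ == "__main__":
    for ip, info in report(SAMPLE_LOG).items():
        print(f"{ip}: {info['distinct_users']} accounts tried; "
              f"successful logins to review: {info['successes']}")
```

The single user who fails once and then succeeds is never flagged, because the rule keys on the number of distinct accounts per source rather than on failures alone.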
How password managers can help
While recognising that nothing is perfect, password managers do offer a significant advantage when managing all those passwords. They act like a secure vault in which you store all your website passwords and from which you recall them when you need them. Everything’s encrypted on your device and that encrypted data is then backed up in the cloud.
Passphrase not Password
Password managers are secured using a passphrase, rather than a password. A phrase such as “Once upon a time I went to Cambridge on a number 23 bus” has significantly more entropy than an 8-character password, is easy for humans to remember, and very hard for computers to guess.
Unique, strong passwords for everything
Password managers are great at generating strong, unique passwords for all your website logins and, the best part is, you don’t need to remember any of them!
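To put numbers on the two points above (the entropy of a passphrase versus an 8-character password, and the generation of strong random passwords), here is an added example in Python; it is not Netwealth code or any particular password manager’s code. It assumes words are drawn uniformly from a list (the 7776-word size is the common diceware size; the short word list in the code is constructed) and that the attacker’s guess rate is an illustrative figure, not a measurement. A natural sentence like the one quoted above has less entropy than a random draw of the same number of words, so the calculation is the optimistic, random-selection case.

```python
import math
import secrets
import string

# Constructed stand-in for a diceware-style word list. A real list has 7776
# words; the entropy functions use whatever list size is actually passed in.
SAMPLE_WORDS = ["apple", "bus", "cambridge", "dragon", "ember", "falcon",
                "garden", "harbour", "island", "jigsaw", "kettle", "lantern",
                "meadow", "number", "orchard", "pillar"]

# Letters, digits and punctuation: the 94 printable ASCII symbols a typical
# "one upper, one lower, a number, a strange character" policy draws from.
POLICY_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a secret whose `length` symbols are each chosen uniformly
    at random from `alphabet_size` possibilities."""
    return length * math.log2(alphabet_size)


def password_entropy(length: int = 8) -> float:
    return entropy_bits(len(POLICY_ALPHABET), length)


def passphrase_entropy(word_count: int, list_size: int = 7776) -> float:
    return entropy_bits(list_size, word_count)


def expected_crack_seconds(bits: float, guesses_per_second: float = 1e10) -> float:
    """Average time for an offline attacker to find the secret (half the space
    searched). The guess rate is an assumed figure for illustration only."""
    return 2 ** (bits - 1) / guesses_per_second


def meets_policy(password: str) -> bool:
    """The 'one upper, one lower, a number, a strange character' rule."""
    return (any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))


def generate_password(length: int = 16) -> str:
    """Uniformly random password from the 94-symbol alphabet, resampled until
    it satisfies the policy (which costs a negligible fraction of a bit)."""
    while True:
        candidate = "".join(secrets.choice(POLICY_ALPHABET) for _ in range(length))
        if meets_policy(candidate):
            return candidate


def generate_passphrase(words, count: int = 6) -> str:
    """Random passphrase: each word chosen independently with secrets.choice."""
    return " ".join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    for label, bits in [("8-char policy password", password_entropy(8)),
                        ("6-word passphrase (7776-word list)", passphrase_entropy(6)),
                        ("16-char generated password", password_entropy(16))]:
        years = expected_crack_seconds(bits) / (365 * 24 * 3600)
        print(f"{label}: {bits:.1f} bits, ~{years:.3g} years at 1e10 guesses/s")
    print("generated password:  ", generate_password())
    print("generated passphrase:", generate_passphrase(SAMPLE_WORDS, 6))
```

The 16-character generated password is the kind a manager produces for every site, and its entropy is well beyond what a human-chosen 8-character string reaches; the passphrase is what you memorise to protect the vault.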
Phishing is too big a topic to cover here, but it’s essentially the act of tricking you into divulging sensitive information or secrets. If you were to receive an official-looking email from, say, Barclaycard asking you to click a link to www.barcIaycard.com and log in, you’d probably not notice that the link is using an uppercase i rather than a lowercase L – it’s not the site you think it is.
An attacker could have created a very realistic-looking website at that address, and you’d see no danger in giving it your username and password. Password managers can spot the difference, though, and would not offer you any matching credentials to log in with.
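The reason a password manager is not fooled by the barcIaycard example is that it matches credentials to the exact hostname rather than to what the name looks like. The following added Python example (not the code of any real password manager) shows that matching rule, plus a small lookalike check that turns a silent non-match into an explicit warning. The vault contents, the confusable-character table (a deliberately short stand-in for the Unicode confusables data) and the treatment of the vault key as the registrable domain are all assumptions of the example.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed vault: site domain -> username. A real manager keeps the
# encrypted password alongside; only the domain matters for matching.
VAULT = {
    "barclaycard.com": "alice@example.com",
    "example.org": "alice",
}

# Characters commonly substituted for Latin letters in lookalike hostnames,
# mapped to the letter they imitate. Deliberately small; a production
# implementation would use the Unicode confusables table.
CONFUSABLES = {
    "1": "l", "i": "l", "|": "l", "0": "o",
    "\u0430": "a",  # Cyrillic a
    "\u0435": "e",  # Cyrillic e
    "\u043e": "o",  # Cyrillic o
    "\u0440": "p",  # Cyrillic r
    "\u0441": "c",  # Cyrillic s
    "\u0443": "y",  # Cyrillic u
}


def skeleton(host: str) -> str:
    """Collapse a hostname to the ASCII string a human would read it as."""
    host = unicodedata.normalize("NFKC", host).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in host)


def _belongs_to(host: str, domain: str) -> bool:
    """True when `host` is `domain` or a subdomain of it. Simplification:
    the vault key is taken as the registrable domain instead of consulting
    the Public Suffix List."""
    return host == domain or host.endswith("." + domain)


def credentials_for(url: str):
    """Decide what the manager should offer for `url`.
    ("fill", domain)      exact host match: safe to autofill
    ("lookalike", domain) host merely resembles a saved site: warn, never fill
    ("none", None)        unknown site: nothing to offer"""
    host = (urlsplit(url).hostname or "").rstrip(".")  # .hostname lowercases
    for domain in VAULT:
        if _belongs_to(host, domain):
            return ("fill", domain)
    host_skel = skeleton(host)
    for domain in VAULT:
        if _belongs_to(host_skel, skeleton(domain)):
            return ("lookalike", domain)
    return ("none", None)


if __name__ == "__main__":
    for url in ["https://www.barclaycard.com/login",
                "https://www.barcIaycard.com/login",          # capital I for l
                "https://www.b\u0430rclaycard.com/login",     # Cyrillic a
                "https://barclaycard.com.evil.example/login"]:
        print(f"{url:48} -> {credentials_for(url)}")
```

The first pass is the only one that ever releases a credential; the skeleton pass exists so the user gets told why the manager stayed silent instead of concluding that autofill is broken and typing the password in by hand.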
Two-factor authentication or multi-factor authentication (also referred to as 2FA or MFA) works on the principle of “something you know” (password, PIN, etc.) and “something you have” (mobile phone, email address, phone number, etc.). All password managers allow you to add 2FA to your account. This means that even if an attacker gets hold of your username AND password, they also need to have your mobile phone to gain access to your account.
If you use 2FA, be aware of where your phone is. 2FA codes sent via SMS will often display even on a locked phone. Also make sure the phone is encrypted and password protected, so that it locks itself if you walk away from it.
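The “something you have” codes above are described as arriving by SMS; authenticator apps produce the same kind of six-digit code locally from a secret shared at enrolment, using the TOTP algorithm (RFC 6238, built on HOTP, RFC 4226). The following is an added example of both sides of that exchange in Python, not code from Netwealth or from any password manager. The secret `b"12345678901234567890"` used in the test is the RFC’s published test key; the drift window and the step length are the RFC defaults.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, dynamic
    truncation to 31 bits, then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time.
    This is what the authenticator app (the 'something you have') computes."""
    return hotp(secret, int(at_time) // step, digits)


def new_shared_secret(length: int = 20):
    """Secret generated by the site at enrolment. The base32 form is what the
    QR code carries to the phone; the raw bytes are stored server-side."""
    raw = secrets.token_bytes(length)
    return raw, base64.b32encode(raw).decode()


def verify_totp(secret: bytes, submitted: str, at_time: float, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check. Accepts the current step and `window` steps either
    side to absorb clock drift, and compares in constant time so the
    comparison itself leaks nothing about the valid code. A real server must
    additionally record the counter it accepted and refuse to accept it twice,
    so a code seen on a locked phone's screen cannot be replayed."""
    counter = int(at_time) // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), submitted):
            return True
    return False


if __name__ == "__main__":
    raw, b32 = new_shared_secret()
    print("provisioning secret (base32):", b32)
    now = time.time()
    code = totp(raw, now)            # what the app shows
    print("app shows:", code, "->", "accepted" if verify_totp(raw, code, now) else "rejected")
    print("wrong code ->", "accepted" if verify_totp(raw, "000000", now) else "rejected")
```

Nothing travels over the phone network here, which is why the locked-screen SMS preview in the paragraph above does not apply to app-generated codes; the remaining exposure is the device itself, hence the advice to keep it encrypted and locked.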
Most password managers allow you to restrict which countries you’re allowed to log in from. If you split your time between, say, the UK and France, you can set those as the only two locations permitted to attempt a login. This further reduces the surface an attacker can use.
Single point of failure?
If I move everything into a password manager, isn’t that now a single point of failure? If an attacker gets in, haven’t I lost everything? Well, yes and no.
Yes, if they got in, they’d have access to everything. However, for the companies that make these vaults, keeping them secure is their sole focus. We put our cash in a bank, rather than distributing it throughout the house, because we trust that they are completely committed to keeping it safe. Secondly, you should also have 2FA set up on every website that allows it. This acts as a second line of defence.
What should I do now to be much safer online?
Use your favourite search engine to search for “password managers”.