Last week it was reported that more than 700 million email addresses, and a number of passwords, have been leaked in what is already being referred to as one of the largest spambot dumps the world has ever seen.
At present it is believed the data dump originated via a spambot called Onliner, however this is yet to be verified. People can check if their email address has been affected by going to www.haveibeenpwned.com
Security experts are advising those affected to change their passwords immediately to reduce the risk of further penetration. This recommendation raises the question – what makes a secure password?
Aura Information Security’s general manager, Peter Bailey says, "While security experts have been talking to people about securing their passwords for years, it is still one of the easiest points of access for hackers to use. Too often passwords are written down, reused or are too easy to hack."
Passwords are the gateway to you and your company’s private materials, but the importance of password security is often overlooked – which can lead to increased cyber security risk for businesses.
Here are six top tips on how to maximise your business’ password security from Aura Information Security’s Peter Bailey:
1. Use a password manager
A good password manager, which is essentially a vault that stores all your passwords in one place and is protected by a master password, will make the task of setting strong, different passwords for multiple accounts far easier. These password managers rely on you setting a very strong master password, so Aura recommends using a “passphrase” as this master password – that is, a sequence of four or five words. These days, it’s length, not complexity, that makes a good password, so try to choose longer words that aren’t predictable or easy to guess. Fortunately, it will be the last password you have to remember, as most password managers include password generators to create strong (long and complex) passwords for you, so you’ll never have to look at or type in another password again. There are lots of options out there, ranging from online solutions such as 1Password or LastPass, to the more technical solutions such as KeePass. Most solutions provide mobile apps as well, so you can manage your passwords on your iOS or Android devices too.
2. Use two-factor authentication where it is available
Where two-factor authentication is offered (even Facebook offers it these days), make use of it. Two-factor authentication combines username and password (factor one) with a second level of verification, like a text (TXT) code sent to your mobile or a 2FA code generator such as Google Authenticator (factor two).
3. Don’t reuse passwords
If a hacker does manage to access your business password, having the same password for everything could spell disaster. The same goes for employee passwords: sharing passwords between their personal and business accounts increases the chances that the password could be compromised. It is best practice to have multiple passwords, to minimise the potential impact on your business should one password be discovered.
4. Never disclose or share your credentials
Cyber criminals are getting more and more sophisticated, but in our experience the same types of tricks that have been used for years by hackers are still the most effective – and that is social engineering. In other words, tricking an employee into clicking on an infected link, revealing a user name and password, or paying an invoice that looks like it has come from a legitimate source. Perhaps our biggest piece of advice is that good security starts with staff education and effective security policies – and that includes never revealing your passwords to anyone, or including passwords in documentation (emails, work instructions, application user guides, etc.).
5. Ensure your employees understand cyber security
Most security breaches can be attributed to employee error… or ignorance. Employees who use weak passwords or use the same password across personal and work accounts can prove to be the weak spot that hackers use to penetrate your business. To ensure your business fosters a culture of cyber security awareness, regular training and education is key. If you don’t have a CISO to help lead the charge, there are some great online tools and employee checklists available from sites such as ConnectSmart.govt.nz and cert.govt.nz. Aura also recently launched its e-learning tool, CyberWise, which is designed to provide businesses with the ability to train and educate staff whilst also identifying areas for improvement.
6. Make your password complex, but easy to remember
Previous advice has recommended combining upper and lower case letters, numbers and symbols when creating your password. People’s inability to remember these complex passwords ends up putting them at higher risk of cyber attack – by writing down your password in order to actually remember it, you’re opening yourself up to more threats. Instead, think of an easy-to-remember phrase or word combination. Lyrics of a song, a short quote from a movie or book, or even a dinner dish are good options to make your password complex enough to deter hackers, but still easy to remember.
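Tips 1 and 6 both rest on the claim that length beats character-set complexity. The added example below (written for this page, not Aura's or the article's code) puts numbers on that claim by computing the entropy, in bits, of a few password policies, and generates a passphrase with the operating system's cryptographic random source. The word list in the block is a tiny constructed one for demonstration; the entropy figures for "Diceware words" assume the standard 7776-word list, and the calculation assumes each word is chosen at random, so a phrase that already exists (a lyric or quote) carries less entropy than the same number of random words.

```python
import math
import secrets

# Constructed word list for demonstration only. A passphrase for real use should be
# drawn from a much larger list, such as a 7776-word Diceware-style list.
DEMO_WORDS = ["harbour", "kettle", "orbit", "velvet", "timber", "lantern",
              "mosaic", "glacier", "copper", "saddle", "meadow", "pistachio"]

PRINTABLE_ASCII = 95        # letters, digits and symbols typeable on a keyboard
DICEWARE_LIST_SIZE = 7776   # 6**5 words, one per roll of five dice


def entropy_bits(choices_per_symbol: int, symbols: int) -> float:
    """Entropy of a string of `symbols` picks made uniformly from `choices_per_symbol`.

    Each independent uniform pick contributes log2(choices) bits; a 95-symbol
    alphabet gives ~6.57 bits per character, a 7776-word list ~12.9 bits per word.
    """
    return symbols * math.log2(choices_per_symbol)


def random_passphrase(words: list, count: int, sep: str = " ") -> str:
    """Pick `count` words with `secrets` (CSPRNG), never the `random` module."""
    return sep.join(secrets.choice(words) for _ in range(count))


def compare_policies() -> dict:
    """Entropy of common password shapes; higher is harder to guess."""
    return {
        "8 chars, lowercase only": entropy_bits(26, 8),
        "8 chars, full printable ASCII": entropy_bits(PRINTABLE_ASCII, 8),
        "12 chars, lowercase only": entropy_bits(26, 12),
        "4 random Diceware words": entropy_bits(DICEWARE_LIST_SIZE, 4),
        "5 random Diceware words": entropy_bits(DICEWARE_LIST_SIZE, 5),
    }


if __name__ == "__main__":
    for policy, bits in compare_policies().items():
        print(f"{policy:32s} {bits:5.1f} bits")
    print("demo passphrase (tiny list, low entropy):", random_passphrase(DEMO_WORDS, 4))
```

The comparison shows why the "four or five words" advice works: five random words from a 7776-word list (about 64.6 bits) beat eight characters drawn from the full printable set (about 52.6 bits), and twelve lowercase letters already outscore eight mixed characters. The demo passphrase printed at the end is deliberately weak, because twelve candidate words give only about 3.6 bits per word.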