
Staying safe from cybercrime – Passwords: a guide for non-technical users

In the first of our new series on ‘staying safe from cybercrime’, we look at the importance of having secure passwords and how best to achieve them.

Password protection is a vital defence in the fight against cybercrime. It’s the first line of protection for many aspects of our lives and is only as strong as its complexity and uniqueness. We use passwords all the time to carry out simple tasks, such as sending emails, or making online purchases. Every aspect of our lives is affected by passwords – from working and banking, to buying and communicating.

In the past, one of the recommended approaches to staying safe and secure was to change your password on a regular basis. However, IT experts have identified that enforced regular password changes can actually reduce security rather than improve it, because people tend to respond with predictable, slightly altered versions of their old password.

Importance of multifactor authentication

When you sign into your online accounts, you’re proving to the service that you are who you say you are. Traditionally that’s been done with a username and a password. Unfortunately, this really isn’t very secure. Usernames are often easy to discover – in all likelihood it’ll be your name or your email address, and since we all require so many passwords these days, there is a tendency for people to use simple ones, or use the same password across many different sites.

That’s why almost all online services, particularly banks, social media, shopping and Microsoft 365, have added additional security to your accounts. It is often referred to as ‘two-step verification’ or ‘multifactor authentication’, but whatever it is called, the principle is that when you sign into the account for the first time on a new device or app (like a web browser), you need more than just the username and password. You need a second verification method to prove who you are. This can mean that passwords are linked to individual remote devices – mobile phones for example. Multifactor authentication (MFA) is rapidly becoming one of the most used – and recommended – systems, as it links to an authenticator app, which can then provide you with a unique code.

Importance of complexity and uniqueness

A good password should be unique to you, and unique to each site or service where it is used. Choose something quirky, meaningful but obscure: the more obscure the better, but not to the point where you cannot remember it over time. It should include uppercase and lowercase letters and at least one symbol, such as ! or &. The National Cyber Security Centre recommend using three random words to create your password. These could literally be anything – cardiganSnai!m00n, for example.

Keep it safe

With so many complex and unique passwords to remember, a dedicated password vault (password manager or password locker) can keep them safe. A password vault is an encrypted digital vault that stores login credentials, documents, images and other sensitive information. To access a password vault, you need to authenticate your identity by entering a master password or by using biometrics. These should not be confused with browser-based password vaults, which, although they use encryption, are still vulnerable to being compromised.

One of the biggest benefits of using a dedicated password vault is that there is only one password – the master password – to remember. As long as you can commit that one to memory, all your other passwords can be kept safely, without you having to memorise them. You can access your vault from any device or browser, and you can also add additional security to your vault by securing it with its own MFA. And, even if you don’t, the encryption standards have been designed to be robust, with all data encrypted and decrypted locally on your device.

The future of authentication

With the multitude of passwords required in our daily lives, this can become cumbersome even with a password vault. There are already alternatives to passwords in use, and some combination of these could be the future of authentication. Passkeys, hardware-based MFA and biometrics – and even behavioural biometrics – will all have their part to play.

Passkeys are an authentication method for websites and apps. Each passkey is a pair of cryptographic keys: a public key that’s registered with the online service or app, and a private key that’s stored on a device, such as a smartphone or a computer. You then use your face, a fingerprint or a PIN to unlock your passkey and log in, in much the same way that you unlock your smartphone. The advantage of passkeys is that even if a hacker gets their hands on a website’s copy of the public key, your account is still locked, because they don’t have access to the private key on your device.
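The key-pair idea above can be shown in a few lines. The following is an added example, not code from the article or from any passkey implementation: the service stores only the public key, issues a fresh random challenge at each login, and checks that the challenge was signed by the matching private key, which never leaves the device. It uses Ed25519 from the Go standard library as the signature scheme; the real protocol behind passkeys (WebAuthn/FIDO2) adds further checks, such as binding the signature to the website’s origin, that are left out here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// authenticator models the device side: the private key is generated here and never exported.
type authenticator struct {
	priv ed25519.PrivateKey
}

// service models the website side: it holds only a public key per account.
type service struct {
	pubKeys map[string]ed25519.PublicKey
}

func newAuthenticator() (*authenticator, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &authenticator{priv: priv}, nil
}

func newService() *service {
	return &service{pubKeys: map[string]ed25519.PublicKey{}}
}

// register is passkey enrolment: only the public half is sent to the service.
func (a *authenticator) register(s *service, user string) {
	s.pubKeys[user] = a.priv.Public().(ed25519.PublicKey)
}

// challenge issues fresh random bytes, so a signature captured once is useless later.
func (s *service) challenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	return c, nil
}

// sign is what the device does after you unlock it with face, fingerprint or PIN.
func (a *authenticator) sign(challenge []byte) []byte {
	return ed25519.Sign(a.priv, challenge)
}

// verify checks the signature against the public key registered for the account.
func (s *service) verify(user string, challenge, sig []byte) error {
	pub, ok := s.pubKeys[user]
	if !ok {
		return errors.New("unknown account")
	}
	if !ed25519.Verify(pub, challenge, sig) {
		return errors.New("signature does not match the registered passkey")
	}
	return nil
}

func main() {
	svc := newService()
	phone, err := newAuthenticator()
	if err != nil {
		panic(err)
	}
	phone.register(svc, "alice") // constructed account name
	c, _ := svc.challenge()
	fmt.Println("login with the registered device:", svc.verify("alice", c, phone.sign(c)))
	// someone holding only the service's copy of the public key has nothing to sign with
	stranger, _ := newAuthenticator()
	fmt.Println("login with a different device:", svc.verify("alice", c, stranger.sign(c)))
}
```

Because the service never holds a secret that can be replayed, a breach of its database leaks nothing that lets an attacker log in as you, which is the property the paragraph above describes.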

Hardware-based MFA is another option when multifactor authentication is required. Also known as universal second factor (U2F) or physical security keys, hardware keys can either plug into a user’s system via USB or utilise a physical code generator that is unique to the user. Hardware-based MFA keys work in a similar way to other MFA methods in that, after a user presents their credentials upon login, they are then directed to input their additional factor. The user inputs their generated code or touches their USB hardware key, and is then granted access to the service.

Biometrics and behavioural biometrics might sound like the stuff of science fiction, but in reality they are being used more frequently every day. Biometrics includes things like facial and fingerprint recognition, while behavioural biometrics uses the way you hold your phone or type on its keys to identify whether it is actually you.

If you’d like guidance on any element of cyber security – or to find out more about passwords, online security and protection against cyberattack, then get in touch to talk to one of our experts today.