Unlocking the Secrets of Strong Passwords: Your Key to Online Safety! #CSAM

• by Olivia Lawlor-Blackburn
• General

We still rely heavily on passwords in all aspects of our lives. The predicted death of the password was more than fifteen years ago and here we are – still securing our information crown jewels the same way. While other methodologies exist, they are not widespread and as this is cyber security awareness month, we wanted to discuss managing your passwords and helping staff to keep security in mind when using them.

Here are some quick password tips, including guidance from the National Cyber Security Centre (NCSC):

Use Strong Passwords: Create passwords that are at least 12 characters long. Include a mix of uppercase and lowercase letters, numbers, and special characters. So, you should avoid using easily guessable information, such as names, birthdays, or common words. Steer clear of easily guessable passwords, such as “password,” “123456,” or common words found in dictionaries. We will be producing a Password Rogues Gallery, so you had better hope that none of yours appear in it!

Unique Passwords for Each Account: Avoid using the same password across multiple accounts. If one account is compromised, it will not affect others. Never share passwords between work and home platforms or devices. You may be inadvertently creating risk for your employer and colleagues or conversely putting your own personal information at risk. Consider using a password manager to generate and store complex passwords securely. This should only be done with an approved provider with your employer’s agreement, for work passwords.

Beware of Phishing Attempts: Be cautious of phishing emails or messages that attempt to trick you into revealing your password. Do you talk to staff regularly about phishing emails and show them examples? Do you share information on the latest phishing and spear phishing (targeted phishing using specific text to appear genuine)? Do you have a reporting mechanism for people if they think they made an error and clicked on something suspicious? Do you support those people to ensure that people always report, regardless of any error judgment? Verify the legitimacy of the website before entering your password, especially if the request is unexpected.

Enable Two-Factor Authentication (2FA): We talked about MFA in last week’s blog but it’s important enough to raise again. Whenever possible, enable 2FA for an additional layer of security. 2FA typically involves receiving a code on your mobile device or using a biometric method in addition to your password.

Check for Breached Passwords: Regularly check if your passwords have been compromised in data breaches and update them accordingly. There is a great resource called haveIbeenpwned.com, which will help you with this. Remember that if a password has been revealed you need to change it everywhere you may have used it, so now you can see why it is important to use discrete password creation!

Secure Password Recovery Options: Ensure that password recovery options, such as email or security questions, are secured to prevent unauthorised access. By following these tips, users can significantly enhance the security of their online accounts and protect sensitive information from unauthorised access.

Changing passwords: NCSC shifted its guidance on password changes. Traditionally, it was a common recommendation to change passwords regularly, typically every few months. However, the NCSC and many other cybersecurity experts have revised their stance on this. This is because people found it hard to remember secure long passwords and changing them meant they often behaved insecurely (writing them down, etc) in order to comply with mandatory password change regimes. The current trend in cybersecurity best practices suggests that frequent password changes might not be as effective as once thought. The NCSC, in line with this trend, has advocated for a more nuanced approach.

Change Passwords After Security Incidents: Instead of changing passwords on a predefined schedule, it’s recommended to change them if there is a known security incident or if you suspect that your password may have been compromised.

It’s important to note that cybersecurity recommendations can evolve, and it’s advisable to check the latest guidance from the NCSC or other relevant authorities for the most up-to-date information. Always consider the specific context and requirements of the systems and accounts you are securing. Think about human behaviour and what people are likely to do and make it easy for them to do the right thing…because they know and understand what the right thing is and why it matters.