As the year gets off to a flying start, now is the time to work on and tidy up our passwords. Good password hygiene, like good hygiene for any system, helps you stay secure and avoid costly exploits.
Instead of waiting for an incident to occur, we want to be one step ahead and prevent it from ever happening in the first place. Our article on the Importance of Secure Passwords covers in detail how and why to use secure passwords, but that mostly applies when you're starting from scratch. We also need to go back and strengthen old passwords, and revisit decisions we made a decade or more ago.
Here are our top tips for doing your bit of password hygiene.
1: Use Unique Passwords
During 2023, we saw a significant number of websites compromised where password re-use was the cause.
2: Use a Password Manager
As passwords grow in both complexity and length, trying to remember them all is impossible. Thankfully, modern password managers make this easy and integrate neatly with your desktop, laptop, browser and even your mobile phone.
A good password manager means you only need to remember one password to authenticate, so you can make it a strong passphrase and know the rest of your passwords will be secure as well.
As mentioned in our Secure Passwords guide, our two picks are:
3: Increase your minimum password strength
With compute power rapidly increasing, the time needed to crack passwords is rapidly decreasing. Ten years ago, a secure password of 8 characters took about 90 years' worth of compute power to brute force (trying combinations until it's found) on average. On modern systems, this is now 8 hours or less.
We recommend increasing this to at least 10 characters (with a mix of upper and lower case, and symbols), which takes 5 years to brute force. Even better, moving to 12 characters pushes this out to 34,000 years and will keep it secure for at least the foreseeable future as compute power continues to increase.
4: Update old passwords
Most systems won't force password changes when their password policies change, as it causes too much disruption to their customers. While we don't recommend constantly updating all passwords (it's only required if you reused them), the older ones you first started using may be short (8 characters or fewer) or set at a time when you reused passwords (we all did at some point!).
Some password managers can even check your passwords against known lists of exposed passwords; any that match are critical to update.
These services work by comparing only a partial hash of your password, so they never directly expose your password at all. If you don't yet have a password manager holding all your passwords, or want another check, we also recommend haveibeenpwned.com.
This is an email-based comparison: it checks your email address and lets you know what may have been exposed and where.
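The partial-hash check mentioned above in tip 4 is usually done with the Pwned Passwords range API: only the first 5 hex characters of the password's SHA-1 hash are sent, and the matching is done locally. The following is an added example written for this article, not code from the article's author or from haveibeenpwned.com; the range endpoint URL is real, but the sample response is constructed and the network call is only used when you run it against the live service.

```python
import hashlib
import urllib.request
from typing import Tuple

# Real endpoint of the Pwned Passwords range API (k-anonymity model).
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password: str) -> Tuple[str, str]:
    """SHA-1 the password and split the upper-case hex digest into the
    5-character prefix that is sent and the 35-character suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix: str) -> str:
    """Ask the service for every hash suffix sharing this 5-char prefix.
    The full hash (and the password) never leaves the machine."""
    with urllib.request.urlopen(RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


def count_matches(suffix: str, range_body: str) -> int:
    """Scan a range response ('SUFFIX:COUNT' per line) for our suffix locally."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def breach_count(password: str, fetch=fetch_range) -> int:
    """Return how often the password appears in known breaches (0 = not seen)."""
    prefix, suffix = split_hash(password)
    return count_matches(suffix, fetch(prefix))


# Constructed sample of what a range response looks like (not real data).
SAMPLE_RANGE = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1
"""

if __name__ == "__main__":
    # Offline demo against the constructed sample; pass fetch=fetch_range for the live API.
    n = breach_count("password", fetch=lambda prefix: SAMPLE_RANGE)
    print(f"'password' seen {n} times in the constructed sample")
```

A password manager's breach check does the same thing for every stored entry, which is why a matching count, however small, means that entry should be rotated.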
5: Use Multi-Factor Authentication
Especially for key services such as your password manager and critical logins, Multi-Factor Authentication (MFA) is a must. While it may seem like a bit of an inconvenience at first, many systems will remember the device you use for a set number of days to reduce this inconvenience.
MFA also greatly reduces the chance of your password being used without your knowledge where some external site or system has been compromised. While it's not completely infallible against phishing (where a fake form is designed to steal your username and password), it does significantly reduce the risk, as most MFA login methods are very time sensitive.
6: Remove old password managers
Many people have used more than one password manager in their lifetime, especially if you're also using the manager built into your browser. These can be easily forgotten, and as the recent LastPass hack showed, a copy of your encrypted data can still be stolen and leave you vulnerable. If you haven't rotated all your passwords since changing systems, we highly recommend reviewing older systems and deleting your account.
Conclusion
Hopefully, by following these simple steps you can reduce your risk of a security incident. Of course, passwords are only one part of this puzzle, but as we've seen in recent security exploits, they are now a very critical one.
Any step that avoids the time, cost and reputational impact of a security exploit should be taken at every available opportunity. With the average cost of a cyber security incident now in the millions for Australian businesses, along with 200+ days of lost productivity, doing nothing to improve your security and protect your systems could prove very costly.