
Why improving password hygiene should be your new year’s resolution.

2021 is now in full swing, and while in many ways, things currently feel pretty similar to the dark days of 2020, there is opportunity to look to the future and identify areas of improvement. As always, the new year represents a time of change, a time to put bad habits in the bin or to learn new skills.

Traditionally these sorts of resolutions have revolved around improving health and quitting things that do us no good. But this year, rather than trying to stop smoking, or becoming a vegan, why not clean up some bad password hygiene? Why not make one change that may not cut inches from the waist, but might improve your cyber security strength?

2020 has shown that cyber-crime is a growing threat in the world, and one of the easiest and simplest changes everyone can make to improve their security is to enhance their passwords.

Did you know 59% of people use the same password for everything? And out of these passwords, you’d be surprised at how many of them are commonly used.

A government investigation, carried out by the National Cyber Security Centre, found the most hacked passwords globally, and the results are, well, predictable.

Believe it or not, the most commonly hacked password is ‘123456’, with 23.2 million cases. In second place is ‘123456789’, with 7.7 million cases. Other honourable mentions include ‘Liverpool’, ‘Chelsea’, ‘Batman’, ‘Blink182’, and of course ‘password’ – yes, there are 3.6 million cases where the password was ‘password’.

Something as important as personal data shouldn’t be protected by something as easy to guess as a football team, a first name, or the word ‘password’.

Why? Because 90% of passwords can be hacked in less than six hours. 

And once cracked, a hacker can access emails, personal data, contacts, social media, payment methods, and addresses – of course, if the same password is used for everything, then the impact becomes greater as the hacker can access all these examples simultaneously.

In a work environment, this is especially risky due to the types of information that could potentially be stored on a work device. Employees should have strong passwords that only they know. Research has shown that 18% of employees share their passwords amongst each other to collaborate or, in some cases, because this was ‘company policy.’ These factors make for very bad password hygiene in the workplace.

So what is good password hygiene?

Outdated methods would have us believe that a 14-character password, with a small mixture of letters and numbers, is strong enough to secure your accounts. So, something like Walesrugby1999 would be good enough. In the modern world, this quite clearly isn’t good enough, especially in a workplace environment where these passwords protect sensitive data.

A good password can be explained by breaking passwords down to their fundamentals and detailing how exactly their strength is measured.

The randomness of data is called Entropy, which is measured in Bits. This sounds complicated but it’s relatively easy to understand. Here’s an example – a coin toss, which has two outcomes to guess, heads or tails, could be described as having 1 Bit. Winning the lottery, which unfortunately is around a 1 in 286 million chance, can be said to be about 28 Bits. As you can see, the harder an outcome is to guess, the more Bits involved: essentially, Bits equal strength.

In modern computing, 128 Bits is widely regarded as the minimum key strength for encryption algorithms.

How does this apply to password strength?

A password’s strength can be measured by its length multiplied by the entropy per symbol – the ‘randomness’. For example, a single random decimal digit has an entropy of about 3.322 Bits (log2 of 10), so you would need 39 random digits to achieve 128 Bits of entropy.

Unless you happen to be Rain Man, you probably won’t be able to remember a sequence of 39 numbers, so adding a mixture of random symbols and letters can help towards shortening the password while also maintaining strong entropy. Of course, 128 Bits isn’t necessary for everything but should be the standard for sensitive types of information.

But again, to reiterate, these letters should also be random and not just be your favourite football team.
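To make the arithmetic above concrete, here is an added Python example (not from the original article) that computes the entropy per symbol for several character sets, the length each needs to reach 128 Bits, and generates a password of that length with the operating system’s cryptographic random source. The character sets and the 128 Bit target are assumptions chosen to match the text.

```python
import math
import secrets
import string

# Assumed character sets for illustration; the article only discusses digits.
CHARSETS = {
    "digits": string.digits,                                         # 10 symbols
    "lowercase": string.ascii_lowercase,                              # 26 symbols
    "letters+digits": string.ascii_letters + string.digits,          # 62 symbols
    "letters+digits+symbols": string.ascii_letters + string.digits
    + string.punctuation,                                             # 94 symbols
}


def outcome_bits(one_in: int) -> float:
    """Entropy of guessing a 1-in-N outcome: coin toss (N=2) or lottery (N=286 million)."""
    return math.log2(one_in)


def bits_per_symbol(alphabet_size: int) -> float:
    """Entropy of one symbol chosen uniformly at random from an alphabet of that size."""
    return math.log2(alphabet_size)


def password_entropy(length: int, alphabet_size: int) -> float:
    """Strength = length x entropy per symbol, valid only if every symbol is random."""
    return length * bits_per_symbol(alphabet_size)


def required_length(alphabet_size: int, target_bits: float = 128.0) -> int:
    """Smallest length whose total entropy reaches the target (39 for decimal digits)."""
    return math.ceil(target_bits / bits_per_symbol(alphabet_size))


def generate_password(length: int, alphabet: str) -> str:
    """Pick each symbol independently with a CSPRNG so the entropy estimate actually holds."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    print(f"coin toss: {outcome_bits(2):.2f} Bits, lottery: {outcome_bits(286_000_000):.2f} Bits")
    for name, alphabet in CHARSETS.items():
        n = required_length(len(alphabet))
        pw = generate_password(n, alphabet)
        print(f"{name:24s} {bits_per_symbol(len(alphabet)):.3f} Bits/symbol, "
              f"{n} symbols for 128 Bits, e.g. {pw}")
```

Reusing a dictionary word or a team name instead of random symbols breaks the assumption behind `password_entropy`, which is why the estimate is only meaningful for generated passwords.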

Password Advice for individuals

Here are some simple actions you can take to protect yourself, your data and your business from hackers and improve your password hygiene in 2021:

  • ‘Randomness.’ As mentioned, the entropy of each symbol increases the strength of a password. The more random your password is, the harder it is to crack.
  • A mixture of characters: symbols, numbers and letters, and try not to put them in any predictable order.
  • A long password, in fact, the longer the better.
  • Don’t use common phrases or words, especially ones that are personal to you. That means no birthdays, no names, and no pets.
  • Keep passwords to yourself! No sharing passwords and try not to store passwords in plain text anywhere, especially not next to your computer.
  • Use a password manager; no one expects you to remember all of your passwords when they are that ‘complex’. Devices now often offer a built-in password generator, so you don’t have to come up with passwords yourself, and the same device provides a place that stores them securely for you to refer back to.

To summarise, a password should be long, random, use a mixture of symbols, and should not use any actual word or phrase, especially one that is important to you: and don’t forget, you should use a different password for everything!

Password Advice for Organisations

The best advice for organisations when considering network security is to assume the threat is already inside. Embrace a zero-trust approach and ensure that any user or device that wants to connect to a resource must re-establish trust before access is granted.

This approach combats the increased threat from shifts in modern working, such as wider cloud adoption, mobile application use and remote working, all of which can contribute to credential theft and feed the rise of privileged access as an attack vector.

After all, according to the Identity Defined Security Alliance (IDSA), 94% of you have experienced this kind of attack, and 99% of those incidents would have been highly preventable with a more robust security posture in place.

So with that, let’s hope for a good 2021. Some of you may run that marathon and some of you might give up meat, but let’s all take it upon ourselves to improve our cyber-security and password hygiene.
