It’s the middle of the night. You’re sound asleep. Suddenly, your smartphone comes alive with a notification. With sleepy eyes, you groggily read it. It says “An unrecognized device recently attempted to access your account. Let us know if it was you.” You lay your phone down and drift back to sleep. The next day, you wake up to a beautiful morning, the sun’s rays creating a lovely effect as they seep through your window curtains. Amazed, your first thought is “this would be great for social media.” You take a couple of photos using your smartphone and open Instagram. The app asks you to log in. Perplexed, you attempt to log in, but your password is not working. You click on “Forgot Password” and wait, but nothing happens. Worry starts to creep in. You try your other social media apps and you’re logged out of all of them. You start to panic. You can’t access your email either. You grab your laptop and try to log in to online banking. It doesn’t let you. You’re unable to log in to most of your online accounts. You frantically try to figure out what’s going on when your phone notifies you: a huge amount has just been withdrawn from your bank account. You slump to the floor, hoping everything was just a dream. Unfortunately, it’s not.
A lot of people have suffered this nightmare since the dawn of the digital age. It used to be considered harmless: someone logging in to another person’s AIM or YM account because they guessed the password was 1234NAME. As the digital world evolved, more people started going digital for a lot of reasons. Suddenly, the digital world became a target for people with malicious intent. Hackers were able to breach accounts left and right. The common access tool: passwords.
Passwords are one of the most important elements of cybersecurity. They are the primary means of authentication for most online accounts, and they play a critical role in protecting our personal and professional information from unauthorized access. However, despite their importance, many people still use weak or easily guessable passwords, which can put their accounts and information at risk. In this blog, we will discuss some password security best practices that can help you to protect your accounts and information.
#1 Use Strong and Unique Passwords
The first and most important password security best practice is to use strong and unique passwords. A strong password is one that is long, complex, and includes a mix of uppercase and lowercase letters, numbers, and special characters. A unique password is one that is not used for any other accounts. This helps to prevent attackers from gaining access to multiple accounts if they can guess or obtain one password.
This is at the top of the list because it remains the most frequently overlooked practice. There are easier ways to achieve it if you don’t want to come up with your own password. Google, for example, offers a “Suggest a strong password” feature when you create an account, saving you the time and effort of inventing one. Remember to copy and save the suggested password somewhere safe in case you forget it.
Another method of creating strong passwords is through the use of Password Generators. A password generator is a tool that creates unique passwords, varying from complex combinations of characters to strong yet pronounceable blends. You can choose from a plethora of free and paid password generators today. As a guide, consider these points to narrow down your choices:
- It can adapt to the password requirements of various sites
- It is backed with a secure and robust technology
- It goes well with a password manager for ease of use and management of passwords. Better if it comes as a bundle
- Subscription fees are negligible
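To show what “adapting to the password requirements of various sites” means in practice, here is an added example (not code from the original post or from any of the products named here) of a small policy-aware generator built on Python’s CSPRNG-backed `secrets` module. The policy values (length 20, the default special-character set) are assumptions for the demonstration; `entropy_bits` is a helper of mine that shows why length buys more strength than symbols do.

```python
import math
import secrets
import string

# Character classes a site policy may require. The special set is deliberately
# conservative because sites differ on which symbols they accept.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "special": "!@#$%^&*()-_=+[]{};:,.?",
}
DEFAULT_REQUIRED = ("upper", "lower", "digit", "special")


def _pool(required, specials):
    classes = dict(CLASSES, special=specials)
    unknown = set(required) - classes.keys()
    if unknown:
        raise ValueError(f"unknown character class: {unknown}")
    return classes, "".join(classes[c] for c in required) or string.ascii_letters + string.digits


def generate_password(length=20, required=DEFAULT_REQUIRED, specials=CLASSES["special"]):
    """Return a password of `length` chars containing at least one char from each required class."""
    classes, pool = _pool(required, specials)
    if length < len(required):
        raise ValueError("length too short to satisfy every required class")
    chars = [secrets.choice(classes[c]) for c in required]          # one guaranteed per class
    chars += [secrets.choice(pool) for _ in range(length - len(chars))]  # fill from the union
    secrets.SystemRandom().shuffle(chars)  # OS CSPRNG shuffle so required chars are not always first
    return "".join(chars)


def meets_policy(password, length=20, required=DEFAULT_REQUIRED, specials=CLASSES["special"]):
    """Check an existing password against the same policy the generator uses."""
    classes, pool = _pool(required, specials)
    return (len(password) >= length
            and all(any(ch in classes[c] for ch in password) for c in required)
            and all(ch in pool for ch in password))


def entropy_bits(length=20, required=DEFAULT_REQUIRED, specials=CLASSES["special"]):
    """Upper bound on guessing entropy for a uniformly random password from this pool."""
    _, pool = _pool(required, specials)
    return length * math.log2(len(pool))
```

Doubling the length of a lowercase-only password adds far more entropy than adding a symbol class at the same length, which is why the length requirement matters most.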
Here are the top three Password Managers for 2023 to get you started:
#2 Use a Password Manager
Using a password manager can help you to create and store strong and unique passwords for all of your accounts. A password manager is a tool that generates and stores complex passwords for each of your accounts, so you do not have to remember them all. It also helps to protect your passwords by encrypting them and storing them securely. With a password manager, you only need to remember one master password to access all your other passwords.
A Password Manager is composed of three main components:
- A digital vault to store your passwords
- A state-of-the-art encryption system to protect your passwords
- A master password to access your digital vault
A robust and trusted password manager uses either AES-256 or XChaCha20 encryption, ensuring that your passwords are encrypted and very difficult to crack. It also uses zero-knowledge encryption, meaning that your data is secured with a unique user key that the app developer never knows. With zero-knowledge encryption, no one but the user has access.
A word of caution: password managers require one master password, and extra care is still needed to protect it. You can use two-factor authentication to help secure your master password. With that said, NordPass, Keeper, and Roboform are among the top password managers in 2023.
#3 Enable Two-Factor Authentication
Two-factor authentication (2FA) is an additional layer of security that requires a second form of authentication in addition to a password. This can include a fingerprint scan, a security token, or a one-time code sent to your phone or email. Enabling 2FA can significantly increase the security of your accounts, as it makes it much more difficult for attackers to gain unauthorized access.
Nowadays, 2FA is employed by a lot of companies. If you have used online cash apps like Paymaya or GCash, you have probably experienced being asked to log in to the app and then asked again to enter a One-Time PIN (OTP) to complete your transaction. Ever accessed your Gmail or YouTube account from a different device and been prompted to confirm it from a specific device? This is another example of two-factor authentication.
Perhaps the most significant rise in the use of 2FA was due to the Covid-19 pandemic. Employees who worked from home were asked to install apps, such as those from Microsoft and Google, to add another layer of authentication before an employee can access the corporate network.
People who have worked from home have been exposed to 2FA or even MFA (Multi-factor Authentication) because their IT department mandated it. However, people forget that a very large number of cyber-attacks target social media accounts, and there are still many people who have not enabled additional security on their social media apps. Since you have read this far, check your Facebook app if you have one. Go to Menu – Settings and Privacy – then under Meta Accounts Center, tap on See More in Accounts Center. Tap on Password and Security, then Two-Factor Authentication. Choose your account and enter your password. If your 2FA is ON, then kudos! If it is OFF, we recommend enabling it now. We also recommend doing the same for all your social media accounts.
#4 Change Passwords Regularly
It is also important to change your passwords regularly, especially for high-risk accounts such as email and banking. This helps to prevent attackers from using compromised passwords to gain long-term access to your accounts. However, it is important to note that simply changing your password is not enough – you should also ensure that the new password is strong and unique.
We recommend the following intervals for changing your passwords:
Monthly – this is the current practice at many businesses, especially those that have adopted a hybrid work setup. We recommend it for critical items like work, financials, and personal files stored in online data storage such as Google Drive and Dropbox.
Quarterly – we recommend this interval for your social accounts and non-work emails; essentially, anything you consider non-critical. Why not every six months or yearly? Hacking continuously evolves, and technology lets things happen faster. Procrastinating gives hackers more time to zero in on your credentials, whether by social engineering or brute-force attacks, and we definitely do not want that to happen.
You may find it tedious to keep changing passwords at these intervals. Your company’s security team can enforce it from the enterprise side, but as an individual, you can use password generators and managers to help you with password creation and management. We also recommend setting a personal reminder for when it’s time to change your password.
#5 Beware of Phishing Scams
Phishing scams are a common tactic used by attackers to trick people into giving up their passwords and other sensitive information. These scams typically involve a fake email or website that appears to be legitimate but is actually designed to steal your information. To protect yourself from phishing scams, always be wary of unsolicited emails or messages, and never click on links or download attachments from unknown sources.
Possibly the best recommendation we can give for staying constantly aware of potential risks is to adopt a personal sense of “healthy paranoia”, with the emphasis on healthy. This will help you by:
- Always being wary of unusual messages or links and developing your ability to discern potential risks
- Always verifying the sources of emails and links down to every detail: spelling, dashes, email format, and sender
- Always being mindful not to click on every link and not to reply to every email or text message
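The “verify every detail” habit above can be partly mechanised. Here is an added example (not code from the original post) of the checks a cautious reader performs on a link and its sender before clicking: scheme, hidden userinfo, bare IP hosts, punycode look-alike labels, a trusted name buried inside a different domain, and a mismatch between the sender’s domain and the link’s domain. The trusted domains and the sample messages are constructed for the demonstration; the registered-domain rule is a crude “last two labels” stand-in for the Public Suffix List.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allow-list of domains the reader legitimately deals with.
TRUSTED = {"example-bank.com", "mail.example.com"}


def registered_domain(host):
    """Crude 'last two labels' rule; production code should consult the Public Suffix List."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def check_link(sender_email, url, trusted=TRUSTED):
    """Return a list of human-readable red flags for a link in a message ([] means none found)."""
    flags = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        flags.append(f"scheme is {parts.scheme!r}, not https")
    if parts.username is not None:
        flags.append("userinfo ('@') in URL: the text before '@' is not the real host")
    try:
        ipaddress.ip_address(host)
        flags.append("host is a bare IP address, not a domain name")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode label: possible look-alike characters in the domain")
    link_dom = registered_domain(host)
    if link_dom not in trusted:
        flags.append(f"link domain {link_dom!r} is not on the trusted list")
        # A trusted name used as a *subdomain* of something else (bank.com.verify-login.net).
        if any(t in host and host != t and not host.endswith("." + t) for t in trusted):
            flags.append("trusted name embedded inside a different domain")
    sender_dom = sender_email.rsplit("@", 1)[-1].lower()
    if registered_domain(sender_dom) != link_dom:
        flags.append(f"sender domain {sender_dom!r} does not match link domain {link_dom!r}")
    return flags
```

An empty result is not proof that a link is safe; it only means none of these specific tricks were spotted, so the other habits in the list still apply.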
#6 Avoid Sharing Passwords
Finally, it is important to avoid sharing passwords with anyone, even close friends or family members. Sharing passwords significantly increases the risk of unauthorized access and can also make it difficult to determine who is responsible for a security breach. If you need to share access to an account, consider using a password manager that allows you to share access without sharing the password itself.
Social engineering is one of the best ways to gather information that may directly or indirectly lead to a person’s password. In 2015, Jimmy Kimmel had a segment focused on how easy it is to obtain a person’s password. Fast forward to 2023, and social engineering continues to thrive. Here are some tips to help you keep your password safe:
- Don’t share your password – this is the best recommendation we can give. Social engineering exploits a person’s vulnerability to trust. There are instances when this is unavoidable, like a joint account with a partner, and this is understandable. For everything else, keep your password to yourself
- Keep Social Media social – people believe that social media is their gateway to the world. A lot of people do not understand that it’s also a gateway to them, giving the world insight into their personal lives. Many of us have posted our birthdays, hobbies, passions, romances, and personal details that we think are harmless. Remember that anything you post can lead to your password, so be mindful of what you post and use passwords that are far from anything in your social media posts.
- Enable Two Factor Authentication – this gives you an extra layer of security should anyone guess your password and attempt to access your account
- Use Incognito/Private Browsers – when connecting to public hotspots, it is best to use Incognito or Private mode when browsing. Keep in mind that this mode only stops the browser from keeping local history and cookies; it does not hide your traffic from others on the hotspot. Avoid accessing your bank accounts, work, or private files when connected to public Wi-Fi. If you really have to, we recommend using a Virtual Private Network (VPN) to establish a private connection and protect you from digital snoops.
In conclusion, password security is a critical component of cybersecurity. By following these best practices, you can help to protect your accounts and information from unauthorized access. Use strong and unique passwords, use a password manager, enable two-factor authentication, change passwords regularly, beware of phishing scams, and avoid sharing passwords. By taking these steps, you can significantly increase the security of your accounts and information.
About IPV Network
Since 2016, IPV Network has been a trusted partner of leading enterprises in the Philippines, bringing them best-of-breed cybersecurity solutions. IPV Network helps businesses identify, protect, detect, respond, and recover from cyber threats. Email us at [email protected] or call (02) 8564 0626 to get your FREE cybersecurity posture assessment!