7 tips to better password security
A user's password is the first line of defence to prevent misuse or theft of client personal or confidential information. HELEN BROWN tells how you can maintain security of your password in seven steps.
1. You call that a strong password?
As short passwords can more easily be deciphered, consider these tips for your 2017 passwords:
• Base your password string on a pattern;
• Use family names, nicknames, pet names, celebrities or names of sporting identities;
• Pop culture references; and
• Concentrate letters, numerals, symbols and punctuation marks at the beginning or the end of the password.
• Make it longer than 14 characters;
• Use upper and lower case letters, numerals, punctuation marks.
• Create one password for each application
Randomness does not provide as much protection as one would think. An exerciseconducted by Ars Technica showed just how easy it was to crack even long passwords which appeared completely random, such as "qeadzcwrsfxv1331".
2. Think outside the square - passphrase
Instead of a password, think about creating a passphrase. You can use the first characters of a sentence you can easily remember and which is meaningful to you and something which is not known to others, for example:
"I go on holidays on 15 December". You can substitute numbers for letters in your password string and substitute symbols, e.g. @ for “a” and zero for o, making it more difficult to decipher. Read more online about building a strong password or using passphrases.
3. Two-factor authentication
Two-factor authentication (2FA) is an additional layer of protection beyond your password. It significantly decreases the risk of a hacker accessing your online accounts by combining your password (something you know) with a second factor, like your mobile phone (something you have). Many of the world’s largest websites have made 2FA readily available from the security settings of your online accounts, but it’s up to you to turn on this feature. See Securing the human for further information.
4. Safe password storage
Passwords should be committed to memory or retained in an encrypted file. They should never be stored in your browser or written down.
5. Using a password management system
Consideration should be given to using a password management system. A password manager helps users create complicated and lengthy passwords which are integrated into the user's browser. Instead of a user typing a different password into each site visited, the user only has to remember a single password. The browser will complete the user's usernames and passwords.
While the system is safer, it is not foolproof - providers themselves have been attacked by hackers. For example, LastPass password manager was hacked some time ago and data stolen. Remember to read the terms and conditions attaching to a password management system.
Password management systems cause your computer or device to encrypt passwords and other personal data before uploading a copy to the cloud. The cloud vendor does not have the key to unlock the data and the user will secure his or her password database by creating a user account name and a master password. Apps collect user IDs, passwords and other information from each website visit. The application completes and submits the user’s log-in credentials when the user returns to each website.
Some popular applications are:
• Symantec Norton Password Manager – Windows
• Kaspersky Password Manager – Windows
• LastPass – Android, iOS and PC
• eWallet – for Windows, Mac and Android devices
• KeePass – Windows, mobile device GNU Open Source Software Free that runs on Linux, Mac or Windows
The newest systems provide secure access to a user’s passwords in the cloud and provide users with a synchronized, local copy of their password database on every computer and device. A synchronised local copy provides the user with access to the user's passwords if the cloud is unavailable or the vendor ceases business.
6. Don't lock your computer and leave it unattended in a non-secure environment
A strong password on a locked computer has been shown to NOT prevent a recently released exploit tool installing a privacy-invading backdoor on a computer. The answer is to turn off your computer when not attended in a non-secure location.
7. Don't store your password in your browser
While convenient to store a user name and password in a browser, it is generally agreed that passwords are not stored in a browser in a way that the user remains protected if malware is being executed.
The future of passwords...
For more than a decade, futurists have predicted that passwords will be replaced altogether as the means for authenticating our identity on the Internet.
Credible alternatives are beginning to emerge. Voice and fingerprint ID are already here, although not widespread and Yahoo recently announced Yahoo Account Key, email without password. Users can use their mobile phone to login to Yahoo mail by tapping a "yes" button to login to email — no password required. Users can turn on the service in the Yahoo Mail smartphone app's settings.
About the author
Helen Brown practises in house in general commercial and intellectual property law and has been a member of the NSW Law Society Legal Technology Committee since 2012. She has a special interest in the challenges technology creates for areas such as privacy and information security and how lawyers can use technology in their legal practice to deliver more effective legal services.