
Managing your passwords: 'Password123' is not secure!

123456 was the most used password in 2021, according to NordPass.

Passwords are the gateway to our digital lives.

As we spend more time online, it is very important that we take care of our cybersecurity and maintain proper password hygiene.

'123456' or 'password' or 'password123' are not secure.

In fact, they are a hacker's dream, and yet they were top of a list of the most used passwords in 2021, according to a survey in 50 countries conducted by NordPass.

We asked 3 cybersecurity experts about how best to manage passwords and keep them safe.

Is it ok to use the same password for all websites?

Dermot Williams, Managing Director, Threatscape

No, this is a really bad idea. You might think that a website is not all that important with nothing of much value to be protected.

The booking site for your local gym? A fan site for your favourite sports team? A free subscription to a newspaper? Surely there is nothing valuable to protect and you can let your guard down, and reuse the same password you use for other sites? But your credentials – your email address and password – are valuable and need to be protected.

If a hacker were to breach one website and get access to your credentials, they could then check if they allow them access to other far more valuable websites such as banks, online merchants, social media, crypto brokers or even your place of work. Attackers will target all of these and more because they know they may be able to steal money directly, or indirectly by means such as impersonation fraud or extortion.

And thanks to automated hacking tools, names and passwords stolen from one site can quickly be checked against thousands of other sites.

The millions your bank might be spending to keep their systems safe is wasted if someone can steal your password from another site with little or no security.
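The automated checking of stolen credentials against many other sites that Dermot describes (often called credential stuffing) also leaves a pattern a defender can look for: one source trying many different usernames in a short window, with most attempts failing. The following is an added example, not code from the article or from any of the companies quoted; the log format and the sample lines are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (hypothetical format): timestamp, source IP, username, outcome.
# 203.0.113.7 walks a list of accounts with one try each (stuffing a stolen list);
# 198.51.100.9 is a single user mistyping their own password.
SAMPLE_LOG = """\
2021-11-02T09:00:01 203.0.113.7 alice FAIL
2021-11-02T09:00:02 203.0.113.7 bob FAIL
2021-11-02T09:00:03 203.0.113.7 carol FAIL
2021-11-02T09:00:04 203.0.113.7 dave SUCCESS
2021-11-02T09:00:05 203.0.113.7 erin FAIL
2021-11-02T09:00:06 203.0.113.7 frank FAIL
2021-11-02T09:00:30 198.51.100.9 alice FAIL
2021-11-02T09:00:40 198.51.100.9 alice FAIL
2021-11-02T09:00:50 198.51.100.9 alice SUCCESS
"""

def parse_log(text):
    """Turn each log line into (timestamp, ip, user, succeeded)."""
    events = []
    for line in text.splitlines():
        ts, ip, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, outcome == "SUCCESS"))
    return events

def detect_credential_stuffing(events, window=timedelta(minutes=5), min_users=5, max_success_rate=0.5):
    """Flag source IPs that try at least `min_users` distinct accounts within `window`
    while mostly failing. Returns {ip: stats} for the worst window seen per IP."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        best = None
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward so span covers at most `window` of time.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            span = attempts[start:end + 1]
            users = {u for _, u, _ in span}
            successes = sum(1 for _, _, ok in span if ok)
            if len(users) >= min_users and successes / len(span) <= max_success_rate:
                stats = {"distinct_users": len(users), "attempts": len(span), "successes": successes}
                if best is None or stats["distinct_users"] > best["distinct_users"]:
                    best = stats
        if best is not None:
            flagged[ip] = best
    return flagged
```

The one SUCCESS inside the flagged burst is the account whose reused password was already in the attacker's list; that account, not the source IP, is the thing to act on first.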

Do you recommend changing passwords from time to time?

Dermot Williams, Managing Director, Threatscape

Yes, definitely. You should "treat your password like a toothbrush" – choose a good one, never share it with anyone else, and change it regularly.

The downside to this of course is that it can be hard to keep track of passwords and if being forced to change regularly means you develop bad habits such as writing your password down and leaving it by your computer then changing regularly can do more harm than good. But there are "password managers" to help with that.

Should you pick your own password or accept the 'strong' password recommended by a website?

Richard Ford, Group Technical Director, Integrity360

Typically, a website won't provide or recommend a password, and in fact this is likely to be your device or browser that is recommending a 'strong' password.

In this case, assuming it is your device and you have strong authentication enabled (e.g. fingerprint/face recognition) then I would recommend using this feature.

Passwords will be complex, unique, stored within a secure credentials store on the device, will be automatically filled in for you (assuming you can unlock access to the password with that strong authentication) and, most importantly, you don’t need to worry about remembering them.

Paul Donegan, Country Manager for Palo Alto Networks in Ireland

I think that this is a bit of both. You should pick a password that is something that you will remember but also has the characteristics that make it 'strong' as per the recommendation of the website you are trying to access.

The more information you have in an account the stronger the password should be.

How can you remember all your passwords?

Richard Ford, Group Technical Director, Integrity360

The simple answer is you don’t – and you shouldn’t try.

Whether it’s work or personal, we should be making use of secure password stores or, more commonly and most securely, moving to passwordless.

Although passwordless sounds less secure, what we actually mean is making use of Multi-Factor Authenticator Apps such as Google Authenticator, Microsoft Authenticator etc. These apps allow you to validate your identity in real time in a two-way process, remove the need to remember passwords and prevent your credentials being misused without your knowledge.

Paul Donegan, Country Manager for Palo Alto Networks in Ireland

For personal use: Make it unique to you, a favourite saying or phrase, a number that you will remember.

You can also look at using an application like a password manager or even your preferred browser that can help manage this for you.

Is using a password secure enough or do you recommend multi-factor authentication?

Richard Ford, Group Technical Director, Integrity360

Passwords are not secure enough, and haven’t been for some time.

They are unavoidable in some instances, and in these instances we should use secure credentials stores and always avoid password re-use, but most websites and applications allow the use of multi-factor authentication (MFA).

MFA should be the first option when it comes to authentication and hopefully we’ll be living in a passwordless world soon enough.

Paul Donegan, Country Manager for Palo Alto Networks in Ireland

I would recommend that everyone uses multi-factor authentication especially for their personal email accounts and any applications that have PII.

I am a Mac user so I have Chrome for all corporate/work-related websites and applications and Safari for all personal accounts. Where possible I will use Multi-Factor Authentication for accessing all my accounts.

Dermot Williams, Managing Director, Threatscape

Microsoft, Google and others also offer apps which you can install on your phone which will pop up and ask you to verify that it is really you trying to log in to a web site.

This makes it much harder for an attacker to beat the system – knowing your password alone. You need to make sure you keep your phone safe of course, and don’t install any questionable apps which might include malware designed to spy on your authentication app.

Best of all is to invest in a small "security token" offered by companies such as YubiKey; these are even harder for attackers to subvert. Many large companies adopted them during the pandemic to provide more secure authentication to people working from home since they couldn’t take the risk of a password alone being used to provide remote access. Many popular websites now support the use of these security tokens.