Technology Advisor Blog

The Psychology of Passwords - Are your Passwords Secure?

Posted by Ann Westerheim on 6/26/20 11:49 AM

Password Psychology

We all know what we "should" do about passwords, but reality is quite a bit different, as a recent report by LogMeIn, produced in collaboration with the National Cybersecurity Alliance, shows.  At Ekaru we're on a mission to help Small Businesses stay strong in the face of cyber threats.  The more you know about the threats you face, the better your chances of keeping your data safe and your name out of the headlines.

As more and more people work and socialize exclusively online, protecting your digital identity is more important than ever. Most people believe they are knowledgeable about the risks of poor password security; however, they're not using that knowledge to protect themselves from cyber threats.  Good password hygiene is one of the most important steps you can take to secure your data.  

Gerald Beuchalt of LogMeIn and Dan Eliot of the National Cybersecurity Alliance put together a great program this week on the Psychology of Passwords, and here are some of the key takeaways.  Many in our community will recognize Dan from our in-person lunch and learn event several months ago.

  • 91% of computer users know that using the same password, or a variation of it, is a risk, but 66% do it anyway.
  • 54% of computer users try to keep track of passwords by memorizing them, and it's not working.  24% of them need to reset passwords monthly after forgetting.
  • The old advice of 8 characters for a strong password is out of date - the longer the better and eight is not enough.
  • 52% of computer users haven't changed their password in a year even after learning of a breach!
  • Don't re-use passwords.  Keep in mind that hackers can use "credential stuffing" to try your password at all the other sites where you may use it.  With automated tools, now starting to be powered by AI, this is a quick task!
  • Use MFA - Multi Factor Authentication - whenever available.  Yes, it can be an inconvenience, but you will drastically increase your security with this simple step.

One question we hear a lot came up during the presentation: Is it okay to store passwords on paper kept in a secure location?  It is possible to store the paper very safely, but it's important to consider Protection vs. Availability.  When we see users doing this, typically they end up keeping the paper with them, making it a lot less secure.

Also, the typical 90-day forced password reset policy actually can make passwords less secure.  Why?  Users will fear forgetting their password and will quickly take on some other bad habits like writing them down, re-using passwords, or creating passwords that are too simple.  The current advice is to keep a password that's strong until you have reason to change it (like a publicized breach). 

What can you do?  Educate your team.  Talk about security during your staff meetings and make sure everyone is on board.  Help create a culture of security in your organization.  You can get fancier with a formal training program, but even just a conversation will help.   Using a password manager like LastPass helps solve a lot of problems around keeping passwords strong and secure, but daily behavior improvements can go a long way.

Contact us at 978-692-4200 if you'd like a demo of LastPass or want to learn more.

Also, here's a link to the video, report, and infographic from the National Cybersecurity Alliance:   View the Video and Get the Report

Subscribe to the Ekaru Technology Advisor Blog for more SMB technology advice by entering your email in the sign up box on the upper right of this page.

Tags: small business, password, cybersecurity, work from home

A hacker has your password.  Now what?

Posted by Ann Westerheim on 1/17/19 11:25 AM

This week an astonishing 773,000,000 records were released in a monster breach.  Security researcher Troy Hunt first reported the data set, which includes 772,904,991 unique email addresses and over 21 million unique passwords, all recently posted to a hacking forum.

Hunt reports that the data was posted online for anyone to take, and not even up for sale in the dark corners of the web.  In fact, not only is this the largest breach to become public, it's second only to Yahoo's breaches, which affected 1 billion and 3 billion users, respectively. Fortunately, the stolen Yahoo data hasn't surfaced yet, but there's a good chance that if your information isn't out there yet, it will be soon.

What can you do?

After your data appears in a hacker forum or somewhere on the Dark Web, there's no way to take it back.  For many, this is a wake-up call to take better care of password safety.

  1. Use STRONG passwords.  In this particular case, it doesn't matter how strong your password is: if it's out there, it's out there.  But using strong passwords is a general safety tip that helps prevent many other types of cyber attacks.
  2. Use UNIQUE passwords.  NEVER use the same password (or a simple variation) for multiple sites or applications.  Your banking password should not be the same as your gym membership password.
  3. Change your passwords frequently.  When you hear about a major breach, this is a good reminder to change your passwords, as it could be a long time before your credentials wind up for sale.  Think of it like changing the batteries in your smoke detectors.  Use a calendar event (daylight saving time?) to trigger the change.  Anything other than using the same password for years.
  4. Use a password manager.  Think about it.  If you need to use STRONG passwords, and UNIQUE passwords, that you change regularly, there is no way to remember them all.  If just one employee in your organization cuts corners, this could put you and your organization at risk.
  5. Get Dark Web Monitoring to protect your business.  When breaches make the headlines, everyone takes notice, but this activity happens frequently, and your data can be for sale on the Dark Web long before anyone publicly announces a breach.  Think of Dark Web Monitoring as an early warning system.
  6. Use Two Factor Authentication wherever possible.  If your password is compromised, no one can get access to your stuff without the second authentication factor.  Many users see this as an inconvenience, but it's a critically important safety measure to safeguard your information.
  7. Educate your employees on cybersecurity.  One weak link and your business may be at risk.  Too many users still think "it won't happen to me", and too many SMBs think they're under the radar because they're too small.

For more information on the latest breach, check out the comprehensive summary in Wired Magazine.

At Ekaru, we're on a mission to provide enterprise-class service to small businesses.  Please give us a call if you have any questions, or to assess your current security situation.  We're here to help!

Tags: password, cybersecurity, Dark Web

What's my email password?

Posted by Ann Westerheim on 12/13/16 2:57 PM

Cybersecurity is a hot topic these days.  We need "strong" passwords, we're not supposed to use the same password for multiple applications, and we need to change passwords on a regular basis.  It's hard to remember all the passwords, and especially hard when you don't even know a password exists!   Your email has a password, but it's likely you don't remember it because you don't usually need it on a regular basis.

Who can survive without email?  It’s an essential tool for business!

You’re busy and on the go and probably reading email on your smart phone, laptop, iPad, office computer, and webmail. 

There’s a password for your email, but after your device is programmed the first time, you don’t have to enter it again.  What a pain it would be to have to enter your password each time you read email on your phone, or any of your other devices …over and over again!

The flip side of this is “out of sight – out of mind”:  most people don’t remember what their password is.  Even if you use webmail where you do have to submit a password each time you access mail, your browser is probably “remembering it for you”.

All is well until you get a new phone, computer, iPad, laptop, or any other device. When you set up your new phone, you’ll need your password again.  So you call tech support and ask “What’s my email password?”   The problem is that, for security reasons, we can’t see your password and we don’t know what it is!   We can re-set it for you, which means we assign you a new password.  Now you can quickly get email set up on your phone and you’re back in action!

Later in the day, you may try to access email from your laptop, and you may be very frustrated to see that your email is broken – “Why do I have so many problems with my email!?”

Actually, Microsoft Outlook will just prompt you for your new password.   Enter that password and you’re good to go! Your new password will need to be entered to all your devices, and then you’ll be all set.  

If you want to avoid the hassles of a password reset (which isn't really that bad when you understand why, and how it works), there's no simple solution other than memorizing the password (just like school!) or storing your password in a secure location.

Tags: eMail, password

Is your password 123456? Time to increase your security!

Posted by Ann Westerheim on 2/17/11 9:00 AM

Well over a year ago there was a major security breach at a site called RockYou.com.   One of the interesting outcomes is that the breach offered the opportunity to analyze password behaviors, since over 32 million passwords were revealed.

Here is the top 20 list, and if you see any of your passwords on this list, it's a good time to think about using stronger passwords!

  1. 123456
  2. 12345
  3. 123456789
  4. Password
  5. iloveyou
  6. princess
  7. rockyou
  8. 1234567
  9. 12345678
  10. abc123
  11. Nicole
  12. Daniel
  13. babygirl
  14. monkey
  15. Jessica
  16. Lovely
  17. michael
  18. Asley
  19. 654321
  20. Qwerty

Strong passwords should include uppercase and lowercase letters, numbers, and symbols.  Your computer security starts with the strength of your passwords, so don't use something that's easy to guess or easy to automatically generate (like a keyboard string or word in the dictionary).
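An added example, not from this post or from Ekaru: a Python screening check that rejects the RockYou top-20 passwords listed above, keyboard and alphabetic sequences, and passwords that are short or use too few character classes. The minimum length of 12 and the sequence run length of 4 are this example's own assumptions; the posts only say that eight characters is not enough.

```python
# Added example (not Ekaru's code): screen a candidate password against the
# RockYou top-20 list quoted in the post, keyboard/alphabet sequences, a
# minimum length and character-class variety.
import string

# The top-20 list quoted in the post, lowercased for case-insensitive matching.
ROCKYOU_TOP20 = {
    "123456", "12345", "123456789", "password", "iloveyou", "princess",
    "rockyou", "1234567", "12345678", "abc123", "nicole", "daniel",
    "babygirl", "monkey", "jessica", "lovely", "michael", "asley",
    "654321", "qwerty",
}

# Keyboard rows and ordered sequences; any run of SEQ_RUN characters taken
# from these (forward or reversed) counts as "easy to automatically generate".
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",
                 string.ascii_lowercase)
SEQ_RUN = 4      # assumption: run length that triggers the sequence check
MIN_LENGTH = 12  # assumption: the post only says eight characters is not enough


def has_sequence_run(pw: str, run: int = SEQ_RUN) -> bool:
    """True if pw contains a keyboard-row or alphabetic/numeric sequence."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for src in (row, row[::-1]):
            for i in range(len(src) - run + 1):
                if src[i:i + run] in low:
                    return True
    return False


def character_classes(pw: str) -> int:
    """Count how many of lower/upper/digit/symbol classes pw uses."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(any(c in cls for c in pw) for cls in classes)


def check_password(pw: str) -> list:
    """Return the reasons a password is weak; an empty list means it passes."""
    reasons = []
    if pw.lower() in ROCKYOU_TOP20:
        reasons.append("appears on the RockYou top-20 list")
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if has_sequence_run(pw):
        reasons.append("contains a keyboard or alphabetic sequence")
    if character_classes(pw) < 3:
        reasons.append("uses fewer than 3 character classes")
    return reasons
```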

Tags: Security, password, 123456, popular passwords

For older Ekaru blog posts, go to ekaru.blogspot.com.