Previously, I have written about protecting your website against hacking and I discussed the value of strong passwords. However, passwords protect more than websites and, with World Password Day coming up, it seemed appropriate to go into more details about protecting ourselves with our passwords.
I will look at the most common passwords used by people, all of which are very easy to crack but the most important part of the article is the section on the 10 ways you can protect yourself online. Passwords are so important for our online safety and security that it is worth taking a few minutes to see what you can do to stop hackers from breaking into your accounts and doing serious damage.
Since 2015, the first Thursday of May has been designated World Password Day. It's a chance to remind ourselves of the importance of good password practice, especially as 80% of all data breaches are the result of passwords being compromised (source).
Passwords are, at the moment at least, an essential part of our online life both in a work and in a personal context. They are like keys to a door, but instead, they give access to our email, our social media accounts, our bank accounts, our websites.
If you or your organisation has a website and you allow people to register with a password, those people are putting their trust in you, that you will look after that password and keep it safe. If the passwords from your website/shop are stolen, how will your customers/clients think about your business? If someone who registered, used the same password on your site that they use for their email or other service, the consequences for them may be serious.
Protecting passwords by following best practices can save you from annoyance as a minimum and serious business problems (See BBC article The ransomware scourge ruining lives) as a worst case. Making some small changes now can save a lot of time, money and heartache later.
Most Common Passwords
There are a number of lists of the most commonly used passwords but I have chosen this one from Cybernews dated April 2022. The information comes from lists of publicly leaked data.
As the author of the article says "One of the key elements of a strong password is its uniqueness." yet many people are unaware of the risks of weak passwords or are unwilling to use passwords that are harder to crack.
This is the list in order of the most common first.
The list doesn't vary much from year to year - the same culprits keep cropping up! You can read the top 10 passwords from 2014 in the article I wrote about this at the time.
It's common for people to use a year in their passwords - often the year they were born or the year their partner was born. A woman I know used to have an email password brian679. Yes, you've guessed it - Brian is the name of her partner and he was born in June 1979. That information is easy to get hold of so the password offered very poor security.
If you're concerned that a password that you use has been compromised, then you can check by going to haveibeenpwned. You enter your email address and the site will check if you have ever used that email with a password that is now in the public domain. Large password hacks are not uncommon and this site monitors them.
Protect Yourself Online
So, being aware of the risks, how can you best protect yourself online. Here are 10 ways.
Firstly, always use strong passwords. Strong passwords have at least 12 characters, are a mixture of uppercase and lowercase letters, numbers and special characters like $, >, * etc. Don't use words found in dictionaries or any personal information. Yes, I understand, these passwords are hard (if not impossible to memorise) so...
Use a password manager. A password manager is software that stores all your passwords securely, however complex they are. All you then have to do is remember the password to your password manager.
You may be concerned that the password manager software itself could be breached, leading to the disclosure of all your passwords. However, these companies store your passwords using advanced encryption so, even if they were hacked, it would take a long time for hackers to crack the passwords. This would give you plenty of opportunity to change your passwords before they were ever available to the hackers.
The most popular password managers are:
I've been using LastPass for years now and it works well.
Keep passwords safe - don't share them with others or give them out to anyone, whoever they say they may be. Watch out for phishing attacks where you may receive an email that looks genuine but isn't, or are asked to log into a service (e.g. Microsoft, Google etc) but the web address isn't quite right. These are specifically designed to trick you into revealing your password.
Don't reuse passwords. Each service you log into should have a unique password. This limits your exposure in case one password is hacked. If you use the same password for everything and that is compromised, well, the consequences are going to be much more serious.
This poll by Google suggests that 65% of people reuse passwords. Are you one of that number?
Make sure your website has a SSL security certificate (so it's https://) so hackers can't 'see' the data that's being sent from your device (like your login details) to the server. Also make sure the sites you use are https:// as well, especially if you're going to send any data.
If you ever work in public spaces, watch out for people observing you before you enter a password.
Make sure employees working from home are set up securely, especially if they are using their own devices. Raise awareness in your team about security issues
Audit passwords in your company. This can be done in a way that does not reveal passwords but checks that they conform to a set of rules. Delete accounts of ex-employees/contractors etc.
Use 2 Factor Authentication (2FA) wherever possible. It's a few seconds of inconvenience every time you log in but it makes it much more difficult for hackers to gain access to your accounts. This article from Which? explains what 2FA is and the benefits it provides.
Log out of accounts and out of devices when you've finished using them so no one else can access your information or change your password without you knowing.
If you want to protect your personal and work accounts, install a password manager on your devices and then you can start using complex passwords without having to worry about remembering them.
Many people are still unaware of the risks of weak passwords or the consequences that might occur if they are hacked. You can help overcome this by raising awareness both for yourself and your organisation.
Understand the risks and guard against them. Passwords are often a weak link in information security because they rely on people doing the right thing. Will you take action to protect your accounts and those of people who rely on you to do so?
- Article in Guardian 2022 - Not using a password manager? Here’s why you should be…
- 10 Password Security Statistics That You Need to See Now
- TeamPassword blog post
- Ten Password Mistakes That Could Get Your WordPress Site Hacked
- Common Ways Attackers Are Stealing Credentials
- How to create secure passwords for your website