Thank you to Louisa Vogelenzang , the cofounder of The Cybersecurity Café podcast for permitting me to reproduce an edited version of her original article on passwords.
Keys - to your house, your car, your garage, your bike, your workplace– we’ve all got them and most of us have experienced some level of anxiety when we misplace them or worse still, they are compromised.
If you have a bunch of keys nearby, have a look at how they are all quite unique - from house keys to car keys to bike locks, to the smart card you use to access your workplace, to the key to your filing cabinet at home (if you have one), where you might keep your passport.
Think about how you generally choose the level of security surrounding your keys, which can often be based on your risk appetite or on the risk appetite determined by others. Here are some examples;
· For my bike, I have chosen a bike lock that can't be cut (easily) by bolt cutters. It was more expensive than a standard bike lock but I have a high insurance excess and feel it is worth it to reduce the risk (and cost impact) of my bike being stolen.
· In the apartment block where I live, tenants and owners have to go to a trusted 3rd party, fill in a form and provide ID to get another key copied. None of the owners in the apartment block asked for this system, it was put in place by the builder.
· If you run an AirBnB you might leave the key in a lockbox with a pincode that you only share with your cleaner and your guests. You change this periodically to ensure that past guests can't potentially access the property in the future.
· If you are a small business, or a security conscious household, perhaps you have chosen an additional layer of security on top of your keys.
The best example I
can think of is when you require someone to have a key to the building AND they
must also know the code to turn off the alarm before proceeding into the
building. This allows you to authenticate the person AND to trigger an alert if
worst case, someone breaks into your house or business.
You will have also have thought about
the potential impact if any of your keys were lost or stolen and you have a
plan on how you might recover. For example you might give copies of your most
valuable keys (maybe your house key) to a trusted neighbour or family member,
or maybe you decide you are OK with storing a spare under the flowerpot in your
front garden. Maybe you know in your head that you would definitely change the
key to your front door and therefore locks, if you thought your house key had
fallen into the wrong hands (even if you had a spare).
Now think of your digital life.....your
email, your social media accounts, your online shopping accounts etc. The good
news is that some of these same principals you already know well very from
managing keys in your physical world, also apply to your online keys
(passwords) too.
Here are some of the skills you already have to help you manage your online keys (passwords):
1. You make sure that you don't have the same key for all of your physical valuables
As mentioned above, you have lots of different keys for different 'use cases' in your physical life and you would be unlikely to choose to have the same key for all of your valuables.You just need to apply this same principal for your online keys (passwords) - this means using different keys (passwords) for different online accounts e.g. email, banking, online shopping and social media accounts (more on how to make this easy to manage later).
2. You have covered the 'what ifs' in terms of your house keys or car keys falling into the wrong hands.
In the example above we looked at how you might have thought about what you would do if you thought your house key had fallen into the wrong hands and what the implications could be of that event (based on what that key was protecting).
You should also have a think about this for your online keys (passwords). For example, maybe you are storing a scan of your passport and identity card in your email (you sent this in an email to a real estate agent for a rental application in the past). Imagine if someone got the ‘key’ to your email - this would be the equivalent of them getting the key to your house AND your filing cabinet and knowing your address. However, unlike the physical world, where you might see evidence of a break in, in the online world, you might never know that they were able to access these documents AND take a copy of them, until they started to use this information to impersonate you (we will cover this in more detail in a later blog on online identity theft).
3. You add an extra layer of security around your keys if required
Like the alarm that needs a pin code and will potentially alert you if someone unauthorised tries to access your building, you should also considering adding extra layers of security around your digital keys (passwords).
The equivalent in the online world, is something known as Two Factor Authentication (2FA). This is where, instead of a static alarm code that only you/trusted family members/employees know, a once-off code is sent to your phone which you need to enter to access your online accounts. This is usually sent to an 'authentication' application (such as google authenticator), or perhaps via text message - this means only you can see it. Once this is set up, you won't typically need to enter a code in addition to your key (password) every time you need to access your account, just when something changes e.g. you log in from a different computer.
The good news is that unlike the physical expense you might need to go to, to buy and set up an alarm for your house or business (and also potentially pay an additional fee for alerts sent to you if there are intruders), in the online world this service is absolutely free so you might as well set it up!
You will need to be prepared to invest some time upfront in setting this feature up for your accounts but I assure you this time will be well spent - it will provide you with an extra pair of eyes, alerting you if someone tries to access your online accounts and stopping them from doing so, because without the code that is only received on your phone, they can't get in to your account. Since turning this on several years back, I've received countless notifications of attempts to access my email and social media sites from countries I have never even visited - it was so reassuring to be able to say 'no this wasn't me' and have the piece of mind knowing they hadn't been able to get into my accounts.
You can read more about 2FA via the helpful guide from the UK’s National Cyber Security Centre (NCSC) and there is another good site called turn on 2FA that takes you through step by step how to get this working for your online accounts. Like those physical alarm panels that are all slightly different in terms of how the operate, each online site might have a different way of turning this Two Factor Authentication feature on. It is worth noting that unfortunately, not all online sites offer Two Factor Authentication yet, so you will need to make sure you always have a unique and secure key (password) we will cover the details on how to do this later in the blog.
4. When you do find out your key has been lost or stolen, you enact your plan to recover from this
As we explored earlier, you generally have a plan of what you will do if your physical keys are lost, stolen or compromised in some way. You should absolutely apply the same principal in the online world and apply a sense of urgency to compromised online keys (passwords), especially if they were being used to protect online accounts where you might be storing information valuable to cyber criminals or where you might have used that key (password) on more than one account. We will go through how to identify compromised online keys (passwords) next (point 5).
The good news is, it is also a lot easier to change your key (password) in the online world than is to change your key in the physical world and even better, it is also free! (more details later in the blog).
5. You proactively check on your keys
I am sure like many people, you proactively tap your pocket or look in your handbag to check your keys are in there, so you need to do this same proactive check for your digital keys (passwords).
Thankfully there is also a really easy way to proactively check up on whether any one of your keys (passwords) has been compromised via this wonderful website from Troy Hunt.
On Troy's site, you can type in your email address and it will right away let you know if your email address has ever been compromised in a data breach, because if it has, it is likely your key (password) or other details went with it too.
If anything comes up on your search, you will need to immediately change the keys (passwords) you use for that site if you haven't already done so (for example if you received an email from the site that was compromised advising you to do so AND you followed up with the action!).
If you were using that site key (password) on any other websites it is also important to change the passwords for those other sites too.
Thankfully I double checked and I had changed these passwords in response to these breaches at the time, but it was a good opportunity to do an audit and check again, to make sure I hadn't missed any.
I remember when I found out about these breaches at the time I asked myself - should I even care if someone was able to log into my MyFitnessPal account and see what exercised I had tracked? I then reminded myself that I should care because:
- Cybercriminals could have used this combination of my email and key (password) to access other (more lucrative) accounts of mine if I was re-using that same key (password) on those other sites - hence the importance of not using the same key (password) for multiple sites.
- This information would have value to cyber criminals, even if they didn't intend to use it directly themselves, because they could sell this on a place called the Darknet/Darkweb
Now, if like many people, you need to create a new key (password) after visiting Troy's site, you definitely don't want to be using any of the passwords that cybercriminals have on their list already. Think of this list as being the like one big 'skeleton key' or 'masterkey'. enabling cyber criminals to easily try their luck with keys (passwords) we might already be using.
You can visit this recent blog post from the UK's National Cyber Security Centre (NCSC) if you are keen to see the complete list but if not, this screenshot should give some great insights into the sorts of passwords (keys) that you don't want to be using:
What about those websites that make you use capitals, numbers and special characters? are they not secure passwords?
Cybercriminals unfortunately know the
patterns we often use when we are forced to create a password with special
characters, numbers and capital letters.
According to Troy Hunt and some Microsoft research cited on Troy's website, cyber criminals know we will normally start with something simple then change it to suit the website's password requirements. When we do this, we tend to follow a pattern and put a capital letter first, symbols last and a number in the last 2, or we will substitute symbols for a letter such as $ for s, @ for a and so on.
For example, if you decided to cut a key (create a password) starting with the suburb you live in - let's say it's called St Neots - this is how you might build the password to meet the site's criteria of at least 8 characters, of which one must be uppercase, one a special symbol and one a number:
Stneots -> Stneot$ -> Stneot$12
We will cover the types of passwords (keys) you should be creating in a moment...but I would just like to take a moment to say thank you to Troy Hunt - he really does do some incredible work in providing this free service to the community and is a true cybersecurity hero!
Now for some of the differences to be aware of when it comes to online ‘keys’ v’s your physical keys:
1. You generally have to 'cut' the key yourself
Unlike the key to your new house that you picked up from the real estate agent, when you sign up for a new online account, you will be asked to create a key (password) yourself. This is both a great opportunity and a great responsibility.
Sometimes the website you are using will prescribe a ‘template’ for the key (password) you need to create where they tell you it has to be so many letters, characters etc as described above.
We covered off early the types of key/passwords we should be avoiding earlier but for the best advise on how to cut a secure key (password) online I turn again to my go-to source - the NCSC in the UK and below is their verbatim and most recent advice on creating a strong password ;
Use three random words to create a strong password
A good way to create a strong and memorable password is to use three random words. Numbers and symbols can still be used if needed, for example 3redhousemonkeys27!
Be creative and use words memorable to you, so that people can’t guess your password. Your social media accounts can give away vital clues about yourself so don’t use words such as your child’s name or favourite sports team which are easy for people to guess.
If you are one of those people who have selected something that is easy to remember for your online keys (passwords) like a pets name or password 123456 or ever reused a password, don't be too hard on yourself - we are all human and tend by our nature, to select the easiest way around something. It hasn't helped that up until recently we were expected to remember all of these different keys (passwords) in our head but thankfully there are now solutions that can help which we will cover in the next point (2).
Note: an added complication can sometimes be that the online world has changed it's mind about what is 'secure' when it comes to your online keys (passwords) so this can cause confusion because some websites might not have caught up with the latest advice and simply won't allow you to create a key (password) in line with the advice above for example if you choose 3 random worlds and this takes you over their character limit. If this happens, try not to worry too much, remember the internet has only been around for a couple of decades so we are still learning. What you can do in this scenario is:
- Turn on (if available) the second layer of security we talked about earlier (Two Factor Authentication - the alarm code and monitored alerting system for your online accounts)
- If 2FA is not available on the site, consider voting with your fingertips and taking your business elsewhere - you should expect business to take the security of your information seriously.
2. You will need to store your keys differently
Unlike the physical world where you have 1 or 2 key rings probably hung up in the hallway somewhere where you can see and find them ....
According to Troy Hunt and some Microsoft research cited on Troy's website, cyber criminals know we will normally start with something simple then change it to suit the website's password requirements. When we do this, we tend to follow a pattern and put a capital letter first, symbols last and a number in the last 2, or we will substitute symbols for a letter such as $ for s, @ for a and so on.
For example, if you decided to cut a key (create a password) starting with the suburb you live in - let's say it's called St Neots - this is how you might build the password to meet the site's criteria of at least 8 characters, of which one must be uppercase, one a special symbol and one a number:
Stneots -> Stneot$ -> Stneot$12
We will cover the types of passwords (keys) you should be creating in a moment...but I would just like to take a moment to say thank you to Troy Hunt - he really does do some incredible work in providing this free service to the community and is a true cybersecurity hero!
Now for some of the differences to be aware of when it comes to online ‘keys’ v’s your physical keys:
1. You generally have to 'cut' the key yourself
Unlike the key to your new house that you picked up from the real estate agent, when you sign up for a new online account, you will be asked to create a key (password) yourself. This is both a great opportunity and a great responsibility.
Sometimes the website you are using will prescribe a ‘template’ for the key (password) you need to create where they tell you it has to be so many letters, characters etc as described above.
We covered off early the types of key/passwords we should be avoiding earlier but for the best advise on how to cut a secure key (password) online I turn again to my go-to source - the NCSC in the UK and below is their verbatim and most recent advice on creating a strong password ;
Use three random words to create a strong password
A good way to create a strong and memorable password is to use three random words. Numbers and symbols can still be used if needed, for example 3redhousemonkeys27!
Be creative and use words memorable to you, so that people can’t guess your password. Your social media accounts can give away vital clues about yourself so don’t use words such as your child’s name or favourite sports team which are easy for people to guess.
If you are one of those people who have selected something that is easy to remember for your online keys (passwords) like a pets name or password 123456 or ever reused a password, don't be too hard on yourself - we are all human and tend by our nature, to select the easiest way around something. It hasn't helped that up until recently we were expected to remember all of these different keys (passwords) in our head but thankfully there are now solutions that can help which we will cover in the next point (2).
Note: an added complication can sometimes be that the online world has changed it's mind about what is 'secure' when it comes to your online keys (passwords) so this can cause confusion because some websites might not have caught up with the latest advice and simply won't allow you to create a key (password) in line with the advice above for example if you choose 3 random worlds and this takes you over their character limit. If this happens, try not to worry too much, remember the internet has only been around for a couple of decades so we are still learning. What you can do in this scenario is:
- Turn on (if available) the second layer of security we talked about earlier (Two Factor Authentication - the alarm code and monitored alerting system for your online accounts)
- If 2FA is not available on the site, consider voting with your fingertips and taking your business elsewhere - you should expect business to take the security of your information seriously.
2. You will need to store your keys differently
Unlike the physical world where you have 1 or 2 key rings probably hung up in the hallway somewhere where you can see and find them ....
In the online world, you will need to store your keys (passwords) in a different way to physical keys and this is something new that we are understandably less familiar with.
We also need to remember what our online keys (passwords) actually look like and there are generally many more of them to remember, compared to our physical keys. I just did a quick count and I personally have over 100 different keys (passwords) for all the different accounts and services I have in my online life (in contrast I have about 20 different physical keys).
The good news is, the online world has come up with a solution for these challenges called a password manager.
The NCSC provides brilliant overview on password managers and their benefits which I highly recommend you read. I promise this will take around 2-5 mins of your time BUT it will be so worthwhile as this is your ticket to making your life so much easier when it comes to managing multiple AND secure keys for your online accounts.
Just remember that if you choose to use a password manager or browser based password management, make sure you are following the guidance in the link above on how to protect them well.
3. Criminals don't actually need to physically go to the address to commit crime using your key (password) in the online world.
We covered this concept in my last blog where we looked at the differences between physical and online criminals and how they can commit crime from anywhere. This is why it is even more important, to proactively check on your online keys (passwords) as we discussed above.
4. You can easily change your keys (passwords) in the online world
Unlike the physical world where you might have to change the key/lock if your keys become compromised which can be very expensive, most online sites have a mechanism to help you if you either lose (forget) your online keys (passwords) or if you discover they are compromised via Troy Hunt's site or via a notification from the provider that was compromised.
In fact, you have probably used this service yourself already, if you have ever had to reset a password for one of of your online accounts.
I used this service a lot before I invested in a password manager. I was doing my best to create secure passwords for myself but this often got me locked out of my accounts, because I couldn't remember them all! many times I found myself having to enter my email and get a link to reset my password (usually for an online account I hadn't used in a while).
Whilst it can feel like a drag at the time, as you just want to get into your account and get on with that purchase, just remember, this process is generally a lot less hassle than the process you have to go through with your physical keys of changing the locks.
Next Steps
I hope this has helped you to feel more confident about your ability to manage your online keys (passwords) and that you recognise that you have the knowledge from your physical world that you can use in the online world.
If you do nothing else today, I would strongly encourage you to visit Troy's site and find out if your details have ever been involved in a data breach. At least then you are empowered with the knowledge and can do something about it if you choose to - specifically to change those keys (passwords) if they were involved in a data breach and any other sites using that same key (password).
If you are lucky enough to find that your details haven't been involved in a breach so far, it is best to assume that they will be at some point and ensure you take the opportunity to do a quick audit today:
- do my passwords meet those recommended standards? (3 random words that are nothing to do with my pet, children, favourite football team, where I live or anything someone could know about me via social media)
- Are any of my passwords on the list of bad passwords shared above like 123456, liverpool etc (or similar to those on the list)
- are they being reused at all across different online accounts e.g. email, social media?
Once you have done that, maybe take some time to consider the current state of your online key (password) cutting, storage and protection processes and have a think about what you could put into practice to improve them in the future. For example, turning on that alarm code and notification feature (Two Factor Authentication) for your online accounts or using a password manager to help you more easily create and manage strong keys (passwords).
Remember, just like guidance from the police, on how best to protect yourself from the crime happening in your area, guidance can and will likely change when it comes to best practice for your online security. Make sure you follow a trusted source of information on best practice - I follow the UK's NCSC on LinkedIn and Twitter. In Australia Stay Smart Online has a Facebook page you can follow and if you are reading this outside of the UK or Australia you will likely have an equivalent service in your country.
All the best,
LV
Disclaimer: I’ve used the term ‘key’ when describing passwords as this analogy best aligns to the function of a password when comparing this to an equivalent in our physical lives. There is such a concept in the online world of a ‘cryptographic key’ but this relates to something that is used by software and is not generally readable by humans (unlike passwords). This is quite an advanced area of cybersecurity called cryptography which can be covered in future blogs if the demand is there!
