May 2 is World Password Day – traditionally the day you are supposed to change your passwords.
Simply coming up with a new password won’t ensure absolute security, though, especially if your new choice of password is weak.
Liverpool football fans pay the penalty
For example this year fans of Liverpool football club have paid the penalty for using their team’s name.
A study of breaches last year found that about 280,000 accounts had “Liverpool” as the password — more than any other Premier League team, according to a report by the National Cyber Security Centre (NCSC).
Chelsea fans were compromised in a similar way more than 216,000 times, while supporters using “manutd” were caught out on 59,000 occasions. Blink 182 was the most common music act.
A staggering 23 million people worldwide were discovered to be using “123456” as their password, and another 3.6 million had “password” as their password.
Millions of people are still using easy-to-guess passwords. Other favourites for cyber-criminals to exploit are sunshine, qwerty, iloveyou and Superman.
The most common name used in a password was revealed to be Ashley, followed by Michael, Daniel, Jessica and Charlie.
Check if your account has been compromised
Security researcher Troy Hunt – whose website Have I Been Pwned allows users to check if any of their accounts have been compromised in cyber attacks by collecting data from those breaches – insists internet users need to be more creative in their approach to passwords.
Experts recommend you have a different password for every account – and these passwords should be secure, which means long, complicated and really hard to memorise.
Tips for a strong password
When it comes to creating your own safe password, one method is to choose a random sentence that you can remember, take the first letter, number or character of each word, and use the resulting combination as your password.
An example of this could be: “Stay secure by creating random passwords 100 per cent of the time!” The password is then: Ssbcrp100pcott!
NCSC technical director Dr Ian Levy said: “Using hard-to-guess passwords is a strong first step and we recommend combining three random but memorable words. Be creative and use words memorable to you, so people can’t guess your password.”
For a strong password, Microsoft recommends the following tips:
- At least 8 characters long
- Does not contain your user name, real name or company name
- Does not contain a complete word
- Is not similar to your other passwords
- Contains uppercase and lowercase characters, numbers and symbols
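The two techniques above, the sentence-to-password method and the Microsoft checklist, as a small added Python example (not code from the article, Microsoft or the NCSC). It derives a password from a memorable sentence the way the article's example does, and checks a candidate against the listed rules plus the weak passwords named in the NCSC report; the word list and the 0.8 similarity threshold are assumptions chosen for illustration.

```python
import re
from difflib import SequenceMatcher

# Constructed word list for the "complete word" rule: the team names, music act,
# favourites and first names the NCSC report singles out. A real deployment would
# use a full dictionary and a breached-password list instead.
COMMON_WORDS = {"liverpool", "chelsea", "manutd", "blink182", "sunshine", "qwerty",
                "iloveyou", "superman", "password", "ashley", "michael", "daniel",
                "jessica", "charlie"}
KNOWN_BAD = {"123456", "password"}          # the two most-breached values in the report
SIMILARITY_THRESHOLD = 0.8                  # assumed cut-off for "similar to another password"


def passphrase_to_password(sentence):
    """First letter/number/character of each word, keeping a leading number whole
    and any trailing punctuation, so "time!" -> "t!" and "100" -> "100"."""
    parts = []
    for word in sentence.split():
        m = re.match(r"(\d+|.)(.*?)([^A-Za-z0-9]*)$", word)
        parts.append(m.group(1) + m.group(3))
    return "".join(parts)


def check_password(pw, user_name="", real_name="", company="", other_passwords=()):
    """Return the list of checklist rules the password breaks (empty means it passes)."""
    problems = []
    low = pw.lower()
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    for label, name in (("user name", user_name), ("real name", real_name), ("company name", company)):
        if name and name.lower() in low:
            problems.append(f"contains your {label}")
    for word in sorted(COMMON_WORDS):
        if word in low:
            problems.append(f"contains the word '{word}'")
            break
    if low in KNOWN_BAD:
        problems.append("is on the most-breached list")
    for old in other_passwords:
        if SequenceMatcher(None, low, old.lower()).ratio() >= SIMILARITY_THRESHOLD:
            problems.append("too similar to an existing password")
            break
    # All four character classes must be present.
    if not all(re.search(p, pw) for p in (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")):
        problems.append("needs uppercase, lowercase, digits and symbols")
    return problems
```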
The biggest password mistakes
Unfortunately people typically write down difficult-to-remember passwords – and in some cases even stick a note to the monitor.
So instead of providing much-needed security, passwords can end up being the very cause of a security risk.
The number of passwords required has grown significantly with the increasing number of accounts, apps, websites, devices that we use.
Using the same password for more than one access control requirement is particularly unwise as it jeopardises your data protection.
One answer is to make use of a password manager or a password generator.
If you do this, make sure that the password manager will keep your passwords in encrypted form so as to prevent eavesdroppers from snatching them.
It’s worth remembering that there is a form of malware known as a key logger. These programs run in the background, recording all your keystrokes for an attacker to exploit.
So it’s good practice to use a password generator/manager that enters the password on your behalf without the use of keystrokes.
The NCSC report reveals that young people are more likely to be privacy conscious and careful of what details they share online.
With no fool-proof protection, speed of recovery is crucial
The sad truth, though, is that even with the greatest will in the world, there is no fool-proof way to stop cyber-criminals.
How quickly an organisation responds to and recovers from a disaster caused by a potential password breach will ultimately define a business.
No-one can afford to risk catastrophic fines or reputational damage.
Thankfully, the technology exists to recover protected data instantly, so if an individual or organisation suffers a malware or ransomware attack, downtime and disruption are no longer an issue.
With Redstor – unlike other data management solutions – there’s no need for an organisation to restore all of their data before starting to operate again. Selected files can be streamed on demand, enabling employees to continue working seamlessly 24/7/365.
So, even though password security and strong protection against malware are very important, forward-thinking businesses never allow their focus to stray too far from how quickly they can recover from an attack and maintain instant access to their data.