Why passwords alone are not enough!
There has been a significant increase in cyberattacks against companies, private individuals, and interested parties in recent years. Criminals go where they find a market, and it is believed that the corona pandemic has largely exacerbated this, simply because other areas have not been as accessible.
It is well known that password leaks are one of the common reasons we see compromised accounts such as e-mail, social media, and the like. This is where we see an especially significant increase.
Password leakage means that prominent players with many user accounts suffer a data breach in which criminals obtain all or part of the database of usernames and passwords. These databases are typically sold or distributed to other criminals, who begin to exploit them.
The passwords in these databases are correctly encrypted (hashed), but since the criminals have an “offline” copy of the database, they can calmly work on cracking (brute-forcing) these passwords.
The strength of the encryption (hash) determines how long this takes, but in theory every hash can be cracked, depending on the amount of computing resources available.
It is essential to protect yourself adequately, and we know that passwords alone are not enough!
Password hygiene
1. A password that is easy for humans to remember but difficult for computers to guess
A few years ago, we said that a good password would consist of a random combination of lowercase and uppercase letters and special characters. Preferably as cryptic as possible. Minimum 6 or 8 characters.
An example of such a password is q4Xc63a!
For 20 years, we have taught users to create passwords that are difficult for humans to remember but easy for computers to guess (see the lead image).
What if we instead use the following password: I want to be secure
By comparison, this password is 19 characters against 8 in the first. It is much longer and takes exponentially longer to crack. Finally, it’s much easier to remember!
We can easily go further by adding spaces: I want to be secure.
Then the password is 29 characters, without being significantly harder to remember!
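To put numbers on the two points above (the hash strength sets the attacker's guess rate, and length grows the search space exponentially), here is an added example that is not part of the original article. It models only character-by-character brute force, so a wordlist attack on common phrases is not covered, and both guess rates are assumed orders of magnitude rather than measurements.

```python
import math

# Assumed guess rates for an attacker working on an offline copy of the
# hashes. Illustrative orders of magnitude, not measurements.
FAST_HASH_GUESSES_PER_SEC = 1e10   # weak, fast hash (assumed)
SLOW_HASH_GUESSES_PER_SEC = 1e4    # strong, deliberately slow hash (assumed)
SECONDS_PER_YEAR = 365 * 24 * 3600

# Character pools a brute-force search has to cover, by class.
POOLS = (
    (str.islower, 26),
    (str.isupper, 26),
    (str.isdigit, 10),
    (str.isspace, 1),
)
SYMBOLS = 32  # printable ASCII punctuation


def alphabet_size(password):
    """Smallest character pool that contains every character used."""
    size = sum(n for test, n in POOLS if any(test(c) for c in password))
    if any(not c.isalnum() and not c.isspace() for c in password):
        size += SYMBOLS
    return size


def keyspace(password):
    """Number of candidates of this length over this alphabet."""
    return alphabet_size(password) ** len(password)


def search_bits(password):
    """Size of the brute-force search space, expressed in bits."""
    return len(password) * math.log2(alphabet_size(password))


def years_to_exhaust(password, guesses_per_sec):
    """Worst-case time to try every candidate at the given rate."""
    return keyspace(password) / guesses_per_sec / SECONDS_PER_YEAR


if __name__ == "__main__":
    for pw in ("q4Xc63a!", "I want to be secure"):  # the article's examples
        print(f"{pw!r}: {len(pw)} chars, {search_bits(pw):.0f} bits, "
              f"fast hash {years_to_exhaust(pw, FAST_HASH_GUESSES_PER_SEC):.2g} y, "
              f"slow hash {years_to_exhaust(pw, SLOW_HASH_GUESSES_PER_SEC):.2g} y")
```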
2. Use different passwords in different places.
You have probably heard the advice to use different passwords in different places many times. But reusing passwords is the underlying reason why this type of attack has such a significant impact.
Imagine that you have a fixed password that you use in most places. You use it on e-mail, online banking, the alarm company, social media, and more. Potentially, you might be able to name 20-30 places where you have the same password.
If one of these sites gets a password leak, you are potentially compromised everywhere, and an attacker could do significant damage.
This advice is, of course, very demanding. Remembering 20-30 different passwords turns out to be an impossible task, but this is where the next piece of advice offers a solution.
3. Use a password manager
A password manager is a service/software that keeps track of your passwords. You create an account and create a strong “master” password. Do not use this password anywhere else.
Then store the passwords of the other services in the password manager. The password manager is often integrated with the browser, making it easy to autofill the password when logging in to various services.
Also, be sure to change the passwords of the various services to unique, strong passwords.
The password manager often has a feature to generate random strong passwords for you. This means that you do not have to deal with these passwords or what they should be. This makes it easy to have different passwords on different services without inventing a new password every time – the only thing you must remember is your “master” password.
The password manager often has several other helpful functions, such as advising you when it thinks you have a weak password or detecting whether passwords you are using have been leaked.
Some will probably ask themselves, “Is it a good idea to put all the passwords in a password manager? What if there is a leak there?”
The answer is that a good password manager has excellent functions to secure against this. Thus, the probability is microscopic compared to continuing as before.
There are many different password managers, and it is essential to choose a good and reputable one. I do not want to point out specific services in this article – do some research and consult with experts.
Multi-factor authentication (MFA)
If you follow the advice regarding password hygiene, you are much better equipped than if you had not done so. But as the title of this article suggests, passwords alone are no longer enough to be safe.
The only way to be safe “enough” today is to use multi-factor authentication. This means that you use other factors to log in to a service. It can be an app-based solution, SMS, BankID, or something else.
This means that an attacker will not be able to log in to your account with only your password. The banks have been doing this for years (with BankID), and we consider these safe.
Multi-factor authentication depends on the service in question, and different services support different solutions. Some services do not support it (yet). Therefore, password hygiene is just as important anyway. At least make sure to enable multi-factor authentication on the essential services, and wherever else it is possible.