Last Friday the Australian staff of one of our clients received a Cyber Security talk from one of our partners, Layer 8 Security (https://layer8security.com.au/).
Included in that talk was information about password security. Some of you have asked me about Layer 8’s recommendations. It’s important to realise that Layer 8 will certainly want you protected from all worst-case scenarios.
In an attempt to clear up some ambiguity and share some of the details with people who were unable to attend, I would recommend everyone consider the following when it comes to password best practice.
This applies to all your passwords both personal and work related.
- Firstly, using the same password for every single website, including banking, social media, email and work, would be considered very bad practice.
- I recommend reviewing the site or service you’re logging onto. If the service is email, contains confidential information, or gives access to anything financial, I would suggest applying a different password to each one.
- I would recommend the use of a passphrase to aid recall. As recommended by Layer 8, use a passphrase, but rather than using the whole phrase including spaces, use the first letter of each word and then add a category…
The phrase “From the ocean to the Silver City” > Ft0ttsc
for NAB banking > NFt0ttsc
for Facebook > FFt0ttsc
- Instead of a passphrase you can still use your existing passwords, but just add the category to create uniqueness.
- Don’t use plain dictionary words as these can be easily cracked; instead replace e with 3, o with 0, s with 5, b with 8, a with 4 and I with 1.
- Always make sure your email password is completely different from the passwords you use on other websites.
- Look to change the password / phrase once a year.
- Also use MFA on important websites.
- And utilise a password manager such as 1Password or LastPass.
The reason why we need to do this…
In 2012 LinkedIn was hacked and the passwords of 6.5 million users were published on the darknet. If you were registered with LinkedIn prior to 2012 and you’re still using the same password, change it NOW!
The same scenario occurred at other high-profile companies: Dropbox in 2012, Adobe in 2013 and Sony in 2014. If you want to see a complete list to ensure this really sinks in, have a look at this one… https://haveibeenpwned.com/PwnedWebsites
So why care? Well, hackers use these lists to attempt to log in to other sites. They also use the lists to spam and to undertake spear-phishing campaigns. Scammers have also been known to quote the leaked password in an email as an extortion attempt.
If you would like to check whether you’ve been compromised, you can search your email address on the same site… https://haveibeenpwned.com/.
Search on all your email addresses including work and personal.
Now if it shows your email has been breached (or Pwned!), don’t worry, just take the time to change your passwords as recommended above. These companies are well known and their user bases are large, so it’s not unusual to be listed.
If you’re unsure of anything, please chat to us.