The 3 things you need to know about passwords, from a security expert


Passwords are both a curse and a blessing

tete_escape/Shutterstock

Passwords occupy a strange place in our lives. They are both a blessing – keeping our data and information safe from anyone who breaks into and accesses our IT systems – and a curse, because they are often hard to manage and hard to remember. Cyber security expert Jake Moore at ESET, a European cyber security firm, is here with three tips to help you rethink your relationship with passwords – and hopefully keep hackers at bay.

1. Use a password manager, even if it feels counterintuitive

I’m a big fan of password managers, and I think they’re wildly underused. Depending on where you are in the world, and who is doing the study, only about a third of people use password managers. That seems like a criminally low number to me. They are a game changer. They give you the ability to create long passwords for your accounts and store them securely. They are so good at generating passwords for you that you don’t have to think of one.

That’s important because we know that when people are asked to come up with their own passwords, they tend to use things or words they know – all of which could be information a hacker or bad actor might have about you, leaving you vulnerable. Password managers also eliminate another major risk, which is people reusing passwords across accounts. If a password you use is also used by someone else, even just one person, and that person’s account is breached, it can end up in the lists of compromised passwords that are used to try to access accounts.

Sometimes I wonder why people don’t use password managers more. It may be that they misunderstand how password managers work, and think that it is unsafe to store passwords online in a place that can be unlocked with a single password. But it isn’t. The vault where the passwords are stored is not just a simple list of passwords sitting on a server: your data is encrypted on your device with a strong key derived from your master password, and what is stored online is the encrypted ciphertext, which even the password management provider cannot read without that key.
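To make that description of the vault concrete, here is an added example, written for this page and not code from the article or from any password manager: a minimal vault in Go that derives a key from the master password with PBKDF2-HMAC-SHA256 (written out inline, since the standard library before Go 1.24 has no PBKDF2), encrypts the vault with AES-256-GCM, and generates a random password the way a manager's generator does. The master password, the iteration count and the sample vault contents are constructed for the demo; real managers use different or stronger derivation (Argon2, scrypt) and richer vault formats.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
)

// Iterations is the PBKDF2 work factor used for the demo (in the range current
// OWASP guidance gives for PBKDF2-HMAC-SHA256); the standard test vector uses 1.
const Iterations = 600_000

// pbkdf2SHA256 derives keyLen bytes from a password and salt (RFC 8018 section 5.2).
// Implemented inline only because older Go standard libraries lack it.
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	for block := 1; len(out) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := prf.Sum(nil)
		t := append([]byte(nil), u...) // T_i = U_1 xor U_2 xor ... xor U_c
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// EncryptVault turns the plaintext vault into the blob a sync server would store:
// salt || nonce || AES-256-GCM ciphertext. The master password and the derived
// key exist only on the device.
func EncryptVault(master string, vault []byte) ([]byte, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	key := pbkdf2SHA256([]byte(master), salt, Iterations, 32)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	blob := append(salt, nonce...)
	return gcm.Seal(blob, nonce, vault, salt), nil // salt doubles as authenticated header
}

// DecryptVault reverses EncryptVault. A wrong master password (or a tampered
// blob) fails the GCM authentication check instead of yielding garbage.
func DecryptVault(master string, blob []byte) ([]byte, error) {
	if len(blob) < 16+12+16 {
		return nil, errors.New("blob too short")
	}
	salt, nonce, ct := blob[:16], blob[16:28], blob[28:]
	key := pbkdf2SHA256([]byte(master), salt, Iterations, 32)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, salt)
}

// GeneratePassword draws n characters uniformly from the alphabet using
// crypto/rand, which is what makes a generated password unguessable.
func GeneratePassword(n int) (string, error) {
	const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*-_=+"
	out := make([]byte, n)
	limit := big.NewInt(int64(len(alphabet)))
	for i := range out {
		idx, err := rand.Int(rand.Reader, limit) // unbiased, unlike modulo reduction
		if err != nil {
			return "", err
		}
		out[i] = alphabet[idx.Int64()]
	}
	return string(out), nil
}

func main() {
	vault := []byte(`{"example.com":"<constructed sample password>"}`) // constructed demo data
	blob, err := EncryptVault("correct horse battery staple", vault)
	if err != nil {
		panic(err)
	}
	fmt.Printf("server stores %d opaque bytes starting %s...\n", len(blob), hex.EncodeToString(blob[:8]))
	if _, err := DecryptVault("wrong master password", blob); err != nil {
		fmt.Println("wrong master password:", err)
	}
	back, _ := DecryptVault("correct horse battery staple", blob)
	fmt.Println("unlocked on device:", string(back))
	pw, _ := GeneratePassword(16)
	fmt.Println("generated:", pw)
}
```

Only the blob ever reaches the server. With the wrong master password the GCM tag check fails outright, so someone who steals the server's copy is left guessing the master password offline at the cost of the full key derivation per guess, which is why a long, unique master password and a high iteration count matter.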

2. Multi-factor authentication is an absolute must

Even with the strongest password in the world – and national cybersecurity agencies recommend that a combination of between 14 and 16 different characters is enough to discourage drive-by attacks – it’s still possible to fall victim to hackers. Multi-factor authentication (MFA) adds a layer of friction for hackers to ensure that every login you make is authorized by you, the user.

It’s an extra layer of security, such as a code sent to your phone. It can be done via SMS text message, but that is not as secure as the other levels. Authenticator apps are, to me, a fantastic next level in MFA, and it’s a shame people aren’t forced to use them. If we think about Instagram, for example, they only tell you about the need to use MFA when you hit 10,000 followers. It’s like they’re thinking, ‘Well, if we enforce it at 10,000 followers, they’re going to do it because they don’t want to lose their 10,000 followers. But if we force them to do that at signup, when they have zero followers, they might get stuck on that and not open an account.’ It’s absurd to me.
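An added example, not from the article, of what an authenticator app actually computes: HOTP (RFC 4226) and TOTP (RFC 6238) in Go using only the standard library, plus the server-side verifier that accepts one step of clock skew, compares in constant time and refuses to accept the same code twice. The secret is the RFCs' published test seed, so the codes can be checked against the tables in those documents; it is not a real secret.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"math"
	"time"
)

// HOTP computes the RFC 4226 one-time code for a counter value.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f // dynamic truncation: low nibble of last byte
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%0*d", digits, code%uint32(math.Pow10(digits)))
}

// TOTP is RFC 6238: HOTP over the number of step-second intervals since the Unix epoch.
func TOTP(secret []byte, unixTime int64, step int64, digits int) string {
	return HOTP(secret, uint64(unixTime/step), digits)
}

// Verifier is the server side. It remembers the highest counter it has accepted,
// so a code that was captured (shoulder-surfed, phished) cannot be replayed even
// inside its 30-second window.
type Verifier struct {
	Secret      []byte
	Step        int64
	Digits      int
	lastCounter int64 // -1 until the first successful check
}

func NewVerifier(secret []byte) *Verifier {
	return &Verifier{Secret: secret, Step: 30, Digits: 6, lastCounter: -1}
}

// Check accepts a code for the current step or one step either side, to absorb
// clock drift, using a constant-time comparison so response timing leaks nothing.
func (v *Verifier) Check(code string, now int64) bool {
	base := now / v.Step
	matched := int64(-1)
	for skew := int64(-1); skew <= 1; skew++ {
		counter := base + skew
		expected := HOTP(v.Secret, uint64(counter), v.Digits)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(code)) == 1 && counter > v.lastCounter {
			matched = counter
		}
	}
	if matched < 0 {
		return false
	}
	v.lastCounter = matched
	return true
}

func main() {
	secret := []byte("12345678901234567890") // RFC 4226/6238 test seed, constructed demo value
	now := time.Now().Unix()
	code := TOTP(secret, now, 30, 6)
	fmt.Println("code right now:", code)
	v := NewVerifier(secret)
	fmt.Println("first use accepted:", v.Check(code, now))
	fmt.Println("replay accepted:", v.Check(code, now))
}
```

The shared secret is what the QR code carries at enrolment, and it is the reason an app code is stronger than an SMS code: the code is derived on the phone from a secret set up once, so there is no message in transit at login time to be intercepted or redirected, and a code that is seen is good for one 30-second step and one use.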

We shouldn’t put people’s convenience before security, and until we enforce that, we’ll continue to see people frantically worried about their social media accounts or having one of their accounts compromised. So switch to MFA wherever it is offered.

3. Avoid passwords entirely where you can

Passwords are far from perfect – and, practically speaking, there is a more modern, secure alternative that is being adopted at an increasing pace. We are moving towards a password-free society, and it is a move in the right direction.

This option is passkeys, and the beauty of them is that they remove much of the human error from the equation. Instead of typing in a password, you sign in with your device or a secure key stored on your phone, often with a fingerprint. Behind the scenes, cryptographic keys do the hard work, but the user doesn’t see it – it remains simple. Simplicity is why they are such a game changer: they take away the temptation to reuse an old password or add a predictable number to the end of something familiar.

In some ways they are too simple. When I talk to people they are suspicious of passkeys because they seem too simple. If it feels easy to them, they assume it must be easy for a criminal too. But that’s not how it works – the technology behind the scenes works much harder than you do.

Passkeys are not yet available everywhere, and there are still pain points, especially if you lose a device. But overall, passkeys are a big step forward because they remove one of the oldest and weakest links in security – the password itself.
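An added example, not the article's and a deliberate simplification of the real WebAuthn flow, showing what the cryptographic keys do behind the fingerprint prompt: a passkey login in Go with Ed25519 from the standard library. The device keeps the private key; the site stores only the public key; each login is a signature over a fresh server challenge together with the origin the browser reports. The site names and the message layout are constructed for the demo (real passkeys sign a structured client-data hash plus authenticator data, and a real authenticator looks its credential up by site, so a different site would not even find it).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Authenticator is the device side: the private key is generated on the device
// and never leaves it; the user unlocks it locally (fingerprint, PIN).
type Authenticator struct {
	priv ed25519.PrivateKey
}

// ServerRecord is everything the site stores at registration: a public key and
// the challenges it has issued. A breach of this table yields nothing that logs in.
type ServerRecord struct {
	RPID   string
	Pub    ed25519.PublicKey
	issued map[string]bool // outstanding challenges, consumed on first use
}

// Assertion is what the device sends back: the origin it believes it is talking
// to, the challenge, and a signature binding the two together.
type Assertion struct {
	RPID      string
	Challenge []byte
	Signature []byte
}

// Register creates a key pair on the device and hands the site the public half.
func Register(rpID string) (*Authenticator, *ServerRecord, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv: priv}, &ServerRecord{RPID: rpID, Pub: pub, issued: map[string]bool{}}, nil
}

// NewChallenge issues a fresh random challenge for exactly one login attempt.
func (s *ServerRecord) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.issued[hex.EncodeToString(c)] = true
	return c, nil
}

// signedMessage is the demo's stand-in for WebAuthn's client-data hash: the
// origin and the challenge, separated so the boundary is unambiguous.
func signedMessage(origin string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write([]byte{0})
	h.Write(challenge)
	return h.Sum(nil)
}

// Sign answers a challenge. The browser, not the user, supplies the origin, so a
// look-alike site gets a signature that names the look-alike, which the real site refuses.
func (a *Authenticator) Sign(origin string, challenge []byte) Assertion {
	return Assertion{RPID: origin, Challenge: challenge, Signature: ed25519.Sign(a.priv, signedMessage(origin, challenge))}
}

// Verify is the site's check: a challenge it really issued and has not seen
// answered before, the right origin, and a signature only the registered key can make.
func (s *ServerRecord) Verify(a Assertion) bool {
	key := hex.EncodeToString(a.Challenge)
	if !s.issued[key] {
		return false // unknown or already-used challenge: replay
	}
	delete(s.issued, key) // one attempt per challenge, whatever the outcome
	if a.RPID != s.RPID {
		return false // signed for a different site: a relayed (phished) assertion
	}
	return ed25519.Verify(s.Pub, signedMessage(a.RPID, a.Challenge), a.Signature)
}

func main() {
	device, site, err := Register("bank.example") // constructed site name
	if err != nil {
		panic(err)
	}
	challenge, _ := site.NewChallenge()
	assertion := device.Sign("bank.example", challenge)
	fmt.Println("genuine login accepted:", site.Verify(assertion))
	fmt.Println("same assertion replayed:", site.Verify(assertion))

	// A look-alike site relays the real challenge; the browser still reports the look-alike's origin.
	challenge, _ = site.NewChallenge()
	relayed := device.Sign("bank-login.example", challenge)
	fmt.Println("relayed assertion accepted:", site.Verify(relayed))
}
```

The last two checks in Verify are the phishing resistance: a look-alike site that forwards the real site's challenge gets back an assertion naming the look-alike's origin, and rewriting that field breaks the signature, because the origin is part of what was signed. That is the technology working harder than the user has to.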

As told to Chris Stokel-Walker
