Cybersecurity Series: Not only a good password can save you a lot

Today, each of us has a lot of passwords for different services. One for the computer, the other for the e-mail box, for logging in to social networks or various websites. Of course, it is almost impossible to remember them all, so a large percentage of people use the same password wherever possible. For example, you know that according to the latest surveys, the winner among passwords in the Czech Republic is: "username or family member's name" with more than 22% among other passwords. With more than 45% of users using the same password for multiple services, we can only imagine the potential impact in this one example.

A good example is my wife. She uses the same password for the website where she buys clothes, the same for buying books and food over the internet and on facebook. What threatens her? Someone can post an inappropriate video on her Facebook profile, or publish opinions that my wife does not share. Quite simply, they steal her identity, she will never get her profile back. On the payment portal, where she has stored cards, the attacker will use this information to his advantage… Fortunately, my wife was persuaded and changed her password and set up a multifactor login wherever she could. In IT security terminology: she minimized the risk.

Can you guess the consequences of your stolen passwords?

Due to the nature of our work in the field of cyber security, we still monitor various password leaks and their publication on public or "non-public" (darkweb) parts of the Internet. If we look at the current numbers, the total number of stolen passwords is in the tens of millions and of course it is possible to find these also in the Czech environment.

Of course, this is also monitored by large players, and they also monitor and integrate these resources into their services. For example, in Chrome you are notified of a compromised password.

The solution to this problem is certainly not pleasant for every user. It is impossible to remember hundreds of passwords and it is also not appropriate to use passwords written in the calendar. From my own practice, I can recommend using different passwords for different services. Store these passwords in services that allow them to be stored securely. Nowadays, a large number of services can send a forgotten password. Yes, you're waiting tensely at your computer for your password to run out, but it's worth the wait.

Another very good solution is, of course, to use multifactor login. And preferably wherever possible. Using multifactor login for example in a corporate environment, private email or profiles on social networks is not much different than, for example, login to a bank. The only difference is that the second factor is not always required, but only at a certain interval. This means not only addressing access to the corporate environment, but also reducing the risk of, for example, the unauthorized transfer of a profile on a social network and the possibility of impersonating someone else.

Finally, I add recommendations to observe the following points:

  • The password should not be shorter than 8 characters.
  • The password should contain uppercase, lowercase letters, numbers and special characters.
  • Do not use the same passwords in multiple services.
  • Use multifactor login wherever technically possible.
  • If possible, do not use passwords that can be associated with your person or the environment.
  • Check the password against the lists of leaked passwords.