Diamond IT Blog

Has your Password Been Compromised?

Written by Samantha Cordell | April 20, 2022

From work accounts and social media to online billing, banking and emails, most Australians have hundreds of accounts containing personal information which require usernames and passwords.

Robert De Nicolo, Cisco's director of cyber security for Australia, said 81 per cent of breaches typically involve weak or stolen credentials from passwords.

Prompted by World Password Day in May, we take the opportunity to remind readers of the importance of strong passwords, how to achieve this, and how to check if your password has been compromised.

How to check if your password has been compromised

We recommend using Pluralsight information security author Troy Hunt's email and password assessment site, https://haveibeenpwned.com/.

  • haveibeenpwned is a free resource to quickly assess if you may have been put at risk due to an online account of yours having been compromised or "pwned" in a data breach.
  • A "breach" is an incident where data has been unintentionally exposed to the public, more often than not as a result of a cyber attack.
  • If your email address has been pwned in a data breach, change your password for that service to something strong and unique immediately.
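As an added illustration (not code from the original post or from Troy Hunt's service), the check below uses the Pwned Passwords range API that haveibeenpwned.com also publishes; the endpoint and its Add-Padding header are assumed from the service's documentation, not from this post. Only the first five hex characters of the password's SHA-1 hash are sent, so the password itself never leaves your machine; the matching is done against a constructed sample response so it runs offline.

```python
import hashlib
import urllib.request
from typing import Optional, Tuple

# Real endpoint of the Pwned Passwords k-anonymity API (from my own knowledge
# of the service; the post itself only links haveibeenpwned.com).
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"

def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Upper-case SHA-1 hex of the password, split into the 5-char prefix
    that is sent to the API and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def count_in_range(suffix: str, range_body: str) -> int:
    """Scan a range response ('SUFFIX:COUNT' per line) for our suffix.
    Returns the breach count, 0 if absent. Count-0 entries are padding
    (from the Add-Padding header) and are treated as 'not found'."""
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix.upper():
            return int(count) if count.isdigit() else 0
    return 0

def fetch_range(prefix: str) -> str:
    """Live lookup of one prefix (network call; not exercised offline)."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "password-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def pwned_count(password: str, range_body: Optional[str] = None) -> int:
    """Breach count for a password; pass range_body to check against a
    canned response instead of calling the live API."""
    prefix, suffix = sha1_prefix_suffix(password)
    body = range_body if range_body is not None else fetch_range(prefix)
    return count_in_range(suffix, body)

# Constructed sample response (not real API output): the suffix of the
# 'Password1' example from the post, one made-up neighbour, one padding entry.
_EXAMPLE_SUFFIX = sha1_prefix_suffix("Password1")[1]
SAMPLE_RANGE_BODY = "\r\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:3",
    _EXAMPLE_SUFFIX + ":2401948",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:0",
])
```

Calling pwned_count("Password1") without a second argument performs the live lookup; any count above zero means the password has appeared in a breach and should be replaced.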

The Basics of Creating a Secure Password

In previous articles, we have discussed the fundamentals of how to create a secure password. Let's touch on them again below.

1. The longer the better: At a minimum, you should have 8 characters in your password or passphrase; however, we recommend 12 or more.

2. Complexity: Adding numbers and special characters greatly increases the strength of a password, as does a combination of lower and upper case letters.

3. Avoid repetition: Try to avoid creating a complex password, then incrementing it by one character each time you’re asked to change it. And remember - it is essential not to use the same password across multiple devices and systems. This is where the use of a password manager program can come in handy.

4. Avoid obvious words/phrases: It concerns us that we still have to say it, but don't create passwords using obvious phrases like "Password1", "QWERTY", "asdfjkl" or "abc123". Dictionary-based brute-force attacks start with these obvious phrases.

5. Don’t write it down: Don’t record your password anywhere, especially not on a post-it note on your desk!

Recommendations from the Australian Cyber Security Centre

To mitigate cyber security incidents caused by password breaches, the Australian Cyber Security Centre (ACSC) advises the following:

  • Require all users to periodically reset passwords to reduce the ongoing risk of credential compromises.
  • Consider increasing password length and complexity requirements to mitigate the risk of brute-force attacks being successful.
  • Implement a lockout for multiple failed login attempts.
  • If credentials have been compromised, reset passwords as soon as possible.
  • Discourage users from reusing the same password across critical services such as banking and social media sites, or sharing passwords for a critical service with a non-critical service.
  • Recommend the use of passphrases that are not based on simple dictionary words or a combination of personal information: this reduces the risk of password guessing and simple brute-forcing.
  • Advise users to ensure new passwords do not follow a recognisable pattern: this reduces the risk of intelligent brute-forcing based on previously stolen credentials.

Educate your employees on the importance

The ACSC also recommends prevention techniques such as clearly documenting cyber security policies and cyber security awareness training for all employees.

The purpose of cyber security awareness training is to educate staff about the cyber threats and attacks they may be subjected to each day, including the importance of good password hygiene.

Cyber security awareness training also ensures that you and your employees understand the part everyone must play in protecting your organisation's and clients' data.

How can Diamond IT help?

If you want to educate your employees on how to create and maintain secure passwords, our staff education programs and policy and procedure reviews can help. Our Business Technology Consultants are specialists in improving your internal cyber security.

If you need advice on how you can ensure your cyber security strategy is fit for purpose, our team of cyber security experts is ready to help. Contact our team on 1300 307 907 today.