Passwords are both a curse and a blessing
tete_escape/Shutterstock
Passwords occupy an odd place in our lives. They’re both a blessing – keeping our data and information safe from anyone intruding into our IT systems and accessing them – and a curse, in that they’re often difficult to manage and tricky to remember. Cybersecurity expert Jake Moore at ESET, a European cybersecurity firm, is here with three tips to help you rethink your relationship with passwords – and hopefully keep hackers at bay.
1. Use a password manager, even if it feels counterintuitive
I’m a big fan of password managers, and I think they’re wildly underused. Depending on where you are in the world, and who’s doing the study, only around one-third of people use password managers. That to me seems a criminally low number. They’re a gamechanger. They give you the ability to create long passwords for your account and to store them securely. They’re so good at generating the passwords for you, you don’t have to think of one.
That’s important because we know that when people are asked to come up with their own passwords, they tend to rely on things or words they know – all of which could be information a hacker or bad actor could have on you, and could make you vulnerable. They also nullify another big risk, which is people reusing passwords across accounts. If a password is used by someone else, even just one person, and that person’s account is breached, it can end up in the tables of vulnerable passwords that are used to try and probe and test getting access to accounts.
I sometimes wonder why people don’t use password managers more. It might be that they misunderstand how password managers work, thinking that storing passwords online somewhere that can be unlocked with a single password is insecure. But it’s not. The vault in which the passwords are stored isn’t just a simple list of passwords sitting on a server: your data is encrypted on your device with a strong key derived from your master password, and what’s stored online is the scrambled cipher text, which even the password manager provider can’t read without that key.
2. Multi-factor authentication is an absolute must
Even with the strongest password in the world – and national cybersecurity agencies recommend that a combination of between 14 and 16 different characters is enough to dissuade drive-by attacks – it’s still possible to fall victim to hackers. Multi-factor authentication (MFA) adds a layer of friction for hackers to make sure that any login you make is approved by you, the user.
It’s an extra layer of security, such as a code to your phone. It can be done via SMS text message, but that’s not as a secure as the other levels. Authenticator apps are to me a wonderful next level in MFA, and it’s a shame people aren’t forced to use it. If we think about Instagram, for example, they only inform once you hit 10,000 followers about the need to use MFA. It’s as if they’re thinking, ‘Well, if we enforce it at 10,000 followers, they’re going to do it because they don’t want to lose their 10,000 followers. But if we enforce them to do that at signup, when they have zero followers, they might get bogged down by it and not open an account.’ That to me is absurd.
We shouldn’t be putting people’s ease of use ahead of security, and until we enforce it, we will still see people frantically worried about their social media accounts or any of their accounts being compromised. So turn on MFA wherever it is offered.
3. Where you can, avoid passwords entirely
Passwords are far from perfect – and handily, there’s a more modern, secure alternative that’s being adopted with increasing pace. We’re moving towards a passwordless society, and that’s a move in the right direction.
This alternative is passkeys, and the beauty of them is they remove a lot of the human error from the equation. Instead of typing in a password, you sign in using your device or a secure key stored on your phone, often with a fingerprint. Behind the scenes, cryptographic keys do the hard work, but the user doesn’t see that – it stays simple. The simplicity is why they’re such a gamechanger: they take away the temptation to reuse an old password or add a predictable number on the end of something familiar.
In some ways, they’re too easy. When I talk to people they’re suspicious of passkeys because they seem too simple. If it feels simple for them, they assume it must be simple for a criminal too. But that’s not how it works – the tech behind the scenes is working far harder than you need to.
Passkeys aren’t yet available everywhere, and there are still pain points, especially if you lose a device. But overall, passkeys are a major step forward because they remove one of the oldest and weakest links in security – the password itself.
As told to Chris Stokel-Walker
Topics:
