
Traditionally these sorts of resolutions have revolved around improving health and quitting things that do us no good. But this year, rather than trying to stop smoking, or becoming a vegan, why not clean up some bad password hygiene? Why not make one change that may not cut inches from the waist, but might improve your cyber security strength?

2020 has shown that cyber-crime is a growing threat in the world, and one of the easiest and simplest changes everyone can make to improve their security is to enhance their passwords.

Did you know 59% of people use the same password for everything? And out of these passwords, you’d be surprised at how many of them are commonly used.

A government investigation, carried out by the National Cyber Security Centre, found the most hacked passwords globally, and the results are, well, predictable.

Believe it or not, the most commonly hacked password is 123456, with 23.2 million cases. In second place is 123456789, with 7.7 million cases. Other honourable mentions include ‘Liverpool’, ‘Chelsea’, ‘Batman’, ‘Blink182’, and of course, ‘password’ – yes, there are 3.6 million cases where the password was ‘password.’

Something as important as personal data shouldn’t be protected by something as easy to guess as a football team, a first name, or the word ‘password.’

Why? Because 90% of passwords can be hacked in less than six hours. 

And once cracked, a hacker can access emails, personal data, contacts, social media, payment methods, and addresses – of course, if the same password is used for everything, then the impact becomes greater as the hacker can access all these examples simultaneously.

In a work environment, this is especially risky due to the types of information that could potentially be stored on a work device. Employees should have strong passwords that only they know. Research has shown that 18% of employees share their passwords amongst each other to collaborate or, in some cases, because this was ‘company policy.’ These factors make for very bad password hygiene in the workplace.

So what is good password hygiene?

Outdated methods would have us believe that a 14-character password, with a small mixture of letters and numbers, is strong enough to secure your accounts. So, something like Walesrugby1999 would be good enough. In the modern world, this quite clearly isn’t good enough, especially in a workplace environment where these passwords protect sensitive data.

What makes a good password is easier to explain by breaking passwords down to their fundamentals and describing exactly how their strength is measured.

The randomness of data is called entropy, and it is measured in bits. This sounds complicated but it’s relatively easy to understand. Here’s an example – a coin toss, which has two outcomes to guess, heads or tails, can be described as having 1 bit of entropy. Winning the lottery, which unfortunately is around a 1 in 286 million chance, can be said to be about 28 bits. As you can see, the harder an outcome is to guess, the more bits involved: essentially, bits equal strength.

In modern computing, 128 bits is the usual minimum key strength for encryption algorithms.

How does this apply to password strength?

A password’s strength can be measured as its length multiplied by the entropy per symbol – the ‘randomness’ – provided each symbol is chosen at random. For example, a single random digit (0–9) has an entropy of about 3.322 bits, so you would need 39 random digits to achieve 128 bits of entropy.

Unless you happen to be Rain Man, you probably won’t be able to remember a sequence of 39 numbers, so adding a mixture of random symbols and letters can help towards shortening the password while also maintaining strong entropy. Of course, 128 Bits isn’t necessary for everything but should be the standard for sensitive types of information.
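The arithmetic above, worked through as an added example (not code from the original article): bits per symbol for a few character pools, the length each needs to reach 128 bits, and a generator that uses the operating system’s random source. The pool names are assumptions for this illustration; the article only talks about digits, letters and symbols in general terms.

```python
import math
import secrets
import string

# Character pools (constructed for this example).
POOLS = {
    "digits": string.digits,                                  # 10 symbols
    "lowercase": string.ascii_lowercase,                      # 26 symbols
    "letters+digits": string.ascii_letters + string.digits,   # 62 symbols
    "letters+digits+symbols": string.ascii_letters + string.digits + string.punctuation,  # 94
}


def bits_per_symbol(alphabet_size: int) -> float:
    """Entropy of one symbol drawn uniformly at random: log2(alphabet size).
    A coin toss (2 outcomes) gives 1.0; a 1-in-286-million lottery gives ~28."""
    return math.log2(alphabet_size)


def password_entropy(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * bits per symbol.
    This formula only holds for random choice; 'Walesrugby1999' is really
    two dictionary words and a year, so its true strength is far lower than
    14 symbols over a 62-character pool would suggest."""
    return length * bits_per_symbol(alphabet_size)


def length_for_bits(target_bits: float, alphabet_size: int) -> int:
    """Smallest length at which a random password reaches target_bits."""
    return math.ceil(target_bits / bits_per_symbol(alphabet_size))


def generate(alphabet: str, target_bits: float = 128) -> str:
    """Build a random password long enough for target_bits, using the
    secrets module (a CSPRNG) rather than random, which is predictable."""
    n = length_for_bits(target_bits, len(alphabet))
    return "".join(secrets.choice(alphabet) for _ in range(n))


if __name__ == "__main__":
    for name, alphabet in POOLS.items():
        n = length_for_bits(128, len(alphabet))
        print(f"{name:24s} {bits_per_symbol(len(alphabet)):5.2f} bits/symbol "
              f"-> {n} random symbols for 128 bits")
    print("example:", generate(POOLS["letters+digits+symbols"]))
```

Running it shows why mixing character classes shortens the password: 39 random digits, 28 random lowercase letters, 22 random letters and digits, or 20 random symbols from the full printable set all reach the same 128 bits.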

But again, to reiterate, these letters should also be random and not just be your favourite football team.

Password Advice for individuals

Here are some simple actions you can take to protect yourself, your data and your business from hackers, and improve your password hygiene in 2021:

  • ‘Randomness.’ As mentioned, the entropy of each symbol increases the strength of a password. The more random your password is, the harder it is to crack.
  • A mixture of characters. So, symbols, numbers, letters; and try not to put them in any predictable order.
  • A long password, in fact, the longer the better.
  • Don’t use common phrases or words, especially ones that are personal to you. That means no birthdays, no names, and no pets.
  • Keep passwords to yourself! No sharing passwords and try not to store passwords in plain text anywhere, especially not next to your computer.
  • Use a password manager. No one expects you to remember all of your passwords when they are that ‘complex’. Devices now often offer a random password generator so you don’t have to come up with passwords yourself, and the manager stores them securely for you to refer back to.

To summarise, a password should be long, random, use a mixture of symbols, and should not use any actual word or phrase, especially one that is important to you: and don’t forget, you should use a different password for everything!

Password Advice for Organisations

The best advice for organisations when considering network security is to assume the threat is already inside. Embrace a zero-trust approach and ensure that any user or device that wants to connect to a resource must re-establish trust before access is granted.

This approach combats the increased threat from shifts in modern-day working such as wider cloud adoption, mobile application usage and remote working, all of which can contribute to credential theft and feed the rise of privileged access as an attack vector.

After all, according to the Identity Defined Security Alliance (IDSA), 94% of organisations have experienced this kind of attack, and 99% of those would have been highly preventable with a more robust security posture in place.

So with that, let’s hope for a good 2021. Some of you may run that marathon and some of you might give up meat, but let’s all take it upon ourselves to improve our cyber-security and password hygiene.
