Password Security – Take action now!

You may have noticed some discussion in the news recently that several MPs have been sharing their login details with their staff as a matter of course. This brought a lot of criticism from security professionals and the ICO (Information Commissioner’s Office), who have now reminded MPs of their duties under the Data Protection Laws.
Both the existing data protection laws and the new GDPR state that you have a duty of care over any personal data held within your systems. This exposes companies to fines if those duties are not taken seriously, or if a breach occurs without reasonable preventive measures having been in place.
Username and password combinations are still the primary method of authenticating users and granting them access to data and mailboxes. We are seeing an increasing number of attacks on networks where criminals guess usernames and passwords, or replay ones stolen elsewhere, with the aim of stealing data or, more often, installing ransomware that encrypts files so the company can be blackmailed.

The Basics

At a basic level you should not share your password with anyone, including members of staff and colleagues; a key part of our staff contracts is that breaking this rule can lead to disciplinary action. If you need staff to have access to your emails or documents, it is always better to set up the permissions correctly (delegated mailbox or folder access, shared drives) than to hand out your password: that access can then be revoked for one person without affecting anyone else, and the audit trail shows who actually did what. We can help with this.
We would also recommend that you pick a good password: one that is as complex as you can reliably remember, but more importantly one of sufficient length, since length does far more to defeat guessing than swapping letters for symbols does. We recommend a password of at the very least 8 characters, made up of two or more words, some numbers and special characters ($, @, #, etc.). Treat 8 as a floor, not a target.
Just as importantly, do not use the same password for your work account and elsewhere. If someone gets hold of your Facebook password, you do not want them to also have access to your work email. A typical scenario: a website you use suffers a breach and all registered email addresses and passwords are stolen. The criminals then take each email address, work out which mailbox and which other services it is likely to belong to, and try the same password across all of them (known as credential stuffing). They could, for example, use the stolen email address and password to get into a shopping account and place orders on your card.

Do

  • Use both upper-case and lower-case letters.
  • Include one or more numerical digits.
  • Include special characters, such as @, #, $, etc.
  • Use a minimum length of 8 characters, and go longer wherever you can.
  • Change your password straight away if you suspect it has been exposed, rather than relying on routine changes, which tend to produce weaker, predictable variations of the old one.

Do Not

  • Use words related to personal information (names, birthdays, pets, the football team).
  • Give your password out to anyone.
  • Use the same password across multiple platforms.
  • Keep passwords written on paper, or stored in plain text files, spreadsheets or browser notes; a reputable password manager is the safe way to hold a unique password for every service.
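The Do and Do Not lists above, expressed as a password policy check. This is an added illustration, not code from the original page; the rule names, the minimum length and the way personal information is matched (any fragment of three or more characters from the supplied names, email addresses and dates) are assumptions made for the example. A real deployment would also reject passwords that appear in known breach lists.

```python
import re

MIN_LENGTH = 8  # assumed floor, taken from the list above
SPECIALS = set("!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~")


def _personal_tokens(personal_info):
    """Split names, email addresses and dates into lower-case fragments of
    three or more characters, e.g. 'Jane Smith' -> {'jane', 'smith'}."""
    tokens = set()
    for item in personal_info:
        for tok in re.split(r"[^a-z0-9]+", item.lower()):
            if len(tok) >= 3:
                tokens.add(tok)
    return tokens


def check_password(password, personal_info=()):
    """Return the list of rules the password breaks, in a fixed order:
    length, lower, upper, digit, special, personal.
    An empty list means the password passes every rule in the lists above."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("length")
    if not any(c.islower() for c in password):
        problems.append("lower")
    if not any(c.isupper() for c in password):
        problems.append("upper")
    if not any(c.isdigit() for c in password):
        problems.append("digit")
    if not any(c in SPECIALS for c in password):
        problems.append("special")
    lowered = password.lower()
    if any(tok in lowered for tok in _personal_tokens(personal_info)):
        problems.append("personal")
    return problems


if __name__ == "__main__":
    # Constructed sample user: Jane Smith, born 1990 (not a real person).
    info = ["Jane Smith", "jane.smith@example.com", "1990"]
    for candidate in ["password", "Jan1990!", "Blue-Kettle-42"]:
        print(candidate, "->", check_password(candidate, info) or "OK")
```

Note that "Jan1990!" satisfies every character-class rule and still fails, because it embeds the user's birth year; character rules alone do not catch the passwords people actually pick.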

Two Factor Authentication

Two-factor authentication, commonly referred to as 2FA, adds a layer to your basic log-in. Without 2FA, you simply enter your username and password to gain access to an account; a password on its own is single-factor authentication. The second factor means that a guessed, phished or leaked password is not, by itself, enough to get into the account.
The three main types of authentication factor:

  • Something you know: a personal identification number (PIN), a pattern or a password.
  • Something you have: a fob or phone app that produces a short authentication code which is only valid for a 30 to 60 second window. The codes are not random; they are computed from a secret shared with the service at enrolment and the current time, which is why a lost or cloned device must be treated as a security event and its secret revoked.
  • Something you are: facial recognition, a fingerprint scanner or a voice print system.