Password Security – Take action now!
You may have noticed some discussion in the news recently that several MPs have been sharing their login details with their staff as a matter of course. This brought a lot of criticism from security professionals and the ICO (Information Commissioner’s Office), who have now reminded MPs of their duties under the Data Protection Laws. The existing data protection laws and the new GDPR state that you have a duty of care over any personal data held within your systems. This potentially opens companies up to fines if these duties are not taken seriously or are breached without pre-emptive measures having been taken.
Username and password combinations are the primary method used to authenticate users and allow them access to data and mailboxes. We’re seeing an increased number of attacks on networks in which criminals try to guess usernames and passwords, with the intention of either stealing data or, more often, installing a virus that encrypts files so that they can then blackmail the company.
At a basic level, you shouldn’t share your password with anyone; this includes members of staff and colleagues. A crucial part of our staff contracts is that breaking this rule could lead to disciplinary action. If you need a team to access your emails or documents, it’s always better to set up permissions correctly rather than give out your password; we can help.
We recommend that you pick a good password that is as complex as you can remember but, more importantly, of sufficient length. We recommend setting a password of at least eight characters comprising two words, some numbers and special symbols ($, @, #, etc.).
Click here to generate some examples of strong passwords, as described above. Use a different password for your work account than for other places. If someone manages to get hold of your Facebook password, you don’t want them to have access to your work email. For example, if a website you frequent suffers a security breach that leads to all registered email addresses and passwords being stolen, the criminals could then use those email addresses to look up the users’ mailboxes and try the same passwords across multiple platforms. They could, for example, use the compromised email address and password to gain access to online shopping accounts and make purchases.
Do:
- Use both upper-case and lower-case letters.
- Include one or more numerical digits.
- Include special characters, such as @, #, $, etc.
- Use a minimum recommended length of 8 characters.
- Change your password regularly.
Don’t:
- Use words related to personal information.
- Give your password out to anyone.
- Use the same password across multiple platforms.
- Keep passwords noted down, physically or virtually.
Two Factor Authentication
Two-factor authentication, or 2FA, adds a second layer to your primary login. Without 2FA, you enter only your username and password to gain access to an account; a password on its own is a form of single-factor authentication. The second factor is in place to make your account less prone to forced entry. The three main types of authentication factor are:
- Something you know: something unique that you will remember, such as a personal identification number (PIN), a pattern or a password.
- Something you have: a fob or phone that randomly generates an authentication code every 30 to 60 seconds.
- Something you are: a modern form of multi-factor authentication can be a facial recognition scanner, a fingerprint scanner or a voice print system.