Managing identification, and more specifically passwords, is a key lever in cybersecurity.
This is part of cybersecurity best practices: if you have a good password policy in place, it is more difficult to attack and compromise your accounts, whether they are professional or personal.
At a time when the most used password is still 123456, this article aims to improve your cybersecurity hygiene and the quality of your passwords.
These tips are applicable both in your professional environment and in your personal environment.
We will define what a good password is and give you the keys and tools to simplify your life while improving your security.
Let's start by defining what a good password is.
Definition of a good password
I have always been amazed at the number of people who have fundamentally bad and weak passwords - meaning they are easy to guess or force - but are convinced otherwise.
This video from an American show is the perfect illustration:
So, what is a good password?
A good password meets several criteria:
- It has strong entropy (see next point)
- It is random and not "guessable"
- It is unique: it is only used once
Entropy: the strength of a password
Entropy determines the strength of a password. It measures how difficult it is to guess or "crack" a password by enumerating possibilities.
In this illustration, we understand that the longer the password, the harder it is to guess by enumeration.
So opt for long passwords as a priority.
You can increase entropy by using uppercase letters, numbers, and special characters.
An important point here is the selection of words: they must be random.
Choosing a random password
A motivated hacker always conducts preliminary research - during a phase called OSINT - before and during an attack.
This phase allows them to collect useful data when planning the attack scenario and can also be used to create attack dictionaries to enumerate possible passwords.
Maiden name of your mother, name of your dog, dates of birth, all these elements that can be recovered from various open sources on the Internet can be used to create lists of passwords to try.
This often allows attackers to find your password by enumeration, by creating password dictionaries based on variations of this collected data. Each password is "tried" in these "dictionary" attacks.
Hence the importance of the second characteristic of a good password: it must use random elements.
If your password has strong entropy and is composed of random elements, there is still one danger to be aware of: password reuse.
Only use your password once
We live in a hyper-connected world, and every website and platform asks us to create an account with an email and password.
Having a different password for each account is very complicated and requires a memory worthy of the Guinness World Records.
In the next section, I will present tools to address this problem, but today, the solution chosen by the majority of internet users is to reuse their passwords.
After all, you have taken the time to create a good password with strong entropy and random elements, why do the work multiple times?
The problem no longer lies with you, but with the sites where you use your password.
If these sites are compromised and store your passwords in a weakly secure manner, attackers can retrieve your email and password by hacking these sites.
If you reuse these credentials on other platforms, the attacker can then gain access to your other accounts since you are using the same password each time.
You need a unique password for each platform.
Don't worry, you don't have to memorize them all. There are tools that will greatly simplify your life.
The right tools for your password strategy
In this section, I will talk about two tools that will help you strengthen your password strategy: a password manager and multi-factor authentication.
Password manager or digital safe
The concept is simple: it is a tool that securely and centrally stores all your passwords - as well as other information for most of them.
With this tool, you only need to remember one strong password to access all your accounts.
Most of them have a password generator that can assign strong and completely random passwords to your accounts.
So yes, if someone gets your master password, they can access all your passwords. However, this is already the case with the password for your email address: once that is obtained, the attacker can change all your passwords using password recovery or reset procedures.
Furthermore, imagine that you have the choice of living either in a house with broken windows and doors - easily attackable passwords that you memorize - or in a fortress made of solid and impenetrable bricks - randomly generated passwords from the manager - with a very resistant gateway, since you only need to remember one strong password. Which residence would you prefer to live in?
The password manager is a formidable tool for strengthening your password policy.
There are many password managers. Among the most well-known are:
- Bitwarden
- KeePassXC
- LastPass
- 1Password
With a special mention for the first two, which are free and open-source.
Another sovereign option you can implement, which not only allows you to manage your passwords but also enables secure file transfers, is LockSelf.
These tools often have browser plugins that allow for automatic filling of the login credentials on login pages.
Be careful not to use the built-in features of your browser: their storage system is much less secure and your passwords can be retrieved.
Multi-factor authentication (MFA)
Multi-factor authentication adds an additional layer of security in addition to the password.
When multi-factor is used, you must have at least two identification factors among:
- what you know
- what you have
- what you are
- and sometimes... where you are located
A simple identification requires proving that you have knowledge of the identifier and the associated password during login. This factor belongs to the "what you know" category.
By adding verification through an application like Google Authenticator, we add the "what you have" factor, as you must also have your smartphone in addition to knowing your password to log in.
However, be careful, this system is not invulnerable, and there are bypass techniques as we have shown in our article on how to bypass MFA with a simple phishing email.
One particularly effective form of MFA is the use of U2F keys (Universal 2nd Factor). Due to its algorithm, U2F is more difficult to bypass.
Activate multi-factor authentication whenever possible, especially on your password manager.
General usage rules
Now that we have the right tools and knowledge for a robust password policy, there are two usage rules that will help you avoid hacking your accounts.
Security questions and password recovery procedures
You have probably all lost a password at some point and have encountered these security questions that allow you to set a new password.
Questions like the name of your elementary school or the first name of your best friend.
The problem with these questions is that the answers can usually be found with a simple search engine or through social engineering techniques.
This is how iCloud accounts of celebrities were hacked. It is not very difficult to find the name of a celebrity's pet, as this information is easily accessible on various dedicated websites.
Now that you have installed a proper password manager, you should no longer need these password recovery features. In any case, do not use them conventionally: they are a major security flaw.
Use the random password generation function to generate your answer. Write down everything - question and answer - in a secure note, and you won't have to worry about a cybercriminal using these recovery procedures without your knowledge.
Check the pages you log in to
This is a habit you need to acquire. Every time you are faced with a form asking for sensitive information: login, password, credit card, etc., check the URL of the page you are on.
Credential harvesting, or the retrieval of credentials, is a well-known and widespread attack that involves impersonating login pages to trick you into logging in - with a convincing pretext most of the time - and retrieving your access.
No matter how strong your password is, if you give it to the attacker through these attacks, it will not protect you for very long.
So adopt a critical mindset and the habit of checking the address of the page where you are asked for sensitive information.
Conclusion
By adopting these techniques and tools, you will have a much better password policy than the average person.
Adopting these habits, both in the professional world and for personal use, allows you to significantly increase your level of cybersecurity.
Passwords are now the basis of identification, and you can no longer afford not to stack the odds in your favor by adopting good password management.