When Ciaran Bunting read about the recent Ticketmaster cybersecurity incident, he immediately changed his password on the site, even though it wasn’t clear if passwords had been exposed. “Thankfully, I was using a randomly generated password on there, but I can honestly say I didn’t always follow good password practices. Pretty much everyone I know has a Ticketmaster account. Over the course of the next few days, I made sure to mention to family and friends to make sure they change their passwords and reminded them about good password practices,” reported Ciaran. According to the FIDO Alliance, passwords are the root cause of over 80% of data breaches.
Expertise in Secure Systems
As a software engineer for 24 years, Ciaran has developed expertise in building secure systems, following secure development practices and continually learning about the threats posed by malicious actors online.
“It is usually the large attacks or a hack involving a celebrity which will gain attention, but everyone will know someone who has been the victim of a hack or a scam which will compromise your accounts, credit card or bank account.”
Importance of Educating Others
Ciaran believes that those working in the tech industry should be helping to educate their family, friends, followers, and community on being safe online and following good security practices. Not everyone works in a company that enforces good practice on its systems; for many, the sudden need to enable remote work in 2020 was their first introduction to VPNs, hardware security keys, and multi-factor authentication.
Advocating for Password Managers
Ciaran stresses the importance of a password manager. “Tech companies don’t always enforce best practices on their users, but the landscape is improving. Smartphones come with a password manager built in, which actively scans leaked password dumps, some from the dark web, to notify users of compromised passwords or accounts. They can also highlight passwords that are weak or are easily brute forced by an attacker or passwords that are being used across multiple accounts.”
Strong Random Passwords
As Ciaran points out, a password manager, whether built into a phone or an app such as LastPass, Bitwarden, or 1Password, to name a few, will generate and enforce strong random passwords. Apple recently announced its own password manager, which will be a dedicated app instead of being hidden away in the settings.
Securing Email Access
Using a password manager is only the first step in good security practice. “Your email is critical for your security online, as it’s so often used to receive a one-time password as a second security factor for many websites or used to validate creating an account. So, your email access must be secured with multi-factor authentication, ideally using an authentication app on your phone which generates a one-time password which is only valid for 30-60 seconds.”
The Role of Multi-Factor Authentication
Securing your email account is vital, and multi-factor authentication is essential to achieving this. Once an attacker can access your email, they may be able to reset your password on other accounts, giving them access to more of your personal information, because many password reset flows work by sending an email.
“Remember to set a backup email access and mobile phone number for your email, in case you get locked out. And of course, that backup email should also be well protected!”
Using Authenticator Apps
Google and Microsoft both provide free authenticator apps which can be configured easily to generate a short-lived one-time code that serves as a second factor of authentication. Many banks and other services also send such a code as a text message. That code should never be shared with anyone: banks and services will never ask for it over the phone or in a message, whether email, SMS, or otherwise.
Benefits of Password Managers
“Your password manager is your personal assistant for securing your passwords. Let it generate strong random passwords and remember them for you. Then, you will never have to use the same password for multiple accounts just so you can remember it yourself.”
Checking for Exposed Passwords
Ciaran also points out how you can find out if your password has been exposed in a hack. “Password managers should warn you if a password has been exposed in a previous hack, where the data has been made available either publicly or on the dark web. They visit the dark web, so you don’t have to. Change any password that has been exposed or a password identified as regularly in use.”
Additional Tools for Password Safety
Other methods are available to find out if a password has been exposed. “The website Have I Been Pwned, which is maintained by security researchers, can be used to search for exposed accounts. Pwned is internet slang for owned, where account details have been exposed in a hack.” According to the FIDO Alliance, 51% of passwords are reused.
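The leak checks described in the two passages above can be done without the password itself ever leaving the device. The following added example (not code from the article, Have I Been Pwned, or any password manager) illustrates the k-anonymity range lookup that the Pwned Passwords API offers: the client sends only the first five hex characters of the password's SHA-1 and matches the returned suffixes locally. The breach corpus, its counts and the `fake_range_lookup` stand-in for the network call are constructed for this example.

```python
import hashlib

# Constructed sample of "leaked" passwords with made-up occurrence counts.
# The real Pwned Passwords corpus holds hundreds of millions of hashes.
_LEAKED_SAMPLES = {"password": 1000, "123456": 5000, "letmein": 42}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the form the Pwned Passwords range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Index keyed by full hash, as the server side would hold it.
_CORPUS = {sha1_hex(p): n for p, n in _LEAKED_SAMPLES.items()}


def fake_range_lookup(prefix: str) -> str:
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.
    Returns one 'SUFFIX:COUNT' line per stored hash sharing the 5-char prefix."""
    if len(prefix) != 5:
        raise ValueError("range lookup takes exactly 5 hex characters")
    lines = [f"{h[5:]}:{n}" for h, n in _CORPUS.items() if h.startswith(prefix)]
    return "\r\n".join(lines)


def pwned_count(password: str, range_lookup=fake_range_lookup) -> int:
    """k-anonymity check: only the hash prefix is sent; the full hash is
    compared locally, so the service never learns which password was queried.
    Returns the number of times the password appeared in breaches (0 = none)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        if not line:
            continue
        candidate, count = line.split(":", 1)
        if hashlib.sha1 and candidate == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", pwned_count(pw))
```

Swapping `fake_range_lookup` for a function that performs the real HTTPS request gives the same logic a password manager can run against the live service.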
Best Practices for New Accounts
When signing up for an account with a service, be vigilant about how the website is handling passwords and authentication. “HTTPS is almost ubiquitous now, so be wary of any site not using it. If the browser warns you about any sort of certificate error with the site, don’t go any further. Be wary of any site which allows setting weak or short passwords, as the owner isn’t thinking enough about the security of their users. If they provide multi-factor authentication, it is advisable to use it and it shows they are giving their users best practice security options.”
Utilising Single Sign-On Services
Many sites allow registering and logging in with an existing account with Google, Microsoft, or Apple. “This takes extra effort on the behalf of the site to integrate with such ‘Sign in with’ services but this limits the number of accounts and passwords you are creating, and these services also provide multi-factor authentication. So, that extra effort provides a lot of security best practices.” Users have more than 90 online accounts, according to the FIDO Alliance. It is also advisable to delete older unused accounts.
Future of Passwords: Passkeys
Potentially, passwords could be a thing of the past in a few years.
Passkeys are a new way to sign into apps and websites, which are being supported by Google, Apple, and Microsoft working together in the FIDO Alliance. Passkeys promise to be more secure than username and password combinations. “To the user, creating a passkey on your phone is incredibly simple, as the cryptographic technology behind it is not easily understandable by the average user. Your phone biometrics will provide an extra layer of security to your passkey access.”
—Content by Ciaran Bunting—