It’s the New Year so let’s make things a little easier for us all this year and take some time out to talk a little about Usernames and Passwords…
How many people know your email address or your mobile phone number?
If you use your email address or your mobile phone number as a username to log into software or any other applications then all those people already know half of your credentials!
Just think about it: you use your email address or mobile phone number to log onto PayPal (used here as an extreme example only; the same could be said for any similar organisation). One of our Clients told us that their personal email account was not that important, and therefore the password for that account didn’t need to be as secure as we were telling them.
We ran the following scenario past them:
Someone manages to access your personal email account and changes your password; by doing so they block your own access to your own email account.
They then try to log onto PayPal (using your email address) and use the ‘forgotten password’ link. In doing so they get a new password sent by email to the email account you no longer have access to, but they do… They then have access to your PayPal account using the new password sent to your email account and thereafter empty your bank account, all done in less than 10 minutes… Whilst you were sleeping…
Our Client went almost white and ran off to make a few changes…
Indeed this example has been taken to its extreme, and it could be argued that PayPal also asks for other security information before resetting a password, like your mother’s maiden name. How many times have you used that? Indeed it gets frightening, but please take the advice: if you do use your email address or mobile phone number as a Username for anything, then an awful lot of people already know half of your log on credentials. So make sure that your email account has a very secure password, that your mobile phone network operator requires a very secure password to authorise changes to your mobile phone account, and that the password used with your email address/mobile phone number as a username to access the software application itself is also extremely secure.
With regard to your mobile phone network password, a recent well publicised article detailed an unfortunate situation where a user had used his mobile phone number for two factor authentication (via text message) to access his online email account. A hacker had his mobile phone number diverted to another number via the network operator, and hey presto, the text including the important two factor authentication digits was received on the diverted number and the user’s account was hacked.
Therefore, if you use generally well-known information (your email address or mobile phone number) as a username to access any software or applications, be very careful that the associated log in password and the password protecting the account to which the well-known information delivers content (your mailbox or your phone) are both very secure.
We always go on and on about passwords to our Clients: they are the weakest point you will have in any software installation. Quite unbelievably, we have seen people with administrator rights on both corporate networks and different website software packages using passwords like ‘Password1’ or ‘Letmein’, or even standard software default passwords such as ‘admin’! Whilst we do as much as we can to help after the event, it is very frustrating to see all the effort made to make a network or piece of software as secure as possible undone because the weakest point, the password, is not secure! Enough said…
Therefore always use a very secure password for your database(s), for all users that you afford access to your software, and for applications you use yourself. Always use a password that’s random and cannot be guessed; we suggest a minimum of 20 different characters. To generate a random password we suggest using the Strong Password Generator website. Click on ‘Show Options’, set the length of the requested password to 20, and tick the options currently available: include punctuation, avoid punctuation used in programming, and avoid similar characters. Generate the password and save it somewhere very secure.
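The same kind of 20-character random password can be generated locally, which avoids sending a secret through a third-party web page at all. The following is an added example written for this article; it is not code from the Strong Password Generator website, and which characters that site drops under its “avoid punctuation used in programming” and “avoid similar characters” options is not published here, so the two exclusion sets below are assumptions. It uses Python’s `secrets` module (a cryptographically secure source, unlike `random`) and rejects any candidate that is missing a character class, so the result is uniformly drawn from passwords that contain lower case, upper case, digits and punctuation.

```python
import math
import secrets
import string

# Assumed exclusion sets (not taken from the website mentioned in the article).
# "Similar" characters are those easily confused when read or typed out.
SIMILAR_CHARACTERS = set("il1Lo0O")
# Punctuation that tends to break shell commands, config files or SQL strings.
PROGRAMMING_PUNCTUATION = set("{}[]()<>/\\'\"`;:~")


def build_alphabet(include_punctuation=True, avoid_programming=True, avoid_similar=True):
    """Return the sorted alphabet matching the three options described above."""
    chars = set(string.ascii_letters + string.digits)
    if include_punctuation:
        chars |= set(string.punctuation)
    if avoid_programming:
        chars -= PROGRAMMING_PUNCTUATION
    if avoid_similar:
        chars -= SIMILAR_CHARACTERS
    return "".join(sorted(chars))


def generate_password(length=20, **options):
    """Generate a random password that contains every character class in the alphabet.

    Rejection sampling keeps the distribution uniform over all acceptable
    passwords; forcing one character per class and shuffling would not.
    """
    alphabet = build_alphabet(**options)
    classes = [
        {c for c in alphabet if c.islower()},
        {c for c in alphabet if c.isupper()},
        {c for c in alphabet if c.isdigit()},
        {c for c in alphabet if c in string.punctuation},
    ]
    classes = [cls for cls in classes if cls]  # drop classes the options removed
    if length < len(classes):
        raise ValueError("length too short to include every character class")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in classes):
            return candidate


def entropy_bits(length, alphabet):
    """Bits of entropy for a uniformly random password of this length and alphabet."""
    return length * math.log2(len(alphabet))


if __name__ == "__main__":
    alphabet = build_alphabet()
    print("alphabet size:", len(alphabet))
    print("password:", generate_password(20))
    print("entropy: %.1f bits" % entropy_bits(20, alphabet))
```

With all three options on, the assumed alphabet has 71 symbols, so a 20-character password carries roughly 123 bits of entropy, far beyond what can be guessed; if the punctuation option is turned off the alphabet shrinks to 55 symbols and the same length gives about 116 bits, which is why length matters more than any single option.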
Finally, never, ever use the same password across different databases, logins and applications!
There are many secure password storage options; search on Google for ‘Password Vault’ and do plenty of research before you decide which one to use, as moving to another in the future will take up a lot of your time. We do strongly suggest using one of the many options available, as these will save your passwords and, if you upgrade to a paid version, will make them available to you on your hand-held devices and the other PCs that you use. Of course, only choose one that is secure itself as well: once you have made your choice, search the web for feedback on the platform you propose to use before you start using it and tell it all your usernames and passwords!
One of our favourite ones available at present is ‘LastPass’, which you can read more about on their website here.
The LastPass offering includes the ability to generate secure passwords for you. It will also give you a security report of the passwords you are using and furthermore, using the paid version, you can almost automatically change passwords at many sites on a regular basis.
Two Step Authentication
If this is available to you from the software installation, always use it. However, remember that if you lose your phone you could have serious issues; there is nearly always another way to get into the software, but it won’t be easy, and that’s by design!
We recommend using the Google Authenticator App. Search for it on Google; it’s generally easy to set up and is supported by more and more software developers across many different platforms.
Yes, we agree it might be a pain to enter a very random username and thereafter a very long, secure and random password (see saving passwords above, as this almost solves that issue). After that you only ever need to get out your hand-held device and enter the 6 digit authenticator code it generates, and you are into the software.
Just think of the heartache and pain if you had not secured the site and there was a lot of work to be done after a hack, or even worse, someone has emptied your bank account while you were sleeping! So heed the advice: use very strong passwords and, if it is available to you, back this up with Two Factor Authentication.
We hope you have found this small article of interest.