The keys to the Kingdom.


They’re everywhere.  It seems you nearly need one to go to the bathroom these days.  Unfortunately though, they’re Essential.  No, essential isn’t strong enough.  They’re absolutely CRITICAL!

As you undoubtedly already know, these pesky passwords are quite literally the keys to the kingdom. You work with them, you bank with them, you store your online documents with them, you reveal your personal life on social media with them, you shop with them.  In short you secure your whole digital world with them.

However, we still deal daily with people who don’t seem to grasp what would happen if someone obtained the keys to their kingdom, particularly their email or social media accounts.  If you re-use passwords at multiple sites (and we know none of you ever would 😉 ), it is trivial for an attacker to take the username/password pairs leaked in a breach at one of those sites and replay them, automatically, against every other site, a technique known as Credential Stuffing.  Your email account is the big prize, because the password resets for almost everything else flow through it.  Once one account falls, it all starts to unravel very quickly.

And let’s assume for the moment that you truly don’t have anything important in your email or online documents (extremely unlikely, but I hear this argument all the time…).  The issue is that other people trust you.  When you send an email to anyone you know, they assume they can trust its contents.  If your account has been compromised, all bets are off, but your recipients may not know this.  We see this happen A LOT!!!

For the sake of brevity, please believe me when I say that ALL your online and computer passwords are critical.  When they fall into the wrong hands, bad stuff follows.  Incidentally, if you want to know whether your passwords are already compromised (pretty good chance they are), head over to Troy Hunt’s excellent Have I Been Pwned (no, that is not a typo) site to check your email addresses and passwords.  IMO it is safe to check your passwords at Troy’s site: the Pwned Passwords check never sends your password, only the first five characters of its SHA-1 hash, and the comparison against the list of matching hashes is done on your side.
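To show why the check is safe to run, here is the same k-anonymity range lookup done offline.  This is an added example, not code from the original post or from Troy Hunt’s service: the hash is split exactly as the real API expects, but `fake_fetch_range` and the `SAMPLE_RANGE_5BAA6` response are constructed stand-ins for the HTTPS call to `https://api.pwnedpasswords.com/range/<prefix>` (only the first line of the sample is the genuine suffix of SHA-1("password"); the counts and other suffixes are made up).

```python
"""Offline demonstration of the k-anonymity check used by Have I Been
Pwned's Pwned Passwords API.  Added example; the sample API response is
constructed, not real breach data."""
from __future__ import annotations

import hashlib


def split_hash(password: str) -> tuple[str, str]:
    """Return (prefix, suffix) of the uppercase hex SHA-1 of `password`.

    Only the 5-character prefix ever leaves your machine; the 35-character
    suffix is compared locally against the list the API returns.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines the API returns for one prefix."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range) -> int:
    """How many times `password` appears in breach data (0 = not found).

    `fetch_range(prefix)` must return the response body for
    GET https://api.pwnedpasswords.com/range/<prefix>.
    """
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Constructed stand-in for the real API so the example runs offline.  The
# first suffix is the genuine tail of SHA-1("password") (full hash
# 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8); the count and the other two
# lines are invented.  A real response is several hundred lines long.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
0F5C4B2A8D9E1F3A7B6C5D4E3F2A1B0C9D8:2
A1B2C3D4E5F60718293A4B5C6D7E8F90A1B:17
"""


def fake_fetch_range(prefix: str) -> str:
    """Offline substitute for the HTTPS GET.  It checks that the only thing
    we would have transmitted is a 5-hex-character prefix."""
    assert len(prefix) == 5 and all(c in "0123456789ABCDEF" for c in prefix)
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = pwned_count(pw, fake_fetch_range)
        print(f"{pw!r}: {'seen %d times' % n if n else 'not in sample data'}")
```

To run it against the live service, replace `fake_fetch_range` with an HTTPS GET of `https://api.pwnedpasswords.com/range/` followed by the prefix (the API also honours an `Add-Padding: true` request header, which pads responses so their size does not leak which prefix was queried).  The point the code makes: the server learns a 5-character prefix shared by hundreds of hashes, never the password itself.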

And please remember, what we are trying to do here is to minimise the effects of an attack.  Attacks against your passwords will continue to happen all the time.  They’re happening right now as you read this.  Your job is to do everything reasonable to minimise the effect of those attacks.  Below is a good starting point.

So here’s what to do…

If you follow this advice, your digital world will be a lot more secure than it probably is now.

  1. Never reuse the same username/password combination on more than one site.
    1. So that means every site needs a different username/password combination.  Every Single One!  This is the most important thing to do.
  2. Obviously this means you can’t remember them all.  So don’t!  Use a password manager.  We use LastPass, but 1Password and Dashlane are also excellent.  At the very worst, write them in a book.  LastPass has a free option that is pretty good if you just want it for home.
  3. A good password is long and random, which is exactly what makes it hard to remember: 16 or more characters mixing upper and lower case letters, numbers and symbols.  (So use a password manager and let it generate them!)
  4. If you must remember a password (because you use it very frequently, etc.), use a few unrelated words strung together (e.g. “Ferrari desired-moolah,mi55ing”, and please don’t use this one).  Pick something you’ll remember but that would be hard to guess from knowing something about you.
  5. Use 2FA/MFA anywhere you can (Two Factor Authentication or Multi Factor Authentication).  This combines something you know (like a password) with something you have (like an Authenticator App or a code sent by text message) or something you are (like biometrics).  Prefer an authenticator app over text-message codes where the site offers one, since phone numbers can be hijacked.  It’s not infallible, but it is way better than not having it.
  6. Don’t share your password with anyone.
  7. You also need to run, at a minimum, anti-malware software (or better still, EDR software such as Cisco AMP for Endpoints) on all your computers and Android devices.
    1. If you’re using Windows 10, Defender is free and comes bundled with it.
    2. If you’re using a Mac, consider Malwarebytes or ClamAV.
    3. If you’re using Android (reconsider your life choices 😉 ), try any of the many name-brand products available.  Android is unfortunately very prone to malware.
    4. At this point I haven’t seen an Apple iOS product I’d recommend.  That’s not to say it doesn’t need one; I just haven’t found one yet.

And there you have it.  Simple! Well maybe not simple, but free and achievable.  And please persist with the password manager.  They’re a pain for the first month, while you load them up with all your info.  Then you’ll wonder how you survived without one.

If you manage a mail exchanger, check out our baseline guidance article on Securing Mail Exchange Systems.

Safe Travels!

Ross Marston.

Business Intelligence Security