Almost all cyber-security breaches are a result of human error – most often passwords are to blame.
But creating and managing secure passwords doesn’t have to be difficult. In fact, improving the way you and your colleagues use passwords is something that can be done right now.
And it’s important you do – passwords are put in place to restrict access to data that shouldn’t be accessible to the wider public. For those of us working at ADRA, a password breach could not only have a negative impact on your work and finances, but in some cases have devastating ramifications for the people we are working to protect and serve.
Are you using VaultWarden? If not, get it now for free as part of the ADRA Source suite! Go to our Security page for more information.
What makes a password secure?
A secure password is difficult for someone to access or guess. In simple terms it should be:
- Be long
- Mix upper- and lower-case letters
- Contain numbers (1, 2, 3 etc.); and,
- Contain special characters (@, $ etc.)
How long is a long password? Here’s how quickly passwords of each length, even complex ones, can be broken by brute-force guessing:
- 7 characters – 0.29 milliseconds
- 8 characters – 5 seconds
- 9 characters – 5 days
- 10 characters – 4 months
- 11 characters – 10 years
- 12 characters – 200 years
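To show where figures like the ones above come from, here is an added worked example (not part of the ADRA article) that computes the brute-force search space for a given length and mix of character classes, the corresponding entropy in bits, and the worst-case time to exhaust it at an assumed guess rate. The guess rate of 10^10 guesses per second is an assumption chosen for this example; the article’s own timings depend on assumptions it does not state, so the output here is not meant to reproduce them. The example also goes slightly beyond the article by letting you compare character sets, which shows that each extra character multiplies the search space by the size of the alphabet.

```python
"""Brute-force search space versus password length (added illustration).

Not the article's code. The guess rate is an assumed, constructed value.
"""
import math
import string

# Sizes of the character classes the article recommends mixing.
CHARSET_SIZES = {
    "lower": len(string.ascii_lowercase),   # 26
    "upper": len(string.ascii_uppercase),   # 26
    "digits": len(string.digits),           # 10
    "special": len(string.punctuation),     # 32 printable ASCII symbols
}
ALL_CLASSES = ("lower", "upper", "digits", "special")

# Assumed attacker throughput (guesses per second) for an offline attack on a
# fast, unsalted hash. Constructed figure for the example only.
ASSUMED_GUESSES_PER_SECOND = 10**10


def alphabet_size(classes=ALL_CLASSES):
    """Total number of distinct characters available from the chosen classes."""
    return sum(CHARSET_SIZES[c] for c in classes)


def keyspace(length, classes=ALL_CLASSES):
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size(classes) ** length


def entropy_bits(length, classes=ALL_CLASSES):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size(classes))


def seconds_to_exhaust(length, classes=ALL_CLASSES, rate=ASSUMED_GUESSES_PER_SECOND):
    """Worst-case seconds to try every password of that length at `rate` guesses/s."""
    return keyspace(length, classes) / rate


def human_duration(seconds):
    """Render a duration in the largest sensible unit (years, days, ...)."""
    units = [("years", 365 * 24 * 3600), ("days", 86400),
             ("hours", 3600), ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.3g} {name}"
    return f"{seconds * 1000:.3g} milliseconds"


def crack_time_table(lengths=range(7, 13), classes=ALL_CLASSES):
    """Rows of (length, entropy bits, worst-case seconds) for each length."""
    return [(n, entropy_bits(n, classes), seconds_to_exhaust(n, classes))
            for n in lengths]


if __name__ == "__main__":
    print(f"alphabet of {alphabet_size()} characters, "
          f"{ASSUMED_GUESSES_PER_SECOND:.0e} guesses/s (assumed)")
    for n, bits, secs in crack_time_table():
        print(f"{n:2d} chars: {bits:5.1f} bits, worst case {human_duration(secs)}")
    # Length versus complexity: 12 lower-case letters beat 8 mixed characters.
    print(f"12 lower-case: {entropy_bits(12, ('lower',)):.1f} bits; "
          f"8 mixed: {entropy_bits(8):.1f} bits")
```

Each additional character multiplies the search space by the alphabet size (94 for all four classes), which is why the article’s figures jump by orders of magnitude per character. The last line of the demo makes a point worth knowing when choosing a password: twelve lower-case letters give more entropy than eight characters drawn from all four classes, so length is the cheapest way to make a password expensive to guess.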
In addition to being long and complex, secure passwords should be unique – that is, the same password should not be used across multiple systems. This is especially true for your email, which is often used for password reset/recovery and, if compromised, would expose every system you have an account with.
And, now you’re thinking – ‘Great, now I have to remember a complex 11-character password for every account I have.’
It may seem impossible, but with the right approach and tools it doesn’t have to be difficult.
How to create better passwords
1. Use a standard phrase like “I like snowboarding” – then swap out some of the characters with special characters and capitalise a few (at set positions, like the 3rd and 5th). Now your password looks like “1l!K3Sn0wb0ard!ng” – that’s pretty complex!
To make it system specific, just add some relevant characters to the password – for example:
- Amazon – Amaz1l!K3Sn0wb0ard!ng
- Facebook – Face1l!K3Sn0wb0ard!ng
2. Use a password manager like VaultWarden. Instead of having to remember multiple complex passwords – and then dealing with systems that require you to change them at various intervals – a password manager means you only have to remember one secure password.
VaultWarden is a highly secure password manager which has been installed on ADRA’s very secure environment (security.ADRA.cloud); so secure, in fact, that if you forget your master password we have no way to recover it for you.
VaultWarden will help you generate complex and random passwords, and automatically store them so you can recall them when needing to log into a web system or site.
VaultWarden can run on Windows, Mac, and Linux, and also has extensions for all popular web browsers including Chrome, Firefox and Safari. VaultWarden will also work on Android or Apple mobile phones.
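The two things the article asks of a password manager are that it generates random passwords meeting the rules above and that you never reuse one across systems. Here is an added example (not VaultWarden’s code, and not affiliated with the project) of both checks in Python: a rule checker, a generator built on the standard library’s `secrets` module (a cryptographically secure random source), and a reuse finder run over a small constructed vault. The minimum length of 11 is the article’s figure; the sample vault entries are constructed for this example.

```python
"""Generate and check passwords against the article's rules (added example).

Not VaultWarden's code. Uses Python's `secrets` module for randomness.
"""
import secrets
import string

MIN_LENGTH = 11  # the article's recommended minimum length
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "special": string.punctuation,
}
ALPHABET = "".join(CLASSES.values())


def missing_requirements(password, min_length=MIN_LENGTH):
    """Return the rules the password fails; an empty list means it passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    for name, chars in CLASSES.items():
        if not any(ch in chars for ch in password):
            problems.append(f"no {name} character")
    return problems


def generate_password(length=16):
    """Draw a uniformly random password and retry until every class is present.

    Rejection sampling keeps the result uniform over the set of passwords that
    pass the rules. The common shortcut of 'pick one character from each class,
    then fill and shuffle' is not uniform and slightly reduces entropy.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not missing_requirements(candidate):
            return candidate


def find_reuse(vault):
    """Map each password used for more than one system to the systems sharing it.

    `vault` is {system_name: password}. Anything returned breaks the
    one-password-per-system rule and should be rotated, email first.
    """
    by_password = {}
    for system, password in vault.items():
        by_password.setdefault(password, []).append(system)
    return {pw: systems for pw, systems in by_password.items() if len(systems) > 1}


# Constructed sample vault for the demo; the passwords are placeholders.
SAMPLE_VAULT = {
    "email": "1l!K3Sn0wb0ard!ng",
    "amazon": "1l!K3Sn0wb0ard!ng",
    "facebook": generate_password(20),
}

if __name__ == "__main__":
    for pw in ("snowboarding", "Short1!", "1l!K3Sn0wb0ard!ng"):
        print(f"{pw!r}: {missing_requirements(pw) or 'ok'}")
    print("generated:", generate_password())
    print("reused passwords:", find_reuse(SAMPLE_VAULT))
```

Running the demo flags the lower-case phrase and the short password, accepts the article’s mangled phrase, prints a fresh 16-character password, and reports that the email and Amazon entries in the sample vault share a password, which is exactly the situation the article warns about: one reset email compromises both.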
The Do’s and Don’ts of Passwords
| Do | Don’t |
| --- | --- |
| Use a password manager | Share your password with others |
| Use complex 11-character passwords | Reuse old passwords |
| Use a different password per system | Let your web browser save/remember your password |
| Use 2-factor authentication (covered in more detail in another article) | |
Help! My password has been compromised…
If you receive an email saying you have changed your password and it wasn’t you, immediately start changing the password on every system that used it. It’s likely the hackers will already be trying to access these other systems.
If the email says something like ‘Click here if it wasn’t you’ or ‘Check the Logs’ – DO NOT click the link. It is likely you will be asked for more personal details which hackers can use to access your data.
Instead, go directly to the system. For example, if you receive an email from Facebook saying ‘Click this link if you didn’t just reset your Facebook password’, open a web browser and go to Facebook rather than clicking on the link in the email.
When you have logged in to the system, look through your profile and account settings to ensure the hacker didn’t add another way to gain access to the system after you change to a new password – this could be an added recovery email or phone number, or changed password questions and answers.