Blog written by Arcanum Penetration Testing team
Strong Passwords/Password Manager
Setting passwords is always tricky – you can set something easy to remember but weak or easily guessed like Password1! or something hard to guess, but hard to remember like A@297vBk=.
Then there’s the problem that each website has different password requirements. Some passwords might be accepted on one website but not accepted on another, meaning that your latest super secure password that you know by heart might not be usable.
Finally, there’s password reuse – because so many different applications require passwords, it’s often more convenient to just use a handful of passwords for everything.
It’s easy to see why someone might cut corners when setting their password! It can be exhausting and tedious to come up with random passwords that you’ve never used before and be expected to remember them all without fail.
Weak or reused passwords mean that a bad actor won’t have to do much work to get into the account your password protects. If you’ve used the same password in multiple places, every website where that password is used is at risk! So if you’ve used the same password to protect your email, online banking, or Facebook accounts – you’re taking a pretty big risk!
Using a Password Manager is recommended – most allow you to make an account which can then be used on your computer and your phone, and will sync the passwords between them. It can also generate secure passwords which you can then copy and paste into (most) websites/apps.
Another perk of a password manager is that you’ll only need to remember a single password. However, since it protects ALL your passwords – it will need to be particularly secure since, if it is broken into, an attacker would have access to all your passwords and usernames.
Choosing a Strong Password
While some password managers may allow you to set the complexity of any passwords they generate (things like the minimum length or any special characters), you may be called on to set passwords yourself – like the master password that lets you access your other passwords!
When choosing a password:
- A longer, easier to remember password is better than a shorter, more complex one
- Use three things you’ve seen today and join them together
- Add in some numbers and a symbol
The following should be AVOIDED when creating passwords:
- Your name
- Names of loved ones
- Pets’ names
- Where you were born
- Dates of significance (your date of birth, anniversaries, loved ones’ birthdays etc.)
- Anything that’s a favourite of yours (Sports team, holiday location etc.)
- Anything obvious (e.g. “Password”) or the name of the application you’re trying to log into
With the above, a secure password might be 9SquirrelCoffeeNewspaper& which is 25 characters long and much easier to remember than AdZX25^v8 and less easy to guess than NewYork2022! even though all three are considered complex and would meet most complexity requirements.
The comic strip below shows the idea behind choosing longer passwords over shorter, complex ones, and why they’re easier to remember!
Source: https://xkcd.com/936/ – Shared under Creative Commons Attribution-Non-Commercial 2.5 License.
Another thing to remember – these passwords should inspire you when making your own, they shouldn’t actually be used (Since they’re not a secret!)
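As an added example (not code from the Arcanum post), the following shows the two sides of the advice above in working form: a small password-manager style generator that follows the "three things joined together, plus a number and a symbol" pattern, and a checker that rejects passwords containing the kinds of personal details in the "avoid" list, including the app name and the word "password". The wordlist and the personal details used are constructed for the demo.

```python
"""Passphrase generator and "avoid list" checker (added example, not from
the original post). The wordlist and the sample personal details below are
constructed for the demo; a real password manager draws from a list of
thousands of words."""
import re
import secrets
import string

# Constructed mini wordlist for the demo; a real generator uses thousands of words.
WORDLIST = ["squirrel", "coffee", "newspaper", "bicycle", "lantern", "violin",
            "harbour", "pumpkin", "glacier", "meadow", "compass", "teapot"]
SYMBOLS = "!@#$%&*"


def generate_passphrase(words: int = 3, wordlist=WORDLIST, rng=secrets) -> str:
    """Digit + N capitalised words + symbol, the shape of 9SquirrelCoffeeNewspaper&.
    `rng` only needs a .choice(); the `secrets` module is the right default
    because it uses the operating system's cryptographic random source."""
    chosen = "".join(rng.choice(wordlist).capitalize() for _ in range(words))
    return rng.choice(string.digits) + chosen + rng.choice(SYMBOLS)


def is_well_formed(password: str, words: int = 3) -> bool:
    """True if the password has the digit, words, symbol shape above."""
    pattern = rf"\d(?:[A-Z][a-z]+){{{words}}}[{re.escape(SYMBOLS)}]"
    return re.fullmatch(pattern, password) is not None


def _letters(text: str) -> str:
    """Lowercase letters only, so 'New York' and 'NewYork2022!' compare equal."""
    return re.sub(r"[^a-z]", "", text.lower())


def violates_guidance(password: str, personal_terms, app_name: str) -> list:
    """Return the reasons a password breaks the post's advice (empty list = OK).
    Names and places are matched on letters only; dates are matched on any
    run of four or more digits, so a birth year hidden in a date is caught."""
    reasons = []
    letters = _letters(password)
    digits = re.sub(r"\D", "", password)
    for term in list(personal_terms) + [app_name, "password"]:
        term_letters = _letters(term)
        if len(term_letters) >= 3 and term_letters in letters:
            reasons.append(f"contains '{term}'")
        for run in re.findall(r"\d{4,}", term):
            if run in digits:
                reasons.append(f"contains the number {run} from '{term}'")
    if not any(c.isdigit() for c in password):
        reasons.append("no number")
    if not any(c in string.punctuation for c in password):
        reasons.append("no symbol")
    return reasons


if __name__ == "__main__":
    # Constructed personal details for the demo.
    personal = ["Kevin", "Rex", "New York", "14/03/1990"]
    print(generate_passphrase())
    print(violates_guidance("NewYork2022!", personal, "Facebook"))
    print(violates_guidance("Kevin1990!", personal, "Facebook"))
    print(violates_guidance("9SquirrelCoffeeNewspaper&", personal, "Facebook"))
```

The checker is deliberately strict about normalisation: stripping case, spaces and punctuation before comparing is what stops a "favourite holiday location" from slipping through as `NewYork2022!`, which is exactly the kind of password the post warns is easy to guess despite meeting complexity rules.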
Multi-Factor Authentication (MFA)
When you log into something, you’re proving you are who you say you are by using one of the following:
- Something you have (Like a bank card)
- Something you know (A password or PIN)
- Something you are (Such as your fingerprints)
The idea is that only you should know or possess what you’re using to log in. To make this more secure, the concept of MFA is that you use more than one different method to verify yourself to make it considerably more difficult for a bad actor to log in to your account.
A good example is using an ATM – you need both the bank card (something you have) and the PIN (something you know) together for it to work; it’s not enough to have just one of these.
MFA has become increasingly common in places such as online banking – where your bank may text you a code or send you a notification on your phone asking you to confirm a transaction. Many websites now offer MFA in one form or another, but very few make it a requirement.
Almost all MFA falls into one of 3 categories for day-to-day web browsing – a code sent via SMS to the mobile number associated with the account; entering a 6-digit code from an “authenticator” app that ties your phone to the account; or receiving a confirmation prompt on your phone if the website you’re logging in to has a mobile app.
Setting up an authenticator app
An authenticator is a mobile application which generates a new 6-digit code every 60 seconds, which you enter when logging in, or which sends a notification to your phone to approve the login. A single app can hold multiple code generators for different websites (e.g., one for Facebook, another for Google, and so on), meaning you don’t need lots of additional apps on your phone to manage 2FA for each website.
Authentication apps like Google Authenticator, Authy, or Microsoft Authenticator are all available on the Apple App Store and the Google Play Store. Once you’ve made a choice and installed your preferred authenticator you can begin enabling MFA on various websites.
In most cases, you can enable MFA (sometimes called 2FA) within your account settings or under any “Security” option. Authy provides a number of free guides showing how to enable 2FA for popular services such as Google, Facebook and Microsoft; they are available here: https://authy.com/guides/.
Setting up 2FA in an authenticator requires scanning a QR code with your phone camera, then entering the code the app generates back into the website to confirm it. Once this is done, you’re good to go and 2FA has been set up on your account! If your camera is broken or your phone doesn’t have one, you can instead type a code displayed on the website into the app rather than scanning a QR code.
Below shows the steps needed to enable MFA/2FA in Facebook:
- After logging in to Facebook, open settings by clicking the arrow icon in the top right-hand corner and then selecting “Settings”:
- On the next screen choose “Security and login” (1), then click the edit button next to “Use two-factor authentication” (2):
- Choose a 2FA method (This tutorial will show an Authentication app)
- Scan the QR code with your Authenticator app, or enter the code shown on your screen into the app, then click continue:
Once this is done, you will need to enter one of the generated codes from your device into the browser to confirm it. Congrats! You’ve successfully added MFA to your Facebook account and helped make yourself more #CyberSmart!