Never Choose Your Passwords
Passwords: they’re an outdated concept and inherently insecure.
In 2016, there’s very little reason to choose a password yourself. Whilst sometimes it can’t be avoided (and for that, there’s Multi Factor Authentication: ‘MFA’ or ‘2FA’), we’ve been banging on for years about the benefits of Password Safes, Password Managers and Password Vaults.
Even then, your randomly generated, unique password should be combined with MFA wherever possible, to ensure that it’s not much use if compromised on its own.
Who cares about Passwords?
You shouldn’t know, or care, what the vast majority of your passwords are. Why should you need to remember a password? With a password manager you can copy and paste it securely; never type it, never even see it; you can do this from your Smartphone, PC, Mac or browser. You know it’s unique, can’t be used elsewhere if the service is compromised and, even without MFA, it’ll be secure enough for most purposes (it’s more likely that social engineering will circumvent it anyway).
Passwords are Dead — here’s what you should do:
- Choose a good Password Manager — Lastpass Premium, Lastpass Enterprise, Dashlane Business, maybe KeePass if you prefer Open Source and don’t trust ‘Cloud’.
- Let your Password Manager generate high entropy, random passwords (and even change them for you automatically)
- Ensure your passwords are Unique and not repeated anywhere (e.g. use the Lastpass Security Challenge to check)
- Enable Multi Factor Authentication (MFA / 2FA) on your Lastpass and other services, wherever possible (e.g. using the Google Authenticator app)
- Educate your users about Phishing, Vishing and staying vigilant. Whether 1980 or 2016: Social Engineering is usually the key to hacking, and always will be.
- Review your Security Layers. Security’s like an onion: multiple layers, layer upon layer. Each layer protects the next, the critical detail’s at the centre (or hidden elsewhere).
- Never be complacent. If you think you’re safe, that’s when you’re no longer safe enough.
- Mitigate Potential Damage. Think ahead: accept that, if someone really wants to get in, they will. Therefore, try to mitigate what happens via Forensic Readiness Planning.
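To make the second and third points concrete, here is an added example (not code from the original post or from any of the password managers named) of what a manager does for you: draw passwords from a CSPRNG, work out how much entropy that gives, and run a reuse check across a vault the way a security challenge would. The vault contents are constructed sample data, not real credentials.

```python
import math
import secrets
import string
from collections import defaultdict

# Character pool a password manager typically draws from (94 printable ASCII characters).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Draw each character uniformly with the OS CSPRNG (secrets), never random.random()."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(pool size).

    This only holds for generated passwords. A human-chosen 'Summer2016!' uses
    the same pool but is a dictionary word plus a year, so it is far weaker.
    """
    return length * math.log2(alphabet_size)


def find_reused_passwords(vault: dict[str, str]) -> list[list[str]]:
    """Return groups of sites that share one password, without exposing the passwords."""
    sites_by_password: dict[str, list[str]] = defaultdict(list)
    for site, password in vault.items():
        sites_by_password[password].append(site)
    return sorted(sorted(sites) for sites in sites_by_password.values() if len(sites) > 1)


# Constructed sample vault (not real credentials): three sites reuse one weak password.
SAMPLE_VAULT = {
    "bank.example": "Summer2016!",
    "mail.example": "Summer2016!",
    "shop.example": "Summer2016!",
    "forum.example": generate_password(),
}

if __name__ == "__main__":
    print("20-character random password: %.1f bits of entropy" % entropy_bits(20))
    print("passwords reused across:", find_reused_passwords(SAMPLE_VAULT))
```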
Security ≠ Convenience
Whilst Security doesn’t equal Convenience, if someone can throw enough resource at it, they’ll hack you. That’s when your BCP and insurance need to be good. But don’t worry too much: take a step back and wonder why someone would want to hack you.
Security Through Obscurity
Just like opportunist theft, fraud’s more likely to happen to easy targets, unless you have something which they want... that’s what a Risk Assessment’s for. GCHQ’s more likely to be targeted than Good Convenience store’s Head Quarters — and your response should be proportionate to the risk.