English (US) English (US)
English (UK) English (UK)
French (France) Français (France)
Chinese (Simplified) 简体中文
Chinese (Traditional) 繁体中文

PASSWORD MANAGEMENT: how to protect yourself better without headaches

Password management is one of the biggest pain-point in IT management because it is one of the primary features that can represent the biggest vulnerabilities of your digital life/work, let's have an overview...

What are the main concerns?

The combination of an ID (i.e. an email address) together with a password grant access to a person to a certain system (i.e. ERP, Facebook, ...). Nowadays, it exist many Cyber solutions to protect this well sensitive topic, however in this private/work cross-over life, company protecting themselves only isn't enough anymore. For example, an HR could use her own private password to access both her Facebook account and professional website recruitment which is obviously a big fail since professional email address are very easy to guess...

The main problem is the difficulty to remember all password and ID for different systems combined with the wrong education we give to people on how to setup "strong" passwords...

Unique ID/Password system, the wrong "good idea"

Some companies adapted a unique ID/Password system which means that, in exchange for stricter security policies, you will only have one ID and one password to remember to connect every where.

First issue, no matter how strong are the policies of your company they will not be enforced for your private accounts therefore it will not change the vulnerability I described about the private/work cross-over.

Second issue is pretty easy to guess, if I can crack your password, I will have unlimited access to all your accounts...

From my personal experience I've noticed plenty of companies who tried such account management then come back to a more normal yet flexible and separate password management.

How to manage my IDs?

An ID/account/user is not so different than a password in the fact that if you can't find my ID, even you have the correct password, you will not be able to connect to my account... There is a wrong idea that an account identification can be shared publicly (like email address) because in any cases it's not so difficult to find. You should start think of your ID as a password too.

I also suggest you to have, 3 or more different account. One for professional use, a second for private use and a third for sensitive/dangerous activities.

The 2-first are pretty obvious towards their use so let me talk about the third one. This account will be used for sensitive activities like a new website you don't really know and raise concerns about (like an unknown e-commerce platform) or even for some newsletter or online survey...

Don't worry, if later you noticed this is a safe website/system, you will probably (most of the time) be capable to change your email address.

Three or more different ID will prevent you to be totally vulnerable in case of a breach, specifically if you get good habits to use the "sensitive account ID".

How can hackers can crack a password?

This is the most difficult part, how to manage password... Everyone knows that 123456 isn't a safe password, still plenty of people use it (as well as password, admin, azerty, qwerty, ...) It exist, mostly, 2 kind of password attacks, brute force and Key-words.

BRUTE FORCE

A brute force attack is an automatic script that will try all possible solutions like aaa, aab, aac, ..., baa, bab, bac, ... zaa, zab, ... and so on. There is, like this, plenty of possibilities, however it is not the work of a human but a machine so it goes very VERY fast to crack a 8-digits password. Using upper-case, lower-case, number and special characters, is indeed, giving more difficulties to crack-it, however it isn't enough.

KEY-WORD ATTACK

The key-word attack is similar to brute force but will try all the word existing in a dictionary as well as specific word (i.e. the most well-known unsecured password, the city you were born, your child name/nickname, ...). Such attacks are very efficient for people who choose password too easy to remember or related to their private life.

Then how to manage my passwords?

To strengthen the security of your password there is only 2 ways, long password & unique password for each account. I know, it's difficult to remember all of them, so let me give you a hint... Break down you password into three parts.

  1. First part would remind you the location of your account

  2. Second part is your core and same password

  3. Third part, is a non-logical and personal part

Your password for Windows: Windows-Ilovepasta-Ver.3 The first part is related to the account i'm trying to access Second part is my general and always same core password Third part is a non-logical part which I decided to link to the number of time I changed my password with all security requirements (upper case, number, special characters.

My password for Facebook: Facebook-Ilovepasta-N3verchange As you can see, it is not so difficult to remember but very hard to guess and to crack (31 characters!)

MY CONCLUSION

So let's remember that you should have at least 3 account (work, private, sensitive) which will guarantee that your private life does not affect your work life and vice-versa. For the password reminder you can of course switch the order of my three breakdown (core password, version, location, etc...) you can customize the length (Fac for Facebook, Win for Windows, etc...) and/ or use special characters every where.

-> Three accounts, always different passwords for each account! Now you are much safer ;)

Original post: PASSWORD MANAGEMENT: how to protect yourself better without headaches

备案号:沪ICP备19003830号-4
PSB Logo 沪公网安备 31010502005140号