Log-in credentials matter, and so does the management of those credentials. Regardless of role, people are generally the first line of defense in cyber security, and individuals are in charge when it comes to passwords. You work to satisfy the password strength rules, and then comes the suggestion to change passwords every 90 days. An arduous task for many.
Enter pass phrases. A pass phrase, a small group of words strung together, is far easier to remember and brings noteworthy security benefits. Length exponentially increases the effort it takes to crack a password. Calculate the possible combinations for this phrase: “King Arthur Court was a court but it is no more.” That’s 3737 – a far bigger challenge for attackers than a shorter password. When creating a pass phrase, length and unpredictability are key, as is rarity. Don’t use a favorite song lyric or a favorite Hemingway quote. Pick something esoteric.
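To make the "length is exponential" point concrete, here is an added worked example (not code from the article) that computes the search space of a secret in bits and the expected time to exhaust half of it at an assumed guess rate. The guess rate, the 95-symbol printable alphabet, the 27-symbol letters-plus-space alphabet and the 7776-word vocabulary are all assumptions chosen for illustration; the letter count of the article's phrase is computed from the phrase itself.

```python
import math

# Assumed guess rate for an offline attack on a leaked fast hash. This figure is a
# constructed illustration, not a measurement from the article.
GUESSES_PER_SECOND = 1e10

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def search_space_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of `length` symbols chosen uniformly at random from
    `alphabet_size` possibilities, i.e. log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Expected time to hit a uniformly random secret: on average half of the
    2**bits candidates must be tried before the right one turns up."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def years(seconds: float) -> float:
    """Convert seconds to years for human-readable output."""
    return seconds / SECONDS_PER_YEAR


def passphrase_bits(word_count: int, vocabulary_size: int) -> float:
    """Word-level entropy of a pass phrase whose words are drawn at random from a
    list of `vocabulary_size` words. This is the honest estimate for a phrase
    built from dictionary words; per-character counts overstate it."""
    return search_space_bits(vocabulary_size, word_count)


def letter_count(phrase: str) -> int:
    """Number of alphabetic characters in a phrase (spaces and punctuation excluded)."""
    return sum(1 for c in phrase if c.isalpha())


def compare(label: str, bits: float) -> str:
    """One report line: label, entropy in bits, expected crack time in years."""
    return f"{label:<44} {bits:6.1f} bits  ~{years(expected_crack_seconds(bits)):.3g} years"


if __name__ == "__main__":
    phrase = "King Arthur Court was a court but it is no more."
    words = len(phrase.split())          # 11 words
    letters = letter_count(phrase)       # 37 letters
    print(compare("8 chars from 95 printable ASCII symbols", search_space_bits(95, 8)))
    print(compare("12 chars from 95 printable ASCII symbols", search_space_bits(95, 12)))
    # Word-level estimate: the phrase's 11 words, each picked from a 7776-word list.
    print(compare(f"{words} random words from 7776-word list", passphrase_bits(words, 7776)))
    # Character-level upper bound: 37 letters, case-insensitive (26 symbols).
    # Real English phrases are far less random than this bound suggests.
    print(compare(f"{letters} random letters (26 symbols)", search_space_bits(26, letters)))
```

Doubling the length of a random secret squares its search space, which is why the expected crack time for the longer entries jumps by many orders of magnitude rather than merely doubling; the word-level line is the figure to trust for a phrase made of ordinary words.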
Along with a move to pass phrases, make sure you use different credentials on every website. If a hacker breaks into your Google account and learns that password, it can potentially be used to log into every other account that shares it. Think: how many websites have your credentials stored? Take the case where you bought a one-off gift from a shopping site. You never went back, but the company failed to store your password as a cryptographic hash. Now your password is out, and so begins the criminal art of credential stuffing [2], the automated injection of stolen username and password pairs into login forms to gain access to accounts.
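The shop in that scenario should have kept only a salted, slow cryptographic hash of each password, so that a stolen database does not hand attackers the reusable plaintext. The following is an added example (not code from the article) of that practice using PBKDF2-HMAC-SHA256 from Python's standard library, with a per-user random salt and a constant-time comparison on verification. The record format, the iteration count and the user store are assumptions constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256. The value is an assumption chosen for
# illustration: tune it so one hash costs a noticeable fraction of a second on
# your own hardware, and raise it as hardware gets faster.
ITERATIONS = 600_000
SALT_BYTES = 16


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$derived_key.
    A fresh random salt per user means two users with the same password get
    different records, so a precomputed table cannot be reused across them."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${_b64(salt)}${_b64(dk)}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derived key from the stored salt and parameters and compare
    in constant time, so the check leaks nothing about how many bytes matched.
    Malformed or foreign records are rejected rather than raising."""
    try:
        algo, iterations_s, salt_b64, dk_b64 = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
        iterations = int(iterations_s)
    except ValueError:
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected)
    )
    return hmac.compare_digest(dk, expected)


def build_store(users: dict, iterations: int = ITERATIONS) -> dict:
    """Build the only thing the site should persist: username -> hashed record.
    `users` maps usernames to plaintext passwords and exists only to seed the demo."""
    return {name: hash_password(pw, iterations) for name, pw in users.items()}


def login(store: dict, username: str, password: str) -> bool:
    """Server-side login check against the hashed store."""
    record = store.get(username)
    return record is not None and verify_password(password, record)


if __name__ == "__main__":
    # Constructed demo accounts, not real credentials. Note that alice and bob
    # chose the same password yet their stored records differ because of the salt.
    store = build_store({"alice": "correct horse battery staple",
                         "bob": "correct horse battery staple"})
    for name, record in store.items():
        print(name, "->", record)
    print("alice, right password:", login(store, "alice", "correct horse battery staple"))
    print("alice, wrong password:", login(store, "alice", "wrong"))
    print("unknown user:", login(store, "carol", "anything"))
```

A breach of `store` leaks only salts and derived keys; each record must be attacked separately at the full iteration cost, which is exactly the barrier the article's shop failed to put in front of the passwords it held.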
To #BeCyberSmart:
Use pass phrases. Get a password manager.
A password manager will help you remember your log-in credentials while maintaining security. For sensitive accounts, e.g., banking, create a pass phrase. Allow the password manager to create randomly generated passwords for other accounts and do not change your credentials unless you are alerted to a breach.
Enable MFA.
Multi-factor authentication is a must. If it’s offered, use it, and realize that not all MFA is equal. A text message to a phone is not as secure as a code generator. A security key is recommended for authenticating log-in to your password manager or bank. And while biometrics are convenient, you wear your biometric “code” in the open, every day. It can be captured, and unlike a password it cannot be changed once it is.
Secure account recovery settings.
Look at your account recovery options across key accounts. When answering security questions, use a random pass phrase instead of the true answer. For example, if your high school mascot is a recovery question, do not enter “Bulldogs.” That information is easy to find.
Making smarter decisions can help keep our interconnected world more secure.
[1] Cost of a Data Breach Report 2022, IBM
[2] Credential stuffing, OWASP Foundation