Secure your employees personal accounts

I have been delivering some security architecture work and programme security to a client on a sensitive programme.

Recently I was chatting to some members of the team and realised that some of them might appreciate some help with securing their personal digital lives.

As this was a potential attack vector into the programme I saw it as a way of helping me by helping them. This was all given as advice for their personal life and none of it was mandatory. It was given with the health warning that it was not to encourage the team to use home computers for business (which was against policy for obvious reasons).

The key messages are: Don’t reuse passwords and use strong passwords.

A good place to go if you want to hack someone’s e-mails is HaveIBeenPwned Troy Hunt runs this service by gathering all the data breaches ever released and making them searchable for users to check. Here you can see if your email and password has been released as part of a data breach and for free Troy will monitor your email address and tell you if it is ever breached. An attacker will find the breach, download it, and find your email address and try the password. They will also try minor variations of the password because they know some people just change a digit or two. They can also add the name of the service.

But I have so many accounts to remember

I recommend the use of a password manager for all your passwords. This way you can use a different password for every service. There are three real options here.

  1. A notebook works but is the most time consuming.

  2. If you are an Apple user for everything the IOS Key chain is good. Google Chrome is less platform specific (ie you can have on a Windows computer at home and on your phone). This makes life easier than carrying around a notebook which you could lose. Chrome and Keychain are a bit fiddly to get the password if it cannot automatically put it in for you.

  3. The easiest method you have to pay for and that is a Password Manager such as 1Password. Other Password managers are available, some are better than others. 1Password syncs across all your devices so you can access all your passwords and enter them easily without too much hassle. 1Password has also integrated with haveibeenpwned to tell you if any of your passwords appeared online.

How do I make a secure password to secure my password manager?

Passwords that are less than 11 characters can be discovered by an attacker checking every possible combination on a fast computer in a reasonable amount of time. A weak password can be discovered in seconds especially if it is a word or close to a word. The longer or more unusual your password is the harder it is to crack. The best way to make a strong password is to use a sequence of three random words that you can remember. You can add special characters to make it even stronger. Edward Snowden, who had reason to develop strong passwords, recommended “Thatcher is 110% sexy” as a password that you will never forget and no one will crack.