As today is "Change Your Password Day", we took time to sit down with our CTO, Sven Ropers, to gain insights into why this day is so important. With his expert knowledge in domain systems, we thought Sven would be the perfect person to talk to about password security.
If you're anything like me, you don't pay too much attention to your passwords and how secure they are (or aren't). Read my Q&A with Sven to learn why it's important for the average person to have a strong password, what constitutes a strong password, tips and tricks for setting and managing passwords, and much more. I know I'll be taking some time to update my passwords!
What are your thoughts on "Change Your Password Day"?
I love the concept of "Change Your Password Day"!
I find that security is only ever discussed when there is an incident or an issue; however, in order to be proactive, it's important to address your security before it becomes an issue. Similar to backup solutions, I find that most people realize they should have done something when it's already too late.
Can you explain to us the importance of this day?
I believe that "Change Your Password Day" should be a reminder for anyone who uses online accounts or services, as well as offline credentials (a desktop computer or a laptop) to take some time and reflect on their security. This day should not be limited to simply changing your password, it should also be a time to reflect on additional security measures or potential risks to unauthorized access, and the potential damage this would cause.
If there's a concrete risk that your logins or passwords were exposed to third parties, such as a lost paper with credentials, or accidentally pasting your password to a website, it's imperative that you immediately change your password.
It's also the perfect day to evaluate your passwords and reconsider any weak passwords you currently use.
Why is it important for the average person to have a strong password?
A strong password provides protection.
With the current technology, a potential attacker is able to try out thousands of different passwords within a second! In order to gain a certain level of security, you need to raise the bar and make it more difficult for an attacker to guess your password by trial and error.
Another reason to choose a strong password is the risk of the computer systems of your service provider being compromised. Almost every week we hear news about how usernames and passwords are stolen. Usually, passwords are encrypted using a one-way encryption algorithm which hides the real password from the attacker. However, experience has taught these attackers how to easily reconstruct the weaker passwords.
What is considered a weak password?
There are many passwords that can be considered weak. Below are some examples:
- Short passwords can be considered weak as it's possible for an attacker to simply try all possible combinations.
- Any password that is commonly used by individuals is a weak password. In this list of top 10 German passwords (which can be applied worldwide), we find that some of the most popular passwords are simple ones like "123456" or "11111".
- Transliterations, such as "passw0rd", are also commonly used, and therefore are considered weak.
- All words that can be found in a dictionary.
Can you give us some tips on choosing a strong and secure password?
Definitely! Some of my tips are listed below:
- Passwords should be long, ideally 15 characters or more.
- They should not be commonly used and should not be found in a dictionary.
- Even though it's convenient, you should not use the same password for different services. You can use a password manager to store and protect your different passwords, but be aware that this will be your Achilles' heel since such applications are a special target for hackers. If the application has any weaknesses, it can be used to gain access to all of your passwords.
- You should add at least one extra security factor, such as 2-factor authentication or IP address restriction.
- If you become aware that your password was revealed or one of your accounts was compromised, you should change your password immediately.
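The weakness criteria Sven lists (too short, on a common-password list, a transliteration such as "passw0rd", or a plain dictionary word) and his 15-character guideline can be turned into a simple server-side check. The following is an added example, not code from the interview or from HEXONET; the common-password and dictionary lists are tiny constructed samples standing in for the large breach-derived lists a real deployment would load.

```python
"""Password-weakness check built from the criteria in the interview:
too short, on a common-password list, a leetspeak transliteration of a
dictionary word, a dictionary word, or a dictionary word padded with digits
or symbols. Added example; the word lists are constructed samples."""
import re

MIN_LENGTH = 15  # minimum length recommended in the interview

# Constructed sample lists. A real deployment loads a breach-derived
# common-password list and a full dictionary instead.
COMMON_PASSWORDS = {"123456", "11111", "password", "qwerty", "letmein"}
DICTIONARY_WORDS = {"international", "carshow", "password", "summer", "dragon"}

# Undo the usual character substitutions so "passw0rd" maps back to "password".
LEET_MAP = str.maketrans(
    {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
     "@": "a", "$": "s", "!": "i"}
)


def normalize(candidate: str) -> str:
    """Lower-case the candidate and reverse common transliterations."""
    return candidate.lower().translate(LEET_MAP)


def weaknesses(candidate: str) -> list[str]:
    """Return every reason the candidate counts as weak; an empty list means none found."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")

    lowered = candidate.lower()
    norm = normalize(candidate)
    if lowered in COMMON_PASSWORDS or norm in COMMON_PASSWORDS:
        reasons.append("on the common-password list")

    if norm != lowered and norm in DICTIONARY_WORDS:
        reasons.append("transliteration of a dictionary word")
    elif norm in DICTIONARY_WORDS:
        reasons.append("dictionary word")

    # "summer2024!" is still just a dictionary word once the padding is removed.
    stripped = re.sub(r"[^a-z]", "", lowered)
    if stripped != lowered and stripped in DICTIONARY_WORDS:
        reasons.append("dictionary word padded with digits or symbols")
    return reasons


def is_acceptable(candidate: str) -> bool:
    """Convenience wrapper: True only when no weakness was detected."""
    return not weaknesses(candidate)


if __name__ == "__main__":
    for pw in ["123456", "passw0rd", "summer2024!", "correct battery staple horse"]:
        print(f"{pw!r}: {weaknesses(pw) or 'no weakness found'}")
```

The leetspeak reversal is the part most checkers forget: a rule that only consults the raw string treats "passw0rd" as a different, acceptable password, while an attacker's wordlist mangling rules generate exactly that variant.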
What additional security measures do you recommend?
Especially if you require your password to protect something of value (for example, your domain names), you should ensure that at least a second factor is being used as an additional measure.
When you enable 2-factor authentication, whenever you access your account, an additional one-time password (token) is required. It will typically be created by an application on your cell phone. This way, even if your login name and password are known to an attacker, a login will not be possible because they don't have access to the token.
If you access a system in an automated fashion (for example, via an API from a dedicated server), you should use dedicated credentials and limit the access to a certain set of IP addresses. Access to your account is only granted if the request is being sent from one of your pre-determined IP addresses.
Your online privacy is important to us! For this reason, HEXONET offers both 2-factor authentication and IP address restriction.
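The two extra factors described above, a phone-generated one-time token and an IP address restriction for automated API clients, look like this on the verifying side. This is an added example using only the Python standard library, not HEXONET's implementation; it assumes the token is a standard RFC 6238 TOTP (HMAC-SHA1, 30-second steps, 6 digits), and the secret, client addresses and allowlist are constructed values. The RFC 6238 reference secret is used so that the output can be checked against the published test vectors.

```python
"""Server-side verification of a TOTP token (RFC 6238 over RFC 4226 HOTP)
and of an IP-address allowlist for automated API access. Added example;
secret, addresses and allowlist are constructed."""
import hashlib
import hmac
import ipaddress
import struct

TOTP_STEP = 30     # seconds per token, the common default
TOTP_DIGITS = 6
TOTP_WINDOW = 1    # accept one step of clock drift on either side


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // TOTP_STEP)


def verify_totp(secret: bytes, submitted: str, unix_time: int) -> bool:
    """Constant-time comparison against the current step and its neighbours."""
    counter = unix_time // TOTP_STEP
    return any(
        hmac.compare_digest(hotp(secret, counter + delta).encode(), submitted.encode())
        for delta in range(-TOTP_WINDOW, TOTP_WINDOW + 1)
    )


def ip_allowed(client_ip: str, allowlist: list[str]) -> bool:
    """True only if the client address lies inside one of the allowed networks."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # malformed address is never allowed
    return any(addr in ipaddress.ip_network(net, strict=False) for net in allowlist)


def authorize_api_request(secret: bytes, token: str, unix_time: int,
                          client_ip: str, allowlist: list[str]) -> bool:
    """Both extra factors must pass; the password itself is assumed verified earlier."""
    return ip_allowed(client_ip, allowlist) and verify_totp(secret, token, unix_time)


if __name__ == "__main__":
    # RFC 6238 reference secret (ASCII "12345678901234567890"); real secrets are random bytes.
    secret = b"12345678901234567890"
    print(totp(secret, 59))  # RFC 6238 test vector: 287082 (SHA-1, 6 digits)
    allow = ["203.0.113.0/24"]  # constructed allowlist (documentation range)
    print(authorize_api_request(secret, "287082", 59, "203.0.113.10", allow))
```

The IP check runs first because it is cheap and rejects most unwanted traffic before any secret is touched; a one-step verification window tolerates the clock drift of a phone app without widening the guessing space much beyond the single current token.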
What do you think is the best way to keep your passwords safe?
The best way to keep your passwords safe is to memorize them. Here are some tips to make your life a little easier:
- Use passphrases instead of passwords. Choose to use a whole sentence! Make sure you choose something funny or out of the box, and don't lean on a phrase that is very common.
- Use two words and merge them together by alternating each character. For example, "International Carshow" would be "ICnatresrhnoawtliaon".
What should be taken into consideration for a password of a domain registrar?
One password protects access to your whole portfolio of domains. While some customers manage only one, or a few domains, others manage thousands! If an attacker gets their hands on the password to a user account, the whole portfolio is at risk. Domains can be switched off, ownership of domains can be changed, and domains can be transferred away!
The account user needs to ensure their password is strong, secure and protected. Take time to look into your current password. Is it strong? Make sure you take advantage of additional security measures and switch on 2-factor authentication and IP address restriction.
What other security tips do you have for the public?
"Change Your Password Day" is a great opportunity to take the time and reflect on your security. Reconsider existing security measures, and consider additional ones you can take.
These considerations should not be limited to one day a year. Keep your eyes and ears open for security-related news. What are your personal worst case scenarios? Use these as a push to put effort into keeping your passwords safe and secure.
Last, but not least, don't hesitate to ask if you have further questions or concerns about security. We're here to help!