Password: getting the basics right

During the last week I had the opportunity to present a number of cyber security sessions for staff ahead of the start of the new academic year. This is part of a programme of awareness development. This year I have made a change in presenting the sessions as something related to our online activities in general, such as in our private lives, as opposed to something focussed on school systems and data. I think this is an important change, in that good cyber practices in staff and in students protect them in everyday interactions online, whether or not these relate to school accounts and data. One of the key discussion points in the session is that of passwords, which still remain the key method of confirming our identity when accessing online systems and data, whether these are the school MIS or personal email or social media accounts.

When we create our passwords for online services we are almost always presented with the requirement to include an uppercase character, a number and a special character. One of the things I ask in my cyber sessions is for attendees to think about a password they use and whether it includes an uppercase character; invariably, due to so-called "password strength" requirements, an uppercase character is included. I then, however, ask if this character happens to be the first character. Largely this is the case, and unsurprisingly so, given this is how we write, with the capital at the start of a sentence. I then ask about numbers, and whether they have included a number in their password. Again, invariably this is the case due to password strength requirements; however, I follow this up with a question as to whether the number is the last character, and again this tends to be true. The point I am trying to prove in my session is that as human beings we have a tendency towards being predictable.

From a cyber crime point of view, the more predictable we are the easier we are to hack. If we use common passwords, if we use passwords linked to public information criminals can easily access, and even if we use common patterns such as having the capital letter at the start and the number at the end, all of this makes hacking all the easier. The more unpredictable or random our passwords are, the more secure we will be. This is why the NCSC's guidance on three random words works so well. It creates a password with randomness built in; the "random" part of three random words. Yet the resultant password is still easy for us to memorise, since we simply need to remember three words. The other key factor is that it generally produces a password longer than we would normally create, and a password's strength, from the point of view of cracking a password leaked as part of a data breach, is directly linked to its length. The longer a password is, assuming it is random and not predictable, the stronger it is. And this is one of the key points I make in my sessions: the biggest indicator of password strength, again assuming the password isn't predictable, is its length.
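The two habits described in the session (the only capital letter sitting at the start, the only digits sitting at the end) and the length-versus-complexity argument above can both be made concrete in a few lines. The script below is an added illustration written for this page; it is not code from the author or from the NCSC guidance. The word list is a constructed twelve-word sample, the 7,776 figure is the size of the EFF long word list used for real word-based passphrases, and the "search space" figure is a deliberately naive upper bound (length times log2 of the alphabet in use), which is exactly why a predictable password scores far better on it than it deserves.

```python
import math
import secrets
import string

# Constructed mini word list for the demo. A real passphrase generator would
# load a large public list such as the EFF long word list (7,776 words); the
# entropy helper takes the list size as a parameter for that reason.
SAMPLE_WORDS = [
    "harbour", "pencil", "cactus", "window", "kettle", "marble",
    "falcon", "saddle", "thimble", "lantern", "orchard", "velvet",
]


def habit_flags(password: str) -> list:
    """Flag the two predictable habits discussed above: the only capital
    letter is the first character, and the only digits are a run at the end."""
    flags = []
    if password[:1].isupper() and not any(c.isupper() for c in password[1:]):
        flags.append("capital-first")
    core = password.rstrip(string.digits)
    if len(core) < len(password) and not any(c.isdigit() for c in core):
        flags.append("digit-last")
    return flags


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must assume, judged only from which
    character classes actually appear in the password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # the 32 ASCII punctuation characters
    return size


def search_space_bits(password: str) -> float:
    """Naive upper bound on guessing effort: length * log2(alphabet size).
    A dictionary word with a capital at the front and a digit at the end is
    guessed far more cheaply than this number suggests; it only shows how
    quickly length outgrows character-class 'complexity'."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def random_words_bits(n_words: int, list_size: int) -> float:
    """Entropy of n words each chosen uniformly at random from a list."""
    return n_words * math.log2(list_size)


def three_random_words(words=SAMPLE_WORDS, separator: str = "-") -> str:
    """Build a three-word passphrase using the OS CSPRNG, never random.choice."""
    return separator.join(secrets.choice(words) for _ in range(3))


if __name__ == "__main__":
    for pw in ("Password1", "Summer2024", three_random_words()):
        print(f"{pw:28} len={len(pw):2} habits={habit_flags(pw)} "
              f"naive bits<={search_space_bits(pw):.1f}")
    print("8 chars, every class     :", round(search_space_bits("Abc123!x"), 1))
    print("16 chars, lowercase only :", round(search_space_bits("a" * 16), 1))
    print("3 words, 7,776-word list :", round(random_words_bits(3, 7776), 1))
```

Running it shows a 16-character lowercase-only password out-scoring an 8-character password drawn from all four character classes (about 75 bits against 52), and three words from the 7,776-word list giving roughly 39 bits of genuine randomness while producing something much easier to remember than either.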

I also highlight the risks related to password re-use, using the story of a staff member I knew who fell for a phishing email, resulting in them disclosing their Apple ID email and password. When they came to me, the first suggestion I made was to use the recovery functionality, which would result in an email to the email account linked to the Apple ID. It was at this point that the staff member found they couldn't access the personal email account they had used either. The criminals, upon getting the Apple ID credentials, had tried the password with the email account and found it worked. They then promptly changed the passwords on the email account and the Apple ID, thereby locking the staff member out. This story perfectly illustrates why we shouldn't re-use passwords, or at least why we should avoid re-using passwords with services which are important to us or which hold high-value or sensitive data. It is at this point that I mention the use of Multi-Factor Authentication as a valuable tool for protecting accounts, plus the use of password managers to help manage the increasing number of passwords we all now have.

Passwords continue to be a key feature of our efforts to protect our online accounts, our data and our online digital footprint and profile. Appropriate care in relation to passwords is one of the key basics we all need to get right if we are to reduce the risk of a cyber incident and/or minimise the damage when an incident happens. It isn't a fun, sexy or particularly technical method of protecting ourselves online; however, it is something we all just need to consider and get right.

Author: Gary Henderson

Gary Henderson is currently the Director of IT in an Independent school in the UK. Prior to this he worked as the Head of Learning Technologies working with public and private schools across the Middle East. This includes leading the planning and development of IT within a number of new schools opening in the UAE. As a trained teacher with over 15 years working in education, his experience includes UK state secondary schools, further education and higher education, as well as experience of various international schools teaching various curricula. This has led him to present at a number of educational conferences in the UK and Middle East.