Computer security matters, especially when your company processes sensitive information. Most of us have heard about the LinkedIn breach: in 2016 it emerged that the 2012 intrusion had exposed over 164 million accounts, with passwords stored as unsalted SHA-1 hashes. The full scale became known only four years after the fact, when the data was put up for sale on the dark web. That should make you think about your own security measures. Here is how you can secure access to any online tool you need to protect.
Strong passwords: what are the common rules for setting them?
The best-known way to secure access to a network (your intranet, a platform your customers use, and so on) is a username and a password. You have probably set basic password rules for your company, such as: at least 8 characters, with uppercase, lowercase and special characters. If so, you are on the right track. Still, read on to understand the weaknesses of passwords built that way and how to make them stronger.
Longer passwords are better for computer security
Did you know that length matters more than complexity? A long password is harder to crack than a short complex one. Why? Each extra character multiplies the number of possibilities by the size of the alphabet, whereas forcing one symbol into an 8-character password adds only a few bits of work. Let's see this with the two most common attacks on passwords: brute-force attacks and dictionary attacks.
In a brute-force attack, the attacker tries every possible combination systematically, usually offline against a leaked list of password hashes, with tools such as hashcat that test billions of candidates per second on a GPU when the hash is a fast one such as unsalted SHA-1 or MD5. A longer password means the tool has to work through exponentially more candidates before it reaches the one you chose. It is simple math.
A dictionary attack tests lists of commonly used passwords (including words harvested from earlier breaches), hoping one of them matches your password. Cracking tools combine such lists with rule sets that apply the usual variations: capitalising the first letter, appending a digit or a year, and swapping letters for look-alike digits. Long passphrases are far less likely to appear in any list, so the risk that yours is in a dictionary is much lower, which is why they improve security, whether for a company or for your personal use.
Are you worried that you will not be able to remember a longer password? Let's check. Which of the following passwords would be easier for you to remember: “1AmY0urVeryL0ngPassw0rdThatY0uCanEas1lyRemember” or “4y*MQw”? You would probably say the first one, of course.
There is an easy trick to remember longer passwords: choose a sentence and transform it with a few fixed rules. In the example above, we replaced letters: every “I” became a 1 and every “O” became a 0 (zero). Bear in mind that cracking tools apply exactly these substitutions automatically, so a short dictionary word with a few swaps, such as “Passw0rd!”, still falls in seconds. The strength comes from the length and from the sentence being your own, not a well-known quote or song lyric. Pick a phrase nobody else would use, and you will never forget your password while keeping it strong.
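To make the two attacks above concrete, here is an added example (written for this edit, not code from the original article or from RingRing) that runs a small rule-based dictionary attack against constructed unsalted SHA-1 hashes and compares brute-force search spaces. The wordlist, the rule set and the "leaked" hashes are all constructed for illustration; real attacks use lists of hundreds of millions of leaked passwords and much larger rule files.

```python
import hashlib
import itertools
import math

# Constructed mini wordlist; real attacks use lists of hundreds of millions of
# leaked passwords (the LinkedIn dump itself, for instance) plus hashcat/John rule files.
WORDLIST = ["password", "welcome", "linkedin", "summer", "dragon"]

# Look-alike substitutions that every standard rule set already contains.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"}


def leet_variants(word):
    """Yield the word with every combination of the LEET swaps applied."""
    positions = [i for i, ch in enumerate(word) if ch in LEET]
    for r in range(len(positions) + 1):
        for combo in itertools.combinations(positions, r):
            chars = list(word)
            for i in combo:
                chars[i] = LEET[chars[i]]
            yield "".join(chars)


def candidates(wordlist):
    """Apply a small hashcat-style rule set: leet swaps, casing, common suffixes."""
    for word in wordlist:
        for variant in leet_variants(word):
            for cased in (variant, variant.capitalize(), variant.upper()):
                yield cased
                for suffix in ("1", "!", "123", "2012"):
                    yield cased + suffix


def sha1_hex(password):
    """Unsalted SHA-1, the scheme LinkedIn used: identical passwords hash identically,
    so one candidate hash is compared against every leaked hash at once."""
    return hashlib.sha1(password.encode()).hexdigest()


def dictionary_attack(target_hashes, wordlist):
    """Return {hash: plaintext} for every target hash recovered with the rule set."""
    remaining = set(target_hashes)
    found = {}
    for cand in candidates(wordlist):
        digest = sha1_hex(cand)
        if digest in remaining:
            found[digest] = cand
            remaining.discard(digest)
            if not remaining:
                break
    return found


def keyspace_bits(length, alphabet_size):
    """Bits of work for an exhaustive brute force: log2(alphabet_size ** length).
    This is an upper bound; a sentence that appears in a quotes wordlist has far less."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Constructed "leak": two dictionary words with substitutions and the article's long passphrase.
    leaked = [sha1_hex(p) for p in ("Passw0rd!", "L1nked1n2012",
                                    "1AmY0urVeryL0ngPassw0rdThatY0uCanEas1lyRemember")]
    cracked = dictionary_attack(leaked, WORDLIST)
    print(f"cracked {len(cracked)} of {len(leaked)} hashes: {sorted(cracked.values())}")
    print(f"6 printable chars: {keyspace_bits(6, 94):.0f} bits; "
          f"47 alphanumerics: {keyspace_bits(47, 62):.0f} bits of brute-force work")
```

The two substituted dictionary words are recovered with a few hundred hash computations; the long passphrase is not in the list and would need an exhaustive search far beyond what the six-character password offers. Note that the attack only works this cheaply because the hashes are unsalted and fast; a salted, slow hash such as bcrypt would force the attacker to repeat the work per user and per candidate.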
Use unique passwords and change them when they are compromised
Most users reuse the same password on several websites to remember it more easily. Some of your co-workers probably use their professional password for their personal social media accounts, their e-mail inbox and so on. So if that password leaks from a website with weaker security than yours, whoever finds it holds the key to the user's entire online identity and can log in to every site where it was reused, including yours (this is known as credential stuffing). The defences are a unique password per site, ideally generated and stored by a password manager, and checking new passwords against lists of known-breached passwords so that a leaked one cannot be chosen in the first place. If the password protects very sensitive information, do not rely on the password alone; add a second factor as described below.
Do you remember the LinkedIn story from the beginning of the article? Forcing everyone to change passwords every three months was long the standard advice, but current guidance (NIST SP 800-63B) recommends against routine rotation: users respond with predictable increments such as “Summer2023” to “Summer2024”, which cracking rule sets try first. What does help is changing a password immediately when it is known to have been exposed (the right response to the LinkedIn disclosure was to reset every affected account at once), and preventing the reuse of earlier passwords within your company, so that a previously leaked password cannot come back into service and hand the attacker access again.
But even a strong, unique password can be captured by phishing or malware, giving an attacker temporary access to your data. So how do you implement security rules that still protect your sensitive data in that case?
One-time password & multi-factor authentication for extra computer security
If you process sensitive data, an extra security layer is worth considering. The idea is to confirm the user's identity over a second channel, separate from the web session in which the password was entered, so that a stolen password alone is not enough. Since almost everyone has a smartphone, the mobile network is the easiest second channel to use. Be aware that SMS has known weaknesses (SIM swapping, SS7 interception, and codes readable on a locked screen); NIST SP 800-63B classes it as a restricted authenticator, so an authenticator app or hardware token is preferable where you can deploy one.
One-time password (OTP) for better computer security
As the name says, a one-time password is a password that can be used only once to log into a system. It is either generated by a device or app the user owns (typically a time-based code, TOTP as specified in RFC 6238, where the app and the server share a secret and derive the same six-digit code every 30 seconds) or sent by SMS when the user tries to log in. The user then enters the received code on the website. This quick and efficient mechanism confirms that the person logging in has the device.
As you can imagine, attackers will also go after the one-time password mechanism itself and try to predict the next code. Several precautions apply when generating codes. First, codes sent by SMS must come from a cryptographically secure random generator, not a counter or a plain pseudo-random generator seeded from the clock; app-generated codes must derive from a secret the attacker cannot learn. Either way, the next code cannot be inferred from previous ones.
Also, since each code is meant to be used once, limit its validity in time: a few minutes for an SMS code, one 30-second step (plus a small tolerance for clock drift) for an app-generated one. An intercepted code is then useless once it has expired. Equally important is limiting the number of attempts: a six-digit code has only one million possibilities, so without a lockout after a handful of wrong guesses an attacker can simply try them all.
Finally, never store the one-time password in clear text: the server holding the pending codes can itself be compromised, which would make the extra layer useless. Store only a keyed hash of the code together with its expiry and attempt counter, delete it as soon as it has been used, and keep it out of application logs.
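The three rules above (unpredictable codes, a time limit and a guess limit, no clear-text storage) fit in one small server-side component. The following is an added example written for this edit, not RingRing's solution or code from the original article; the table is an in-memory dictionary, the SMS gateway is left out, and the injectable clock, key and limits are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6
OTP_TTL_SECONDS = 120      # assumed validity window for an SMS code
MAX_ATTEMPTS = 5           # assumed guess limit before the code is discarded


class OtpStore:
    """One pending code per user. Only a keyed hash of the code is kept, never the code."""

    def __init__(self, server_key, clock=time.time):
        self._key = server_key          # secret kept outside the database (KMS, env, HSM)
        self._clock = clock             # injectable for testing
        self._pending = {}              # user_id -> (tag, expires_at, attempts)

    def _tag(self, user_id, code):
        # HMAC rather than a bare hash: a dump of the table cannot be brute-forced
        # over the 10^6 possible codes without also stealing server_key.
        return hmac.new(self._key, f"{user_id}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, user_id):
        """Generate a fresh code from the OS CSPRNG and record its tag, expiry and attempt count.
        Return the clear-text code only to hand it to the SMS gateway; do not log it."""
        code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        self._pending[user_id] = (self._tag(user_id, code), self._clock() + OTP_TTL_SECONDS, 0)
        return code

    def verify(self, user_id, code):
        """True exactly once, for the right code, before expiry, within the attempt budget."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        tag, expires_at, attempts = entry
        if self._clock() > expires_at or attempts >= MAX_ATTEMPTS:
            del self._pending[user_id]          # expired or exhausted: must request a new code
            return False
        if hmac.compare_digest(tag, self._tag(user_id, code)):
            del self._pending[user_id]          # single use
            return True
        self._pending[user_id] = (tag, expires_at, attempts + 1)
        return False


if __name__ == "__main__":
    store = OtpStore(secrets.token_bytes(32))
    code = store.issue("alice")                 # would be sent by SMS
    print("first use accepted :", store.verify("alice", code))
    print("replay accepted    :", store.verify("alice", code))
```

Rate limiting belongs at two levels: the per-code attempt counter shown here, and a per-user and per-IP limit on how often new codes may be issued, otherwise an attacker can use your system to send unlimited SMS messages to a victim.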
RingRing provides a full one-time password solution to its customers. The one-time password is delivered directly to the user without passing through the company's own systems, so that if the company's authentication server is compromised the codes are not, since they are not stored on the same servers. This greatly reduces the risk of an outsider gaining access to your data.
Multi-factor authentication for the best possible security
Using the mobile network as a second channel is a good way to avoid problems during authentication. But what if a user's phone is physically stolen? The data could still be compromised. To cover that situation, the best solution is to implement multi-factor authentication.
Multi-factor authentication verifies the user's identity in more than one independent way. The basic rule is to check something only the user knows and something only the user has (a third category, something the user is, covers biometrics). So you can require every user to have a strong password as described above and combine it with a one-time password. That way you verify something the user knows (the personal password) and something the user has (the smartphone).
To reach the data, the attacker needs both the user's physical device and the user's password. That is far harder than obtaining either one, and most attackers will move on to a less well protected target. Keep in mind that a real-time phishing page can still relay both the password and the one-time code to the genuine site while the code is valid, which is why the time limit and attempt limit discussed above matter; for the most sensitive access, a phishing-resistant factor such as a FIDO2 security key is the strongest option.