Why you need to take password security seriously
Recently we reported on ‘COMB,’ the combination-of-all-breaches hack that exposed over 3.2 billion account details. Passwords and email addresses for a huge number of accounts were posted on a hacker forum for other attackers to use. Affected providers include Gmail, Hotmail, Yahoo, LinkedIn, and other big names.
If you asked Namecheap, we’d tell you it’s good practice to get into the habit of changing passwords every one to three months. Why? Username, email, and password credentials have been exposed in quite a few major breaches of late. Last year, the SolarWinds attack, which involved 200 major government organizations, was described as ‘classic espionage done in a highly sophisticated way’.
Now maybe you and your life are not the targets of state-sponsored espionage, but if your business, clients, or personal accounts are hacked, you can certainly experience harm. As happened with COMB and SolarWinds, details posted on hacker forums exposing many accounts cause a kind of shark-feeding frenzy as other threat actors mop up the spoils.
And their agendas differ. Hacker groups have various goals in mind: they might hack out of desperation for financial gain, want information on your business or your clients, or do it purely for the thrill of the skill. One thing is for sure: personal account hacks are on the rise.
For all of us, it’s frightening when hackers find ways around password systems and expose weaknesses. If you discover any accounts or client accounts are part of a breach, you must immediately change these passwords. You can also try to future-proof your password security—a crucial frontline defense for any business—and get ahead of the hackers.
Here’s what you can do to improve your passwords and reduce your chances of getting hacked.
Change it up
To change passwords regularly, let’s review a few easy ways to keep control of all your personal and business accounts.
But first, let’s try this. Think about where you store all the details. Find the device — or a notepad if you’re ‘old school’ — and gather all of your passwords, emails, and username combinations, even for those long-forgotten client websites that you used a while ago.
What’s in front of you now? You’d be typically looking at more than 200 passwords and thinking it’s going to take soooooo long to change them all.
But don’t worry, help is at hand.
Apply Password 101
The sheer number of passwords you need to remember makes a good password manager a sensible first step and a top recommendation when chatting with your clients.
There are various password managers on the market. Still, it’s worth a check to see if a password manager is included free with another service, such as the following anti-virus companies:
The benefits password managers offer include remembering your passwords and usually a tie-in to breach services to notify you if your credentials have appeared in a known hack. Also included are password generators which suggest strong, secure passwords. If you or anyone wants a stand-alone product (so you aren’t tied into another subscription service), some paid-for password managers to explore include:
Don’t save in a browser
Sage advice recommends not saving any passwords in a browser. Browsers tend not to encrypt stored password information, leaving passwords vulnerable to clear-text theft. They also don’t remind you to change passwords regularly. And while it is true that browser vendors identify vulnerabilities quickly and release security patches, those patches only help if you regularly update your browser.
Browser privacy and password security are two different things, but it’s worth saying: there’s no harm in reducing the amount of data stored about you on the web that a hacker could find. You or your clients might try out more privacy-oriented browsers such as Tor Browser, DuckDuckGo, or Brave, and for even more browser privacy, invest in a quality VPN service; Namecheap’s VPN is worth a look.
To safeguard you and your clients from hacks, here’s our essential password security advice:
- Install a password manager
- Store passwords into the password manager when prompted
- Deactivate browser password saving
- Change passwords every one to three months
Next? No ifs, no buts
Recommend that clients use two-factor authentication (2FA). Most of us feel confident our passwords are secure, but adding 2FA is another way to thwart hackers using stolen credentials. 2FA is best thought of as adding something you have (another device) to something you know (the password); it keeps accounts more secure because a second step is always required, so a stolen password alone is not enough to log in.
If 2FA is offered by a website or password manager you subscribe to, it’s wise to take it up.
For example, Namecheap offers some of the most advanced 2FA methods on the market: U2F (Universal 2nd Factor), TOTP (Time-based One-Time Password), OneTouch (push notifications to your phone), and SMS, where a code is sent in a text message to your phone.
For shopping and banking websites, a good tip is to install an authenticator app such as Authy or Duo, which will generate a time-based code you enter in addition to your password.
If you are looking to protect company systems for employee security, the Yubico YubiKey is an exciting innovation. This physical security key looks like a USB stick and is given to employees, who plug it into each device and, on models that support it, confirm their identity with a fingerprint.
Deal with old websites
We all use email accounts and passwords for personal reasons, and in business it’s a good idea to look back at old accounts you might still be linked to. Go through those 200 or so passwords discussed earlier. Do you want to keep archived client website logins? Or more personal ones, such as the password you used to buy a gift for a relative two years ago? How about the fashion site you worshipped in the noughties? Are older web accounts putting you at risk?
If you’ve re-used a password many times, you could be exposed to credential stuffing. A hacker takes those older username and password combinations and tries them across as many sites as possible, ‘stuffing’ them into login forms, in the hope of getting into one of your accounts with banking or e-commerce capabilities.
- Close any accounts you no longer need.
- Or, request a password change and install strong, unique passwords.
- Save any passwords you want to keep into your password manager.
- Enable 2FA if offered.
It’s worth mentioning not every website will offer 2FA, so changing your passwords is still the number one way to boost your protection against hackers.
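As an added illustration of what credential stuffing looks like from the defender’s side (example code, not from the original post), here is a small detector run over a constructed authentication log: it flags any source address that tries many distinct usernames in a short window with mostly failures, and lists which usernames nonetheless succeeded so those accounts can be reset first. The log format and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not from any real system): one login attempt per line
SAMPLE_LOG = """\
2021-03-01T10:00:01Z login FAIL user=alice src=198.51.100.7
2021-03-01T10:00:02Z login FAIL user=bob src=198.51.100.7
2021-03-01T10:00:02Z login FAIL user=carol src=198.51.100.7
2021-03-01T10:00:03Z login OK user=dave src=198.51.100.7
2021-03-01T10:00:04Z login FAIL user=erin src=198.51.100.7
2021-03-01T10:00:05Z login FAIL user=frank src=198.51.100.7
2021-03-01T10:05:00Z login FAIL user=alice src=203.0.113.9
2021-03-01T10:05:30Z login OK user=alice src=203.0.113.9
"""

LINE_RE = re.compile(r"^(\S+) login (OK|FAIL) user=(\S+) src=(\S+)$")

def parse_log(text: str):
    """Return (timestamp, succeeded, user, src) tuples; lines of another shape are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2) == "OK", m.group(3), m.group(4)))
    return events

def find_stuffing_sources(events, window_seconds=60, min_users=5, min_fail_ratio=0.6):
    """Flag sources that try >= min_users distinct names within window_seconds, mostly failing.
    A real user mistyping a password hits one username; stuffing sweeps through many."""
    by_src = defaultdict(list)
    for ts, ok, user, src in events:
        by_src[src].append((ts, ok, user))
    flagged = {}
    for src, evs in by_src.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):
            window = [e for e in evs[i:] if (e[0] - start).total_seconds() <= window_seconds]
            users = {u for _, _, u in window}
            fails = sum(1 for _, ok, _ in window if not ok)
            if len(users) >= min_users and fails / len(window) >= min_fail_ratio:
                flagged[src] = {"distinct_users": len(users), "attempts": len(window),
                                "failures": fails,
                                # accounts that accepted a reused password: reset these first
                                "compromised": sorted(u for _, ok, u in window if ok)}
                break
    return flagged
```

On the sample log, only 198.51.100.7 is flagged (six usernames in five seconds, one success), while the single user retrying from 203.0.113.9 is left alone.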
How to DIY passwords
Here’s how to create strong passwords for each online account:
- Passwords should be unique to each service.
- Passwords should be strong and complex. Some say uncommon or unlinked phrases that don’t relate to your actual life can work well if you need to remember a password. For inspiration, read How secure is my password?
- Passphrases can help you make a memorable password. The quirkier the phrase, the better. Special characters can help strengthen the password, replacing ‘e’ with the number ‘6’ or ‘s’ with ‘$’, for example. A phrase like ‘Why my cat sofa surfs’ can easily become ‘Wh/_my_c&t$0f&$urf$’. Keep the phrase long, though: length adds more strength than substitutions, which password-cracking tools also try.
- Memorable phrases drawn from home tasks, how to cook, a line from a song or film, your favorite plants, anything that makes for easy recall (but is unique), work well.
Want to focus on password security? Read Namecheap’s expert help on creating strong passwords.
Hide your list
You may use a notepad to list your passwords. This is fine. Just make sure you keep this safe from prying eyes and take into account the following:
- Avoid using the same password for multiple accounts.
- Make sure no one can access it in the house by keeping it out of sight.
The last one is especially relevant if someone manages to break into your house or if you do have people in your home from time to time (such as a contractor working on some DIY jobs).
Monitor if you’ve been hacked
Keep your eye on breaches. This handy checker on the Have I Been Pwned? website tells you if an email address has appeared in a known breach. If you discover any are at risk, the advice is to change those passwords immediately. This is a great site to share with your clients, too.
It’s important to stay vigilant where emails and passwords are concerned. We often use an email address as the primary account to verify or log in to other accounts. When someone gains access to a primary email, they can request password resets for that account and for any linked accounts.
If you get a reset request from a client’s primary account on file, you will send it, right? So it’s important to remind clients about password security and about watching for suspicious password reset requests arriving in their primary email accounts.
Explain to them that in the worst-case scenario, credential stuffing leads to being locked out of your own accounts. It can be tough and sometimes impossible to reclaim those accounts, depending on how you’ve set them up. Vigilance is key.
After updating password security, you or your clients might find it interesting to learn how people manage to grant access to their accounts legitimately if there’s ever a need. Last year, we had a popular blog discussing what happens to your accounts when you die. A key takeaway was the importance of password security and making plans for this if, for some reason, loved ones need access to your accounts.
Social engineering risks
There’s increasing sophistication in social engineering approaches from hackers. You might receive a text message with malware links, a telephone call to elicit password information, or be contacted in your workplace to trick you into taking a compromising action that affects your company or clients — to name a few.
Some excellent Namecheap blogs worth reading about social engineering include:
- The shadowy disguises of social engineering
- 5 ways to protect websites from social engineering
- The threat of social engineering via social media
Mind the scams
It is also a good idea to refresh everyone’s memory on the types of scams that can breach password and email address defenses. In general, to reduce the chances of being hacked:
- Practice good local security. Scan PCs/Macs regularly for malware. This malware often sits quietly in the background, waiting to capture a website login and the credentials used, sending them back to the hacker’s home base.
- Make it harder for hackers to obtain username/password combinations. Ensure everyone checks that the websites they visit use encrypted (HTTPS) connections, shown by https:// in the address bar.
- A VPN can keep your connection safer. If you or your clients are partial to a Starbucks and use an unsecured, open Wi-Fi hotspot, ideally use a VPN to tighten up security further.
- Two-factor authentication stops bad guys in their tracks. Take advantage of 2FA options to protect all of your online accounts. And don’t forget to apply Namecheap’s free 2FA to protect your account with us. All passwords we store are encrypted, using the highest security encryption methods.
Make sure you keep up with password security
It’s crucial to change your passwords often and to pass on a gentle reminder to your clients to do so too. This article you’ve just read is a timely reminder of the risks any of us could experience due to major cybersecurity breaches.
As a trusted domain registrar, Namecheap runs many firewalls and intrusion detection systems to protect our customers. We constantly review our defense mechanisms. You can also read our expert help on creating strong passwords for great advice on securing your online world. Namecheap customers can also follow this simple guide to changing your Namecheap password. We recommend you do this every few months.
We hope this article has helped you to find the right balance for you and your clients — between enjoying easy, convenient access to your online life and keeping your password security as tight as you can make it.
I trust Namecheap in domain-related stuff but I was horrified at how this article does not even mention Bitwarden, easily the best password manager! It’s open source, end-to-end encrypted, third-party audited, includes a strong password generator and is cross-platform.
It has both free and paid plans.
Please update this article to include Bitwarden.
When I saw the title, I was going to share this post with my friends…
Thanks for sharing your password manager of choice.