Passphrases, not passwords

We use passwords all the time, but they are a weak link in our cybersecurity.

Strong passwords are essential, but passwords are confusing, hard to remember, and difficult to type. 

Instead of passwords, consider using passphrases that are easy to remember, and simple to type.

Attackers can break into your accounts if your passwords are weak or easy to guess. Therefore, we create complex passwords. However, these can be hard to remember, confusing, and difficult to type. Instead, use passphrases with a series of random unrelated words. The more characters your passphrase has, the stronger it is. The advantage is passphrases are much easier to remember and type – but still hard for cyber attackers to break. 

For example this sample passphrase: fencE*soccer4:15*happy*bell

Remember this picture in your mind.

Passphrases are strong. Not only are they long, but they use capital letters and symbols. A passphrase is also easy to remember and type. You don’t need to wrote them down and store them insecurely – like is, unfortunately, too often done with passwords.

Use a different passphrase for every account or device you have.

If you have too many passphrases to remember, consider using a password manager which is a application that securely stores all your passphrases for you. The only passphrases you need to remember are the ones to your computer or device and the password manager.

Do not share a passphrase, or your strategy for creating them, with anyone else.

You may want to write down your key personal passphrases amd store them in a secure location, and share that location only with a highly trusted family member

Be careful of websites that require you to answer personal questions. These questions are used if you forget your passphrase and need to reset it. The answers to these questions can often be found on the Internet. Some password managers allow you to securely store this additional information.

Many online accounts offer something called two-factor authentication, also known as 2FA or two-step verification. 2FA means that you need more than just your passphrase to log in, such as a passcode sent by text to your smartphone. Text messages, however, are not secure and attackers can also remotely take over your phone number. A much better 2FA is a specific hardware key that is inserted into your computer or device. 2FA is more secure than just a passphrase by itself. Whenever possible, always enable it.

Social Engineering Cyberattacks

Cyber attackers have learned that often the easiest way to steal your information

or infect your computer is simply to trick you into making a mistake. It’s just psychology and manipulation – but cyber people call it by the fancy term “social engineering”.

Social engineering attackers are the same as age-old con artists. However, cyber attackers can be more effective since you can’t see them and they can be coming from anywhere in the world. They can easily pretend to be anyone – and target millions of people at the same time. 

Many of us have received a phone call from someone claiming to be from “computer support”. The caller says that your computer is infected and they will “help” you solve the problem. They ask for remote access to your computer or for you to download software to “fix” the problem – to fix when they really want to steal your information and use yourcomputer to attack other computers.

Another example is an email attack called “CEO Fraud”. The attackers do their research in advance. The attacker then sends an email to you pretending to be from the CEO of your company. The email urgently asks you to take an action, such making a wire transfer.

Common clues of social engineering are:

• A huge sense of urgency.
• Asking for information they should not have access to – or should already know.
• Asking for your password.
• Pressure to bypass normal security procedures.
• Something too good to be true – like winning the lottery.
• An odd email from a colleague – verify by contacting your colleague in person or over the phone.

If you suspect someone is trying to fool you, do not communicate with the person anymore. If work related, report it immediately.