Take everything from me, but not my password!

Security Awareness
8 May 2023

To paraphrase a well-known advertisement, this could be the motto of all of us today, as we are forced to remember, according to NordPass researchers, an average number of 70–80 passwords, in order to have access to all the devices, applications, programs and data scattered all over the ether.

It’s a challenge that everyone faces by unleashing their creativity: there are those who write passwords on their phones, disguising them with false names; those who write them on post-its, then hide them and forget where; those who photograph them; those who write them down in a saved file with a name that they then promptly forget; those who use the date of birth of their child, their partner, or their best friend; those who use the same password for every site or application: and you could continue indefinitely.

One thing is certain: passwords are a precious element for everyone, a jewel 2.0, to be guarded jealously and very carefully. In fact, they allow us to have access to our data, which have now become primary assets, and, at the same time, prevent someone else, perhaps with malicious intent, from taking possession of them.

But they are also one of our worst nightmares. The theft or compromise of a password can in fact lead to various cybersecurity incidents with serious consequences, including ransomware infections, malware, and data theft. For companies, these are risks that are not to be sniffed at, which can entail the interruption of activities, as well as economic damage and damage to the company’s image.

It also seems that remote working has greatly exacerbated the problem. According to a recent 2022 study, 62% of employees share passwords via text message or email. The same research reports alarming statistics about password negligence, including the fact that 57% of respondents admitted to writing work-related online passwords on “sticky notes” and, among these, 67% said they had lost those notes.

Basically, passwords are no joke. With 50% of cyberattacks involving stolen login credentials, keeping passwords safe is a pillar of security policies.

For this reason, the first thing that is taught to all Internet users who, according to the latest estimates, amount to 5.16 billion people, or 64% of the global population, is to make conscious, and above all, safe use of this tool. This means, first and foremost, the generation of strong passwords.

A strong password must be unpredictable, consist of a mix of uppercase and lowercase letters, be more than ten characters long, and contain numbers and special characters. For example, xT34?hjKL56#. Of course, having to remember 70 passwords of this type would try the patience of even the most motivated user. A valid alternative is therefore represented by the use of a complex password generator.

Major browsers have built-in password generators that help users register accounts; such generators rely on one of three methods to produce a random password:

  • Pseudorandom number generator (PRNG): the computer expands a starting seed with a deterministic algorithm into the sequence from which the password is drawn.
  • True random number generator (TRNG): uses a physical source, such as radioactive isotope decay, to generate the seed.
  • Cryptographically secure pseudorandom number generator (CSPRNG): a type of PRNG whose output is unpredictable enough to be suitable for cryptographic use.

To protect the resulting passwords, a robust password generator builds its CSPRNG from hash functions or block ciphers, so that an attacker who observes some of its output cannot predict earlier or later passwords; this closes off a series of attacks that would otherwise make the generated passwords unsafe.
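As an added illustration, not code from the original article, the following Python snippet shows the two points above in practice: a password that meets the stated criteria (more than ten characters, upper and lower case, digits and special characters) is drawn from the operating system's CSPRNG via the `secrets` module, and a seeded ordinary PRNG (`random.Random`) is shown reproducing the same "random" password whenever it is started from the same seed, which is why a plain PRNG is unsuitable. The special-character set and the twelve-character default are this example's own assumptions, as is the entropy estimate, which assumes every character is drawn uniformly from the alphabet.

```python
import math
import random
import secrets
import string

# Character classes the article's rule requires: upper, lower, digit, special.
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SPECIALS = "!#$%&*+-=?@^_~"  # constructed subset of printable symbols (assumption)
ALPHABET = UPPER + LOWER + DIGITS + SPECIALS
DEFAULT_LENGTH = 12  # "more than ten characters" (assumption: twelve as a default)


def is_strong(password: str) -> bool:
    """Check the article's criteria: length > 10 and all four classes present."""
    return (
        len(password) > 10
        and any(c in UPPER for c in password)
        and any(c in LOWER for c in password)
        and any(c in DIGITS for c in password)
        and any(c in SPECIALS for c in password)
    )


def generate_password(length: int = DEFAULT_LENGTH) -> str:
    """Draw characters from the OS CSPRNG (secrets) until the criteria are met.

    Rejection sampling keeps every character uniformly distributed; forcing
    one character per class into fixed positions would bias the result.
    """
    if length <= 10:
        raise ValueError("length must be greater than 10")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if is_strong(candidate):
            return candidate


def predictable_password(seed: int, length: int = DEFAULT_LENGTH) -> str:
    """Same construction, but from a seeded non-cryptographic PRNG.

    Given the seed, the output is fully determined: anyone who guesses the
    seed (a timestamp, a process id) regenerates the identical password.
    """
    rng = random.Random(seed)
    while True:
        candidate = "".join(rng.choice(ALPHABET) for _ in range(length))
        if is_strong(candidate):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy for a uniformly random password of the given length."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password()
    print(f"CSPRNG password: {pw}  strong={is_strong(pw)}")
    print(f"approx. entropy: {entropy_bits(len(pw)):.1f} bits")
    # Same seed, same password: the PRNG output is reproducible.
    print(predictable_password(2023), predictable_password(2023))
```

Run it twice: the `secrets`-based password differs on every run, while the two seeded PRNG passwords printed on the last line are always identical to each other and across runs.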

Password generators typically store passwords ready for use when the user attempts to access a particular website. At that point, the generator will provide access to the password or it may pre-fill the password field on the login page. Therefore, password generators create strong and secure passwords and can also help manage them.

However, this solution is not totally free of risks because, although the password is difficult to guess, it can still be captured by phishing or stolen in some other way.

It is therefore important to keep an eye on your online actions while always maintaining a high level of security. Particularly within a company or organisation, employees should avoid sharing passwords, writing them down on pieces of paper, or leaving their computers or devices logged in when they are away from their desks. In short, they must be adequately trained on the hygiene of passwords and the importance of keeping them safe.

And, while it may seem like a trivial conclusion, nothing in the world of cyber security is trivial.
For this reason, it is necessary that as many people as possible receive the right training and ensure that in their weekly schedules there is a time slot to learn and put into practice their theoretical knowledge. And we all know that no one would do this for an extended period without being included in a specific training programme.

