Why you should use unique passwords, they can help identify a data breach.

In our newsletter we have an article about the proposed Digital ID, the Brit Card, which is meant to be implemented some time in 2029. 

The fundamental flaw with the Brit Card is that it will be a single repository for all the data the government stores about individuals in the country.  The bigger flaw is that it won't be one source of data; it will be multiple threads pulled together, with all of their inherent flaws and risks.  Couple this with the government not exactly being a shining example of how to implement robust and functional IT systems (it is why there is not a single NHS IT platform but instead multiple, disjointed platforms that do not yet interoperate very well) and you start to get the picture.  Then throw in the Post Office Horizon IT project, which was flawed from the outset and, even though they knew it was flawed, was run with rather than fixed, and you get an understanding of how this could be a problem in the making.

Brit Card will initially only be about the right to work, but it is no secret that the longer-term plan is to include all Government Gateway data, medical information, all financial information (tying in your banking and spending), travel information, internet usage, in fact pretty much everything about your life, all in one place.  This creates a centralised gold mine of information about every individual in the country, and it will be a hacker’s paradise.

Putting all your eggs in one basket is never the best plan.  It is very convenient, but if you drop a standard basket, you lose all the eggs.  This is why it is so important to understand that the convenience of using one simple basket to carry all the eggs around should never trump the security of splitting them up into more secure containers.

And people already do this, for example, think of a bunch of keys.  There are different keys on the bunch, one or two for the house, same for the office, the car, the locker at the gym, the back gate, the bike padlock, the safe key, all different, all unique keys for different and unique locks.

It would be really convenient to have a single key for every lock you use in your life, only needing to carry around that one key to unlock everything you access or operate.  But if you lose that key, or worse, if someone were to copy it without you knowing, whoever has the key ends up with full access to every single lock you use, the same access as the owner of the key.  And if they got a copy of the key without you knowing, they have full access to everything you use without your knowledge, so you won't get the locks changed, leaving them with full access.

This is why we have bunches of keys, not a single key.  A bunch is harder to duplicate, and it is harder to work out which key on the bunch opens which lock.  It is a form of diverse security that reduces risk, even with all the keys in one place.

This also translates into passwords and PINs.  Security dictates that we should all have unique passwords and PINs for everything we access, but, and I am being generous by calling it this, convenience (code for apathy or, more brutally, laziness) typically means people use only one or two logins and passwords, and more than likely the same PIN on all their cards and phones alike.

Now is the time to start using unique passwords, if you don’t already, for every site and login that you use. The same goes with PINs, make sure you have unique PINs for everything. 

Each password should be complex and unique, but a tip is to also include an identifier for the site it is used on, so that if the site, business, or organisation gets hacked and your information is leaked, the compromised information itself exposes which site leaked it.  A lot of the time, a data breach goes unnoticed by the organisation, often for a significant amount of time, in many cases months before the leak is identified.

If your details do end up exposed, at least you would know which site leaked the data.  It also means only one site is compromised, and you would not need to change the password on EVERY site, because it is unique to that one site.
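The point above, worked through as an added example (not part of the original article): given a vault of per-site credentials and a constructed breach dump, a unique password pins the leak down to exactly one site, whereas a reused password shows every site that now needs a reset. All site names, usernames and passwords below are constructed sample values.

```python
"""Match leaked username:password pairs against a password vault to see
which sites are exposed. Unique passwords -> one site per hit;
reused passwords -> every site sharing that password."""

from collections import defaultdict

# Constructed sample vault: site -> (username, password). Not real accounts.
VAULT_UNIQUE = {
    "shop.example": ("alice@example.com", "Tr0ub4dor-shop-9!x"),
    "bank.example": ("alice@example.com", "Tr0ub4dor-bank-2#q"),
    "mail.example": ("alice@example.com", "Tr0ub4dor-mail-7&z"),
}

# Same user and sites, but a single password reused everywhere.
VAULT_REUSED = {site: ("alice@example.com", "Tr0ub4dor&3") for site in VAULT_UNIQUE}

# Constructed breach dump in the common "user:password" line format.
# Which site it came from is unknown; that is what the vault tells us.
BREACH_DUMP = """\
alice@example.com:Tr0ub4dor-shop-9!x
bob@example.net:hunter2
alice@example.com:Tr0ub4dor&3
"""


def parse_dump(text):
    """Parse 'user:password' lines; only the first ':' separates the fields,
    so passwords containing ':' survive intact. Blank lines are skipped."""
    creds = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, _, password = line.partition(":")
        creds.append((user, password))
    return creds


def exposed_sites(vault, dump_text):
    """Return {leaked (user, password): [sites it unlocks]} for every dump
    entry that matches a vault credential. A one-element site list means the
    leak source is identified; a longer list is the blast radius of reuse."""
    sites_by_cred = defaultdict(set)
    for site, cred in vault.items():
        sites_by_cred[cred].add(site)
    hits = {}
    for cred in parse_dump(dump_text):
        if cred in sites_by_cred:
            hits[cred] = sorted(sites_by_cred[cred])
    return hits
```

The site-tagged password ("-shop-") in the first hit names the leaking site directly; the reused password in the second hit would have forced resets on all three sites.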

The one difficulty with this approach is remembering every password and login used across all the sites you access, which is where a password vault, with multi-factor authentication enabled, becomes the best option.  A password vault is a single, secure, encrypted repository for all your passwords.  Yes, it is putting all your eggs in one basket, but it is a secure basket with multiple layers of protection.  It is protected by some or all of the following:

  • Master username and strong password or passphrase
  • Multi-factor authentication – a regularly changing code
  • Biometric layer
  • Encrypted database
  • Zero-knowledge architecture – data is encrypted on the local device using the master password or passphrase, and the decrypted data never leaves the device
  • Secure data transmission – the data is encrypted not just when stored but also in transit between your device and the server, protecting it from interception

A password vault is protected by you at setup, as you choose the master password or passphrase from which the encryption keys are derived, meaning that no one else should be able to access the data.  Couple this with the layers of security above and someone would need to know multiple pieces of information (some changing every 30 seconds), making it nigh on impossible to crack the vault.

Password vaults can also be used in a business environment with compartmentalised vaults inside the vault.  Some can be shared with other colleagues, meaning there is a shared, secure password repository for staff to access, securing company passwords.

If you would like more information about a password vault for either personal or business use, call us on 01722 411 999 to discuss all of the options available that would best suit your requirements.

Publish Date: Oct 1, 2025