Cybersecurity Myths – changing passwords
Even with the gradual increase in cybersecurity literacy amongst the masses, there are still some myths that people follow religiously, even cybersecurity professionals. I will set out to bust some of those myths here. Many of the myths come from companies advertising products as a “silver bullet” solution; others persist because the world has changed and the old advice is no longer valid. Cybersecurity myths can be spread by well-meaning people, but you still need to take them with a “pinch of salt”.

In this series of posts about cybersecurity myths, I look at some common beliefs and what you actually need to do.
I need to change my passwords every 60 days, and have complex mixtures of characters.
This one is still pushed by cybersecurity professionals around the world. It may be contentious for me to keep saying this, but you don’t increase security by changing passwords. A report by Microsoft points out that the problem with forced password changes is the limits of human imagination. If we are constantly prompted for a new password, we end up just incrementing the number at the end of the old one, or creating a new one that is simpler or more predictable. Putting people on the spot to suddenly invent a new password will result in human failings.
In the 1960s, if a password list was stolen, it would take around 35 days to decode the passwords, so they were changed every 30 days. However, now passwords are not hashed, they are encrypted, and that changes the playing field: with encryption, a stolen list is either 0% or 100% un-encrypted.
Requiring a complex mix of uppercase letters, numbers and special characters does increase password complexity, but not nearly as much as password length does. If you are stuck with an eight-character limit on passwords, then special characters will help. If you have a memorable passphrase of something like 25 characters, perhaps with a capital and a number in there too, then no password cracker is going to break it in a reasonable time. By contrast, a 10-character password that is a random jumble of special characters, numbers and letters is hard to type, hard to remember, and easy to get wrong. That means you end up recovering your account or changing your password – which is itself a risky move.
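To put numbers on the two points above (length beats character classes, and forced rotation produces “increment the last digit” passwords), here is an added example that is not part of the original post. It estimates the keyspace of a password from the character classes it uses, converts that to an exhaustive-search time at an assumed offline rate of 10 billion guesses per second, and includes the kind of check a password-change handler could run to reject a trivially rotated password; the sample passwords are constructed for illustration.

```python
import math
import re
import string

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def alphabet_size(password: str) -> int:
    """Size of the smallest printable-ASCII set covering every character class used.
    Assumption: classes are lower/upper/digits/symbols as in Python's string module, plus space."""
    size = 0
    if any(c.islower() for c in password):
        size += len(string.ascii_lowercase)   # 26
    if any(c.isupper() for c in password):
        size += len(string.ascii_uppercase)   # 26
    if any(c.isdigit() for c in password):
        size += len(string.digits)            # 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)       # 32
    if " " in password:
        size += 1
    return size


def entropy_bits(password: str) -> float:
    """Upper bound on guessing entropy: every position drawn uniformly from the covering alphabet."""
    n = alphabet_size(password)
    return len(password) * math.log2(n) if n else 0.0


def years_to_exhaust(password: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case years to try the whole keyspace at the assumed offline guessing rate."""
    return alphabet_size(password) ** len(password) / guesses_per_second / SECONDS_PER_YEAR


# Stem = everything before a trailing run of digits and/or symbols ("Winter2023!" -> "Winter").
_STEM = re.compile(r"(.*?)\d*[^\w\s]*", re.DOTALL)


def is_trivial_rotation(old: str, new: str) -> bool:
    """True when the new password is the old one with only the trailing number/symbols changed,
    i.e. the 'increment the digit at the end' pattern that forced rotation encourages."""
    stem_old = _STEM.fullmatch(old).group(1).casefold()
    stem_new = _STEM.fullmatch(new).group(1).casefold()
    return bool(stem_old) and stem_old == stem_new


if __name__ == "__main__":
    # Constructed samples: a 10-character random jumble vs. a 23-character passphrase.
    for pw in ("q7#Lp!2zR$", "MyCatChasedTheBlueBall7"):
        print(f"{pw!r}: {entropy_bits(pw):.1f} bits, {years_to_exhaust(pw):.2e} years to exhaust")
    print(is_trivial_rotation("Winter2023!", "Winter2024!"))
```

The random 10-character password uses all four classes (94 symbols) yet lands around 65 bits, while the plain-looking 23-character passphrase (62 symbols) is around 137 bits, which is why the post recommends length over forced complexity.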

Instead, you should ensure that all your passwords are long and unique (so that if one is stolen, the attacker cannot reuse it on your other services). At the very minimum, group your passwords into categories so that your work, banking and social media passwords are all different from each other.