“Most of us have been using phones, computers and the internet for more than a decade, yet for many people the traditional text-based password still is the primary and the only way of securing their account,” noted Irmantas Bankauskas, Chief Sales Officer at Baltic Amadeus.
As he explained, choosing the right method of security for different situations first and foremost depends on the purpose of the profile or device, as well as on the type and sensitivity of the information stored therein. Therefore, he recommended focussing on your work phone and computer, as well as logins for your company’s internal systems.
Fingerprints cannot be changed
Personal and work phones or computers can be unlocked not only with a password or PIN code, but also with biometric data – fingerprints or face recognition. This option is faster and often more convenient. However, Bankauskas noted that this carries some additional risks.
“If an ill-intentioned individual stole a person’s biometric data, for example his/her fingerprint pattern, there could be life-long consequences because this unique biometric data cannot be changed. Unlike a password, a fingerprint cannot be replaced, which poses the risk that the identity of a compromised user could be used again in the future,” noted the Baltic Amadeus CSO.
On the other hand, biometric data works well as one step in a multi-step verification process. For instance, a work phone can be configured to unlock only after both a fingerprint scan and a PIN code. Similarly, a banking app can be opened only after a fingerprint touch and a password, while money transfers may require an additional code generator or mobile signature.
Bankauskas recommends using two-step verification for online accounts wherever it is offered – including for personal social media profiles and e-mail. Facebook, Instagram, Gmail, Yahoo and other large online services all support it. When logging in from a new device, a one-time code is typically sent to the user by SMS, or the login must be confirmed in a mobile app. In other words, to access your account an attacker would not only have to know something known only to you (your password) but also have to possess a device that belongs to you (your phone). Where a service offers a choice, an authenticator app or a hardware security key is preferable to SMS, since SMS codes can be intercepted or redirected, for example by a SIM swap.
Is emoji better than “$Yps3nA”?
Passwords traditionally contain Latin letters, numbers and other characters, but a few years ago an innovation appeared – passwords that use emojis. These can include various smilies and icons of animals, things or other objects. The US National Institute of Standards and Technology (NIST), in its Digital Identity Guidelines (SP 800-63B), has urged the developers of security systems to accept all printing ASCII and Unicode characters in passwords, which includes emojis.
As the Baltic Amadeus expert noted, if it were possible to choose from even a limited number of different emojis (for example, 50 emojis), there would be more than 6 million possible variations of a 4-character PIN code (50 to the power of 4, or 6,250,000). By comparison, there can be only 10,000 different PIN codes when they are made from digits only. Furthermore, research has shown that people remember emoji codes more easily than random digits, and someone looking over your shoulder is less likely to make out which icon is being tapped than which digit.
“The inclusion of even a single emoji significantly increases a password’s security, because hackers simply do not use emojis as possible password characters. On the other hand, most services do not support emojis – currently, only third-party apps and individual websites allow their use. To a great extent, this is a result of the fact that there is still no uniform standard for emojis approved on all platforms and for all devices,” said the Baltic Amadeus CSO.
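What "allowing emojis" means on the verifier side is mostly a matter of treating the password as Unicode text rather than as ASCII bytes. The Python below is an added example, not code from the article or from Baltic Amadeus: it normalises the password (NFKC, the form SP 800-63B suggests so that the same character typed as composed or decomposed code points hashes identically), encodes it as UTF-8 and stores a salted PBKDF2-HMAC-SHA256 digest. The storage string layout `pbkdf2_sha256$iterations$salt$hash`, the 600,000-iteration default and the function names are this example's own choices.

```python
import hashlib
import hmac
import secrets
import unicodedata
from typing import Optional


def canonical_bytes(password: str) -> bytes:
    """Normalise to NFKC and encode as UTF-8. Without this, 'é' typed as U+00E9 and as
    'e' + U+0301 would hash differently and lock the user out on another keyboard."""
    return unicodedata.normalize("NFKC", password).encode("utf-8")


def utf8_length(password: str) -> int:
    """Byte length after encoding. Each emoji costs 4 bytes, which matters for hashes
    with an input cap (bcrypt silently truncates at 72 bytes)."""
    return len(canonical_bytes(password))


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 600_000) -> str:
    """Salted PBKDF2-HMAC-SHA256; the salt and iteration count travel with the hash."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", canonical_bytes(password), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", canonical_bytes(password),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Constructed sample passwords: an all-emoji one and an accented one typed two ways.
    stored = hash_password("\U0001F525\U0001F40D\U0001F512\U0001F680")  # fire snake lock rocket
    print("emoji password bytes:", utf8_length("\U0001F525\U0001F40D\U0001F512\U0001F680"))
    print("emoji verify:", verify_password("\U0001F525\U0001F40D\U0001F512\U0001F680", stored))
    stored = hash_password("caf\u00e9")            # precomposed é
    print("decomposed é verifies:", verify_password("cafe\u0301", stored))
```

Two caveats a practitioner should keep in mind: NFKC unifies composed and decomposed letters but does not strip emoji variation selectors (U+FE0F), skin-tone modifiers or zero-width joiners, so the same picture produced by two different keyboards can still be different code points; and the four-byte cost of each emoji makes length limits bite sooner than for ASCII.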
A good password is not necessarily complicated
Thus, it seems typical passwords are here to stay, at least for the time being.
“The recommendations on how to create a secure password are constantly changing. For example, for some time, the prevailing advice was that a password should be as complicated as possible – a random jumble of letters, digits and symbols. But it became clear that, instead of remembering them, people would usually write these passwords down on a piece of paper and stick it on the table or next to the computer screen. This is an even worse scenario than “Password123” – as the data could be accessed by anyone who came close to their computer,” said Bankauskas.
He added that even short passwords that look complicated (e.g. “H7%e*}”) or are made from a single word (e.g. “firework123”) can be easily cracked with the appropriate software and computing power.
What does an ideal password look like?
Therefore, for now, the key rules for creating a good password are as follows:
- It must be as long as possible (containing at least 8 characters)
- Use uppercase and lowercase letters, numbers and symbols
- Avoid sequences that run in alphabetical order or along the keyboard (abc, 123, qwerty)
- Avoid common words and add spelling mistakes (cracking tools use dictionaries, and they also try common misspellings and letter-for-symbol substitutions, so a misspelling alone is not enough)
- Do not use names of people, websites or companies
The Baltic Amadeus representative gave us the following advice: come up with a phrase that is easy for you to remember, and add some special characters to it. In this way, the phrase “Cold beet soup is my favourite dish in Lithuania” might become a great password “Co!dbeet$00p/myf@vdish#LT!”.
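The rules above can be turned into a check that a signup form or a password audit can run. The Python below is an added example, not code from the article or from Baltic Amadeus; it implements each listed rule and, for the "easily cracked" point, an upper bound on the brute-force key space. The tiny `DICTIONARY` is constructed for the example (real cracking wordlists run to millions of entries), and the leet-speak table, the run length of 3 and the function names are this example's own choices.

```python
import math
import string

# Constructed for this example; a real cracker ships far larger lists plus rules.
DICTIONARY = {"password", "firework", "welcome", "dragon", "summer", "lithuania"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
# Undo the substitutions cracking rules try anyway: P@ssw0rd -> password.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def has_run(pw: str, length: int = 3) -> bool:
    """True if `length` adjacent characters run along the alphabet or a keyboard
    row, in either direction (abc, cba, qwe, 789)."""
    s = pw.lower()
    sequences = [string.ascii_lowercase] + KEYBOARD_ROWS
    for i in range(len(s) - length + 1):
        chunk = s[i:i + length]
        if any(chunk in seq or chunk[::-1] in seq for seq in sequences):
            return True
    return False


def dictionary_hit(pw: str):
    """Return the dictionary word the password is built on, after stripping digits
    and symbols from the ends and undoing leet-speak (firework123 -> firework)."""
    core = pw.lower().strip(string.digits + string.punctuation).translate(LEET)
    if core in DICTIONARY:
        return core
    for word in DICTIONARY:
        if word in core and len(word) * 2 > len(pw):  # one word is most of the password
            return word
    return None


def check_password(pw: str) -> list:
    """Apply the article's rules; an empty list means the password passes."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
    if not all(classes):
        problems.append("missing one of: lowercase, uppercase, digit, symbol")
    if has_run(pw):
        problems.append("contains an alphabetical or keyboard sequence")
    word = dictionary_hit(pw)
    if word:
        problems.append(f"built on the dictionary word '{word}'")
    return problems


def keyspace_bits(pw: str) -> float:
    """log2 of (alphabet size ^ length), with the alphabet being the union of the
    character classes present. This is an upper bound on brute-force work; real
    attacks do far better because people choose words, not uniform random strings."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33  # printable ASCII symbols
    return len(pw) * math.log2(size) if size else 0.0


if __name__ == "__main__":
    for candidate in ["Password123", "firework123", "H7%e*}", "Co!dbeet$00p/myf@vdish#LT!"]:
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}, "
              f"<= {keyspace_bits(candidate):.1f} bits")
```

On the article's own examples, “Password123” and “firework123” fail three rules each, “H7%e*}” fails only on length but offers at most about 39 bits of key space, and the beet-soup passphrase passes every rule at roughly 170 bits.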
Use your creativity – and do not use an identical password for different accounts.