Passwords have become an essential part of everyone’s digital life. In combination with other verification methods, they are the front door to almost all the digital services we use. We need them for online banking, but also to log in to email accounts, social networks, streaming platforms or online stores.
Like house keys, passwords must be well protected to avoid unpleasant surprises. But sometimes it is not enough to store them well: there are times when we should change them or reinforce security with additional methods. The question is when. At Xataka we have asked three cybersecurity experts to clear up doubts and find out what decisions we should make.
The problem of security breaches
Francisco Valencia, CEO of the computer security company Secure & IT, opened the conversation with a blunt phrase: “The user has to think that passwords will sooner or later be exposed.” What the expert tells us is relevant, because we usually navigate this increasingly digital and interconnected world without being completely aware of the threats that surround us.


Valencia explains that the exposure of our passwords, or in other words, their being compromised or revealed, can occur in two ways: they are stolen from us directly, or they are taken from the services where we have registered them. When we register with an online service, it should protect our authentication data; however, as the specialist points out, often it does not.
To illustrate this, the interviewee recalls Yahoo’s case. In 2013, with Marissa Mayer at the helm, the company suffered a colossal security failure, considered by many to be one of the largest in history, which exposed the data of 500 million accounts. The platform “seemed reasonably safe, but the passwords were stolen and users were informed years later,” he says.
Alejandro Botter, Cyber Security Evangelist at Check Point, reveals that “it is increasingly common for a data breach to occur.” The expert indicates that these scenarios, in which some kind of data exfiltration takes place, can occur in any field, from a hotel to a bank, although the latter should, in theory, have more robust security measures.


While leaks of our passwords by those we trust are a reality, Botter warns that the most traditional security threats, those in which we hand over our passwords involuntarily, are still very present. “We might access a site that was not the correct one and leave our password there, or the device might be infected,” he explains.
He also emphasizes that awareness is essential to understand that cybercriminals do not only pursue important targets; anyone can be a target. “Many people say: ‘Where will my email be? I don’t think it’s my turn.’” In this regard, he mentions that tools such as “Have I Been Pwned?” make the reality of information leaks very palpable.
Asked whether we should trust the page created more than a decade ago by the Australian security consultant Troy Hunt, Botter highlights the positive aspect of the platform, but says that “there is debate about it”, and that by entering only our email we are providing information that “is obtained in different ways on the Internet and that is not so complex to obtain.”
What are we doing wrong with our passwords?
Adrián Arrow, cybersecurity technician at INCIBE-CERT, tells us that “for years, passwords have been the main method of access to our accounts, but they also represent one of the greatest security risks.” The specialist from this Spanish institute adds that “the reality is that most users reuse keys, choose weak combinations or fall for phishing attacks.”


Valencia supports this perspective with a practical example: “When we do an audit and, for example, we find the password for a person’s tennis club, it turns out that when we search for that password we see it on a pile of other sites, because that same user has used the password everywhere. And that makes the criticality even greater.”
The CEO of Secure & IT emphasizes that one of the most critical problems of password reuse is that passwords generally end up leaking through the weakest link. Since the user has used the same set of characters in other services, often together with the same email address, they end up exposing all their accounts in a way that would not have happened had they used different passwords.
“Passwords cannot be the same on all sites. People often have two passwords, the easy one and the difficult one, and it turns out that they use the difficult one for the bank and something else, and the easy one for everything else. The password cannot be the same, it always has to be different, it has to be random, it has to be difficult to remember, etc.” This, he explains, will force us to use a password management tool.
The interviewee adds some quite useful examples: “Knowing the exposure, if they steal a password, they will exclusively attack the service where I used it. If my Facebook password is stolen, it will only affect Facebook, and nothing else. Until now the seriousness has been that if the Facebook password is stolen, it turns out that it is also the one for my bank, and therefore the exposure is much worse.”
Users often ask whether using a password manager is a good idea. Arrow, from INCIBE, explains that “password managers are one of the safest and most practical tools to store and manage our access credentials”, and highlights some of their advantages. He notes that they serve not only to store passwords but also to generate them.
“While no technology is infallible, a well-designed manager offers much more security than writing passwords down on paper or trying to remember them all. Currently, there is no manual alternative that is so safe and practical. There are cloud and local (offline) versions, but in any case it is essential to strengthen your security with good practices,” says Arrow on this matter.
For the specialist, the key is to use a robust master password, enable two-factor authentication, make sure the password manager uses strong encryption, and make encrypted backup copies to avoid the total loss of credentials. “Password managers not only make life easier, but help better protect our accounts in an increasingly complex digital environment,” he says.
How to improve the security of our accounts?
The three experts agree that activating two-step verification (2FA) is essential. “Two-factor authentication is relevant because the password becomes one part, but not the only part, needed to access an account,” Botter explains. “It is not 100% safe, but it gives us a considerably higher level of security,” says Valencia on 2FA solutions.
Arrow mentions that the use of passkeys is a good resource to improve account security: “Unlike traditional passwords, these keys cannot be stolen through phishing attacks or mass leaks. In addition, they complement other methods, such as biometric authentication (fingerprint or facial recognition) or physical devices, such as YubiKeys.”
So when is it time to change passwords?
We often wonder whether it is time to change a password, or even whether we should change all our passwords. Specialists have analyzed this issue from different perspectives. Botter points out that, while corporate users often update them, individuals tend to keep them for years.


INCIBE’s expert says that while the usual recommendation has been to change passwords frequently, this can also be counterproductive. “Instead of improving security, it can lead many people to reuse the same key on different accounts or to choose weaker and easier ones, thus increasing their vulnerability.”
Starting from this premise, he recommends changing the password only in specific risk situations, such as receiving an unusual activity alert, discovering that we have been victims of phishing, learning that a service we use has suffered a data leak, reusing the same password on several platforms, having logged in on public devices or unsafe networks, or having been victims of malware.
“Even if we have been victims of a security incident, it is not necessary to change all passwords indiscriminately. The priority must be to evaluate which accounts may have been affected and act only on them,” says the interviewee.
Is a future without passwords ahead?
Finally, Valencia reflects on the possibility of a future without passwords, where biometric authentication plays a central role. “I think we are going to reach a time when we will authenticate in another way, not only with the password,” he responds, but warns that “when that password, or that authenticator, is biometric in everything, new problems will appear.”
Digging a little deeper into this matter, we asked what kind of problems he is referring to. “The problem with biometrics is that if they steal a password, I can change it, but if they steal my biometric pattern I can’t change it, and therefore I can be vulnerable forever. So the password alone is insecure, and biometrics alone is also insecure,” explains the specialist.