Your Guide To A Secure Password

How secure is your financial data online? Unsurprisingly, passwords are a weak link in the online security chain. Online accounts are only as secure as the passwords that protect them, but many of us have misconceptions of what constitutes a secure password.

A password should be a secret

Your password ceases to be a secret the moment you hand it to an attacker, whether through a phishing or social engineering attack, by typing it into a device infected with malware, or by typing it while someone is looking over your shoulder.

If you use the same password on multiple sites and one of those sites is breached, you should assume that the password is no longer a secret anywhere. For this reason, use a unique password for every account. You can check whether any of your online accounts have appeared in a known data breach at haveibeenpwned.com.

A password should be hard to guess

Being hard for a human to guess is not enough; a password must also be hard for a bot to guess. Below we explain how bots guess passwords so that you can build a stronger one.

How a bot guesses your password

Websites usually mitigate direct (online) bot attacks by limiting the rate at which an attacker can submit guesses. Some impose a short time-out after a few failed authentication attempts, some require a CAPTCHA, while others simply lock the account.

Sometimes an attacker will manage to breach a system and steal its user authentication database. Passwords are usually not stored in plain text, so the attacker ends up with a collection of usernames and hashed passwords, which they can then attack offline with no rate limit at all.

The algorithm used to hash a password creates a one-way mapping that is difficult to reverse. To recover the original password from its hash, an attacker has to hash a large number of candidate passwords and compare each result to the stored hash in the hope of finding a match.

The manner in which the password was hashed can slow this process: a per-user salt stops one candidate from being checked against every account at once, and a deliberately slow hash function makes each guess cost more. Ultimately, though, it is up to you to set a password that is unlikely to be high on the list of candidates the bot tries.
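To make the offline attack concrete, here is an added example (not code from the original post or from Beanstream) that builds two constructed breach dumps of the same four accounts, one with unsalted SHA-256 and one with salted PBKDF2-HMAC-SHA256, and runs the same dictionary-plus-mangling attack against both. The usernames, passwords, wordlist and iteration count are all made up for the demonstration; real attackers use wordlists with millions of entries and far richer mangling rules.

```python
import hashlib
import os
import time

# Constructed accounts (not real data). Only used to build the two dumps;
# an attacker never sees these plaintexts.
PLAINTEXTS = {
    "alice": "Summer2019!",                  # dictionary word + year + "!"
    "bob": "P@ssw0rd",                       # leet-speak obfuscation
    "carol": "letmein123",                   # dictionary word + digits
    "dave": "correct horse battery staple",  # random-word passphrase
}
ITERATIONS = 10_000  # kept low so the example runs quickly; production uses far more

def fast_hash(password):
    """What a site that stores unsalted SHA-256 would keep on disk."""
    return hashlib.sha256(password.encode()).hexdigest()

def slow_hash(password, salt, iterations=ITERATIONS):
    """A salted, deliberately slow password hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()

def make_slow_dump(plaintexts):
    dump = {}
    for user, pw in plaintexts.items():
        salt = os.urandom(16)  # unique per user, stored next to the hash
        dump[user] = (salt, slow_hash(pw, salt))
    return dump

FAST_DUMP = {user: fast_hash(pw) for user, pw in PLAINTEXTS.items()}
SLOW_DUMP = make_slow_dump(PLAINTEXTS)

# A tiny "top passwords" list standing in for the multi-million-entry lists
# attackers really use (constructed for this example).
WORDLIST = ["123456", "password", "qwerty", "letmein", "summer2019",
            "dragon", "welcome", "monkey"]
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0"})
SUFFIXES = ["", "1", "123", "!"]

def mangle(word):
    """Cheap rules covering the usual human tricks: capitalise, swap letters
    for look-alike symbols, append a digit or two or a '!'."""
    bases = {word, word.capitalize()}
    bases |= {b.translate(LEET) for b in list(bases)}
    return [b + s for b in sorted(bases) for s in SUFFIXES]

def candidates(wordlist):
    seen = set()
    for word in wordlist:
        for c in mangle(word):
            if c not in seen:
                seen.add(c)
                yield c

def crack_fast(dump, wordlist=WORDLIST):
    """Unsalted fast hash: hash every candidate once, then look up all users."""
    table = {fast_hash(c): c for c in candidates(wordlist)}
    return {user: table.get(h) for user, h in dump.items()}

def crack_slow(dump, wordlist=WORDLIST):
    """Salted slow hash: each candidate must be re-hashed for every user,
    paying the full iteration count each time."""
    found = {}
    for user, (salt, h) in dump.items():
        found[user] = None
        for c in candidates(wordlist):
            if slow_hash(c, salt) == h:
                found[user] = c
                break
    return found

def time_attack(fn, dump):
    start = time.perf_counter()
    result = fn(dump)
    return result, time.perf_counter() - start

if __name__ == "__main__":
    for name, fn, dump in [("unsalted SHA-256", crack_fast, FAST_DUMP),
                           ("salted PBKDF2", crack_slow, SLOW_DUMP)]:
        result, seconds = time_attack(fn, dump)
        print(f"{name}: cracked in {seconds:.3f}s -> {result}")
```

Three of the four accounts fall to a few dozen guesses under either scheme: the slow hash only changes how long the same guesses take, and with a 10,000-iteration PBKDF2 the gap is already visible against the microseconds SHA-256 needs. Dave's random-word passphrase is not on the candidate list at all, so neither attack recovers it. That is the whole point of the next section.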

Choosing a strong password

The strength of a password is a function of its length, complexity, and unpredictability. The unit used to measure password strength is entropy. Password entropy is expressed in terms of bits.

A password that is already known has 0 bits of entropy. A password that would be guessed on the first attempt half the time has 1 bit of entropy, and every additional bit doubles the number of guesses needed. For this post we treat 60 to 127 bits of entropy as sufficient to guard financial information.

Choosing a strong password can be difficult. Common guidelines suggest a minimum of 12 to 14 characters, mixing upper and lowercase letters, numbers and symbols, but meeting those rules does not by itself make a password secure: plenty of weak passwords satisfy them. Dictionary words are not secure, and the common obfuscation patterns (e.g. substituting ‘1’ for ‘i’ or ‘@’ for ‘a’) add little strength, because cracking tools apply exactly those substitutions automatically.

A good alternative to the traditional way humans pick passwords is to take a phrase and combine the first letter of each word into a password. Using this method, the lyric “this one is for the boys with the booming system, top down, AC with the cooling system” generates the password “toiftbwtbstdawtcs”. A phrase of your own invention is stronger than a well-known lyric or quotation, since attackers also build candidate lists from those.

A better alternative still is to create a passphrase of six random words. Picking truly random words can be tough. One way to do it, known as Diceware, is to roll a die five times to produce a five-digit number and then look up the word with that index in a wordlist of 7776 (6 to the power 5) words.

By repeating this six times and joining the words together you can manually generate a six-word passphrase. If this sounds too laborious, there are plenty of tools that will automate it for you.
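The following added example (not code from the original post) carries out the dice procedure above in code and, for the entropy discussion in the previous section, shows how the bit counts of a random-word passphrase and a random-character password are calculated. The wordlist is a constructed stand-in of the right size, 7776 numbered entries, so the example runs offline; replace it with a real Diceware or EFF list for actual use. Note that the entropy formula only applies to choices that are genuinely random: a phrase you chose from memory does not get these numbers.

```python
import math
import secrets

DICE_SIDES = 6
ROLLS_PER_WORD = 5
# Stand-in for a real 7776-word Diceware list (constructed; numbered, not English).
WORDLIST = [f"word{i:04d}" for i in range(DICE_SIDES ** ROLLS_PER_WORD)]

def roll_die():
    # secrets, not random: the random module is not designed for secrets.
    return secrets.randbelow(DICE_SIDES) + 1

def dice_key(rolls):
    """Five rolls such as [4, 3, 2, 6, 1] become the Diceware key '43261'."""
    return "".join(str(r) for r in rolls)

def key_to_index(key):
    """Read the key as a base-6 number with digits 1..6, so '11111' is
    index 0 and '66666' is index 7775."""
    index = 0
    for ch in key:
        digit = int(ch)
        if not 1 <= digit <= DICE_SIDES:
            raise ValueError(f"not a dice roll: {ch!r}")
        index = index * DICE_SIDES + (digit - 1)
    return index

def diceware_passphrase(n_words=6, wordlist=WORDLIST):
    """Roll five dice per word, six words by default, and join the result."""
    words = []
    for _ in range(n_words):
        key = dice_key(roll_die() for _ in range(ROLLS_PER_WORD))
        words.append(wordlist[key_to_index(key)])
    return " ".join(words)

def entropy_bits(pool_size, picks):
    """Entropy of `picks` independent, uniformly random choices from a pool
    of `pool_size` equally likely options: log2(pool_size ** picks)."""
    return picks * math.log2(pool_size)

if __name__ == "__main__":
    print("passphrase:", diceware_passphrase())
    # 94 printable ASCII characters is the usual pool for generated passwords.
    for label, pool, n in [("6 Diceware words", len(WORDLIST), 6),
                           ("8 random characters", 94, 8),
                           ("12 random characters", 94, 12)]:
        print(f"{label}: {entropy_bits(pool, n):.1f} bits")
```

Six Diceware words give about 77.5 bits, comfortably above the 60-bit floor suggested above and roughly equal to 12 random printable characters, while an 8-character random password only reaches about 52 bits. The passphrase is far easier to remember than either.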

Storing and updating your password

Realistically you will not be able to memorise a password this strong for every online account. The solution is to memorise a single very secure passphrase and use it to protect a password manager such as KeePass or 1Password. The password manager will then generate and remember unique passwords for all of your other online accounts; you only need to make sure the passphrase guarding the manager itself is secure.

You can update your Beanstream password by signing into the Back End and navigating to ‘administration > account settings > user manager’ in the sidebar. You can also restrict the IPs from which a user can login to your Beanstream account by navigating to ‘administration > account settings > login restrictions’. If you have any difficulty doing either our support team will be happy to help you. Remember, Beanstream is Your Partner In PaymentsⓇ, working to keep you safe and secure.

Aengus Bates

Aengus is a developer advocate based in Victoria, BC with a background in communication and collaboration apps, and web payments. He is interested in transparent UX, lean development and open source. When not writing about himself in the third person he runs up hills, skis on the flat and rides his bike everywhere in between. Fiddle dee dee potatoes.