Are your passwords secure?
We’re frequently asked about password security, but what exactly makes a password secure? Josh Willcock explains how data breaches happen, and the super cool cryptology in use to ensure our eLearning systems are robust.
Considering how many websites you’ve signed into over the last 10 years, the average person can quickly have 130 active accounts, many of them forgotten. And it’s not just older users who have problems with creating and remembering secure passwords. In a study conducted by Digital Guardian, 18- to 24-year-olds were the most likely to reuse a password. It’s easy to assume that this is the most tech-savvy age group, but they’re also the most vulnerable to compromised passwords.
Tech can help
Last year Google released its own password manager (passwords.google.com) designed to compete with long-standing leaders like LastPass and Apple’s Keychain. In a more recent update, Google has added a Password Checkup extension to Google Chrome. This means that any time you log in to a website, Google will check to see if that password appears on a list compiled from leaked data. This functionally works the same as a plug-in I created back in 2018 (Vulnerable Password checker for Moodle) using Have I Been Pwned, a public service created by security expert Troy Hunt.
Why sharing passwords on multiple sites is bad
A secure password uses upper- and lower-case letters, numbers and symbols (especially localised keyboard ones). Additionally, a secure password is unique for each site. Similar to a physical key, if you lose it you’ll have to change the lock (password). But if you use the same key in many places and it’s compromised, you’ll need to change the password multiple times. This can be hard to keep track of. It also means your accounts are only as secure as your weakest website. For example, if you use your bank password on joebloggs.com, your bank’s high-tech security is only as strong as that of joebloggs.com. That’s why using unique passwords for every site is so important, and a password manager can help.
How data breaches happen
If Google pops up saying ‘your password for awebsite.com is no longer safe due to a data breach’ that doesn’t mean that website has been attacked. It means that password can be found on a list of data which has been leaked in the past. This doesn’t mean it’s necessarily that specific website’s fault – unless it is the only place where that specific password has been used. Rather than an organisation – be it Amazon, Facebook, your bank or Moodle – being guilty, data breaches are usually caused by a password being stored in an email, for example, or from signing up to a scam or to a poorly secured website.
A little bit of geek to show how cool our passwords are
At the Charity Learning Consortium, our passwords use certified cryptology using a complex key to hash the passwords, which are stored in an encrypted database not accessible on the public internet. This means that it’s close to impossible to work out a password we store, even if we showed you where it was. Anyone using the same password on multiple sites may still get a Google warning message though. These are not clearly worded and it can seem as if the issue originates from the website you are trying to log into. It’s great to see Google trying to protect users, though, in a way that Troy Hunt has proved to be beneficial over the past few years. It’s something we’re happy to see ourselves.
Protecting your organisation
Please encourage your staff and volunteers to use unique, complex, generated passwords – stored and automatically filled from LastPass, Google Passwords or another password manager. This will help keep you and your learners more secure and keep any warnings to a minimum. And that’s true for each and every website you use, not just our eLearning.
About Josh Willcock
Josh is the Head of Technology at the Charity Learning Consortium. With a degree in design and valuable experience at technology giants, Josh created the RoadMap feature set, fixes bugs, and regularly contributes to the Moodle Community. Josh joined the Consortium in 2014 and has used a password manager throughout his time here!