
ISO 27001 Controls: Unique Passwords

Keep your data secure by using unique passwords


The Importance of Unique Passwords

If you have many online accounts, for any purpose, you should always use a unique password for each one.


If you work for an organisation that complies with ISO 27001, it will require that you have a unique password for each online account you use for work. This is a requirement of Annex A control A.9.4.3.


Although you don’t necessarily have to set unique passwords for your personal online accounts, I would still strongly recommend it. But, why? What’s the big deal?

Data Leaks

These days, it’s not that unusual to hear of some major tech company having its users’ data leaked – email addresses, passwords, physical addresses; pretty much everything they have stored on their users.


Usually, actual passwords aren’t leaked. No competent company stores your password at all; it doesn’t know it. Instead, it stores a hash of the password – a piece of data it can use to check whether the password you type at login is correct, but which can’t simply be reversed to recover the password itself.


Unfortunately, though, not all companies are competent in how they handle your data. Some store passwords in their databases, unencrypted – and some email you your password when you sign up.


A few years back, Facebook realised that it was storing user passwords, unhashed, in its server logs. These logs were never leaked – as far as they know – but for a while, a single bad actor could have stolen this data and sold it to the highest bidder, if they had the inclination.


In any case, if one of your online accounts has its credentials leaked, do you want those credentials to be usable with all your other online accounts? Use unique passwords, and only one account is compromised in such a scenario.

Untrusted Websites

Think about this: if you reuse the same password, you’re giving the credentials of all your online accounts away to every service where you use that password. For example, if you reuse your Google password to create your Klarity account, you’re essentially giving us your Google password.


Sure – if you give us your Google password, we won’t use it. We won’t even store it; we’ll just calculate its hash, store that, and throw the actual password away. But what about all the other services, which say they do the same, but have more sinister intentions?
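The hash-and-discard scheme described above, together with the reuse scenario from the Data Leaks section, as an added example that is not part of the original post. It assumes a per-user random salt and PBKDF2-HMAC-SHA256 with an illustrative work factor; the service names, usernames and passwords are constructed.

```python
import hashlib
import hmac
import os

# Constructed example: how a service can check a password without ever storing it.
# Each user gets a random salt; only (salt, PBKDF2-HMAC-SHA256 hash) is kept.
ITERATIONS = 200_000  # illustrative work factor, an assumption of this example


def derive_hash(password: str, salt: bytes) -> bytes:
    """Slow, salted, one-way hash of the password (PBKDF2 from hashlib)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class Service:
    """One online service's user table; the password is discarded after register()."""

    def __init__(self, name: str):
        self.name = name
        self._users: dict[str, tuple[bytes, bytes]] = {}

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, derive_hash(password, salt))

    def verify(self, username: str, password: str) -> bool:
        record = self._users.get(username)
        if record is None:
            return False
        salt, stored = record
        # Re-derive with the stored salt and compare in constant time.
        return hmac.compare_digest(derive_hash(password, salt), stored)

    def dump_record(self, username: str) -> tuple[bytes, bytes]:
        """What a database leak of this (competent) service would expose for one user."""
        return self._users[username]


def reuse_exposure(leaked: dict[str, str], *services: Service) -> dict[str, list[str]]:
    """Model the post's scenario: plaintext credentials leaked by one service are
    checked against the same user's other accounts. Returns which services would
    accept them, i.e. the blast radius of reuse (empty when every password is unique)."""
    exposure: dict[str, list[str]] = {}
    for username, password in leaked.items():
        hits = [svc.name for svc in services if svc.verify(username, password)]
        if hits:
            exposure[username] = hits
    return exposure
```

Because each service salts independently, the same reused password produces different stored hashes everywhere, yet a leaked plaintext still unlocks every account where it was reused.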


Generally, you shouldn’t place absolute trust in any of the online services you use. By using unique passwords, you take some control over the security of your data out of the hands of a bunch of random online services and into your own.

Best Practices

But you probably have a hundred different online accounts – each requiring its own password! How can you possibly remember them all?


Well, you probably can’t.


Instead, we would recommend using a password manager, which will generate unique passwords for you and store them securely. You could use a cloud-hosted solution, like Bitwarden or LastPass – or, if you’d prefer, you could use an entirely offline solution, like KeePass.


Whatever you use, you’ll probably need to set up a master password for your password manager.


For this, we would recommend a sequence of random words – ideally, at least four words. Replacing some of the letters with similar-looking numbers or punctuation is never a bad idea. That gives you one password that is relatively easy to remember, but almost impossible to guess.

Conclusion

Do you want to keep your online accounts as secure as possible? Do you want to preserve your privacy? Whether we’re talking about work accounts or personal accounts, we can’t recommend highly enough that you use a unique password for each one.


Inverifi can help keep your team compliant with your policies. Sign up for a free account and see what it can do!
