Tips for secure user authentication

We are living in an era of large-scale data breaches. More and more high-profile companies are hacked; as a result, the personal data of millions of customers is leaked online.

Cybercriminals with different motivations and interests take advantage of this data in order to mount attacks at both individuals and other organizations. As passwords are still the main method to authenticate users to platforms and systems, this article aims to provide tailored recommendations for improved cyber hygiene.

Risks to passwords

 Today, passwords can be stolen in multiple ways, including:

1. Social Engineering attacks such as phishing credentials using fake pages, voice phishing (so-called Vishing), shoulder surfing (e.g. peeping behind a person who is typing their password on a laptop) and even retrieving handwritten passwords from post-it notes.
2. Stealing using specialized software or physical keyloggers. Some of these attacks require a physical presence or proximity to a laptop or a device.
3. By intercepting communications, using fake access points or by leveraging man-in-the-middle attacks (MiTM) at a network level, more prevalent in public WiFis found in hotels, cafés, airports, etc.
4. Brute-force attacks on passwords by trying all the combinations, dictionary attacks or by simply guessing the password.
5. Retrieving passwords directly from data breaches and leveraging them using password spraying techniques to other legitimate services.

1. Activate multifactor authentication functionality whenever possible for all of your accounts.
2. Do not re-use your passwords. Cybercriminals work under the assumption that many users re-use passwords, hence their high success rates for compromising accounts.
3. Use single sign-on functionality combined with multifactor authentication in order to reduce the risk of account compromise.
4. Use a password manager.
5. Generate strong and unique passwords or passphrases according to the latest guidelines available, for each individual website and service. This is where password managers come in handy.
6. Check if any your accounts appear in existing data breaches and act immediately by changing your passwords for the services identified.
7. Many websites offer password reminder functionalities. Make sure you do not rely on easily retrievable personal information to reset your password, e.g. name of your pet, your date of birth, your high school, etc.
8. Make use of VPNs or at least mobile access points when accessing e-Banking or other private services from public WiFi.
9. Be aware of your surroundings in lounges, airports, trains and cafés, and make sure there is nobody behind you trying to snoop your password. This is where screen privacy filters come in handy.
10. Do not leave your devices unattended/unlocked in public spaces such as hotels, public transport, lounges, etc.

Further Information:

For more security awareness related materials, please visit the website of the European Cyber Security Month (ECSM) awareness raising activity coordinated by ENISA.

Cyber Hygiene best practices can be found in the ENISA Report - Cyber Hygiene.

For further information related to the cybersecurity aspects of the COVID19 pandemic, consult the ENISA pages dedicated to this issue under the Topic - COVID19.

For press questions and interviews, please contact press (at) enisa.europa.eu