Know Thy Passwords: A Guide to Security
It’s easy to fall into the habit of writing down passwords. How about giving your password to a friend to log into your account? Or to your IT staff when you need help? In a world where cyber security threats are becoming ever costlier, and you have more and more accounts to manage, your password hygiene matters more than ever.
What steps can you take to help make your passwords more secure? We have some experience in this area, and would love to help!
What’s your password (or phrase) length?
In the past, the advice was to make simple changes to your password by adding numbers or special characters. For example, the word “Madison” could be used as a password for your account, with the letter “a” replaced by the @ symbol and the letter “o” by a 0. However, this password is less than 8 characters long and is based on a dictionary word. A hacker can run every combination of these characters through a computer and have your password identified in no time. The other problem with this password is that cracking it would be even simpler if someone looked at your social media and learned that this was the name of your dog or your child.
Check out High Point Networks’ recommendation on password complexity here.
“Longer passwords are generally stronger, and we recommend that people start to think in passphrases rather than passwords. Generally, a good passphrase should be around 15 characters but could be longer. That may sound intimidating and hard to remember but by easing off on the complexity and focusing on length, I think anyone can get there.
For example, “my dog's name is Frank.” In the past, I may have created a password like “Frank22!” This password may meet most complexity requirements. However, it’s only eight characters in length and can be easily cracked. A stronger passphrase might be something like “Walk frank twice a day.” This passphrase is 22 characters long and contains an uppercase character, lowercase characters, and special characters, which should still satisfy most complexity requirements. (Also, please don’t use these examples as your password!)”
Have you checked whether your passwords have been compromised?
Well-known Microsoft security MVP Troy Hunt manages the website haveibeenpwned.com. This site allows you to check whether your email or login has been part of a recent security breach. It can even check your passwords against known, compromised passwords. I recommend you subscribe to the alerts on his site, so you are notified if your account has been compromised.
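The password check works without the password ever leaving your machine: the client hashes the password with SHA-1, sends only the first five hex characters to the range endpoint, and compares the returned suffixes locally. The block below is an added example (not code from the original post or from the service itself); the network call is replaced by a constructed offline table, and the hit counts are made up.

```python
import hashlib
from typing import Callable

# Hash the password and split the uppercase hex SHA-1 into the 5-character
# prefix (the only part sent to the service) and the 35-character suffix (kept local).
def split_sha1(password: str) -> tuple[str, str]:
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

# Constructed stand-in for the range API: prefix -> "SUFFIX:COUNT" lines.
# "password" has the well-known SHA-1 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8;
# the other entry is built from the weak example in the post. Counts are made up.
def _constructed_ranges() -> dict[str, str]:
    ranges: dict[str, list[str]] = {}
    for pw, count in [("password", 3_730_471), ("Frank22!", 12)]:
        prefix, suffix = split_sha1(pw)
        ranges.setdefault(prefix, []).append(f"{suffix}:{count}")
    # An unrelated suffix in the same bucket, as a real response holds hundreds.
    ranges["5BAA6"].append("0123456789ABCDEF0123456789ABCDEF012:1")
    return {prefix: "\r\n".join(lines) for prefix, lines in ranges.items()}

SAMPLE_RANGES = _constructed_ranges()

def offline_fetch_range(prefix: str) -> str:
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>."""
    return SAMPLE_RANGES.get(prefix, "")

def parse_range(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a lookup table, skipping blank lines."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and suffix:
            counts[suffix] = int(count)
    return counts

def breach_count(password: str,
                 fetch_range: Callable[[str], str] = offline_fetch_range) -> int:
    """Return how many times the password appears in the (simulated) breach corpus.
    Only the prefix is handed to fetch_range; the suffix comparison happens here."""
    prefix, suffix = split_sha1(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)

if __name__ == "__main__":
    for pw in ["password", "Frank22!", "Walk frank twice a day."]:
        n = breach_count(pw)
        print(f"{pw!r}: {f'seen {n} times, change it' if n else 'not in sample corpus'}")
```

Swapping `offline_fetch_range` for an HTTP GET against the real endpoint turns this into a live check while still sending only the five-character prefix.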
Password reuse.
Using the same password for multiple accounts makes it much easier for a hacker to dive into your other accounts in the event your credentials are stolen. This is why it is recommended you create unique passwords for all your systems.
Do not share passwords.
Sharing passwords is never a good idea. It increases the risk that unintended users access your system, and it eliminates your ability to audit who accessed it. If you are also reusing passwords, the person you shared the password with might have access to more than you intended.
Get a password manager.
How do you keep track of all these unique and different passwords? Password managers store all of your unique passwords in a secure place. Check out PassPack or LastPass. These tools have free and paid versions to help you manage your credentials securely. Some password managers have applications that integrate into your web browser for ease of use. In some cases, password managers will generate strong passwords for you or let you know when a password has been seen in a password breach.
What is this MFA stuff?
Now, let’s introduce the latest buzzword in password security: MFA, or Multi-Factor Authentication, also known as Two-Factor Authentication. This is authentication by means of at least two items: something you are (biometric), something you have (a pin or token), or something you know (a password). Adding MFA to your accounts adds a valuable extra layer of protection. Yes, it is an extra step to access your accounts (you might have to wait for a text message or enter extra information), but in the long run it saves time: protecting your accounts today beats responding to an incident after being hacked.
At Foundant, we take security seriously. We have provided training for all of our employees on password security and safety. We hope that all of our clients will take the security of their Foundant account passwords seriously as well, both in their professional and personal lives.