Password overload is real, and because of it we may have inadvertently turned a very important aspect of cybersecurity hygiene into a security liability. How? Weak passwords make answering the "prove it" part of authentication too easy for criminals, while overly complex passwords make you more likely to store them insecurely or reuse the same one everywhere.
What’s at stake?
A weak password may seem like a minor issue when it comes to accounts that contain little or no sensitive, personal information, but if you’re reusing the same weak password across multiple accounts (a very common poor security practice), cracking one of those less-important accounts opens the gates to your entire digital life. At home that could be your bank accounts, online retailers, personal emails, or social media accounts.
At work that compromised password gives attackers access to anything you have access to: SharePoint, OneDrive, your Inbox, your contacts, and even the entire company directory. This is invaluable information to the bad guys, mainly for social engineering purposes, because they usually have to guess that information. They can use that data – names, titles, phone numbers, vendor lists, project names, etc. – to target specific employees and attempt fraud against them by using familiar terms as a means to disarm them.
The way it should be done
Bad password habits are behavior patterns that can be fixed with a few adjustments.
Follow the company password policy. Our policy does not adhere to the most stringent industry recommendations, but the password processes we have in place are there for the benefit of everyone in the organization. The policy sets guidelines for both user and administrative account password structure, aging, and storage.
Don’t reuse passwords. Most people realize it’s a bad idea to use the same password across multiple accounts, yet some continue to do it anyway, mostly because it is the easy choice and we tend to take the path of least resistance. That choice, however, can start a chain reaction that ends with the victim’s entire online life compromised.
Use passphrases. We have to simplify the password creation process. Too much complexity fosters frustration, which in turn promotes laziness and tempts poor security behavior. Passphrases are the way to go, whether that is a song lyric, a poem stanza, or a quote. Here is a method you can try:
WELCOME TO THE HOTEL CALIFORNIA SUCH A LOVELY PLACE
- Choose the first character of each word: WTTHCSALP
- Using the organization standard as a guide, add the required complexity (here TO becomes 2, SUCH becomes $, and LOVELY becomes !):
- W2thc$a!p (9 characters, 1 numeral, 2 symbols, mixed case - satisfies all requirements)
- Or be more creative; the key is to make it easy to remember but hard to guess. Popular lyrics and quotes are also among the first things attackers feed into their guessing tools, so favor a phrase that means something only to you.
Avoid commonly used passwords. Attackers have tools that can quickly guess poor or weak passwords, and the same tools check every candidate against a vast and growing list of passwords already cracked in past breaches. The following passwords, or any variations of them, are just a few that should be avoided at all costs.
Screen new passwords for weaknesses. Some candidate passwords should be rejected right away: if they can be found in a dictionary (including foreign languages, slang, and jargon); if they contain personal information such as birth dates, addresses, or the names of family members, pets, or local sports teams; or if they contain work-related information such as building names, site names, or the company name. A good way to find out whether a password you want to use is sufficiently strong is to visit either of the following sites. Test a password of the same construction rather than the exact one you intend to use, since a live password should never be handed to a third-party site:
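The passphrase method above and the two screening rules (avoid common passwords and their variations; reject dictionary words and personal or work-related information) can be turned into a small pre-submission check. The following is an added example written for this page, not a tool the organization provides. The word lists, the personal and work terms, and the minimum length of 9 (taken from the Hotel California example) are constructed for the illustration; a real check would load a large breached-password list and a multi-language dictionary. The point it shows that the text does not is how "variations thereof" are caught: the candidate is reduced to the base word an attacker's mangling rules would also reach before it is compared.

```python
import re
import unicodedata

# Common leet-speak substitutions, reversed, so "P@ssw0rd" is compared as "password".
LEET_REVERSE = str.maketrans(
    {"@": "a", "4": "a", "3": "e", "1": "l", "!": "i", "0": "o", "$": "s", "5": "s", "7": "t"}
)

# Constructed sample lists for this example only; a deployment would load real
# breach lists and dictionaries (including foreign languages, slang and jargon).
COMMON_PASSWORDS = {"password", "welcome", "qwerty", "letmein", "summer", "iloveyou"}
DICTIONARY_WORDS = {"sunshine", "dragon", "football", "schnell", "yolo"}


def passphrase_to_password(phrase: str, substitutions: dict) -> str:
    """The page's method: first character of each word, first initial kept upper-case
    and the rest lowered, then {word_index: replacement} swaps add the digits/symbols."""
    initials = [word[0] for word in phrase.split()]
    chars = [initials[0].upper()] + [c.lower() for c in initials[1:]]
    for index, replacement in substitutions.items():
        chars[index] = replacement
    return "".join(chars)


def meets_complexity(password: str, min_length: int = 9) -> bool:
    """Mixed case, at least one digit, at least one symbol, and the minimum length."""
    return (
        len(password) >= min_length
        and any(c.islower() for c in password)
        and any(c.isupper() for c in password)
        and any(c.isdigit() for c in password)
        and any(not c.isalnum() for c in password)
    )


def normalize(candidate: str) -> str:
    """Reduce a candidate to the base word cracking rules would also produce:
    lower-case it, strip leading/trailing digits and symbols, undo leet-speak."""
    s = unicodedata.normalize("NFKC", candidate).lower()
    s = re.sub(r"^[^a-z]+|[^a-z]+$", "", s)  # "password123!" -> "password"
    return s.translate(LEET_REVERSE)


def screen_password(candidate: str, personal_terms=(), work_terms=(), min_length: int = 9) -> list:
    """Return the reasons a candidate should be rejected (an empty list means it passes).
    personal_terms/work_terms hold the user's own data: names, birth years, pets,
    building or site names, the company name."""
    reasons = []
    if not meets_complexity(candidate, min_length):
        reasons.append(f"fails complexity rules (mixed case, digit, symbol, {min_length}+ chars)")
    base = normalize(candidate)
    if base in COMMON_PASSWORDS:
        reasons.append(f"variation of common password '{base}'")
    elif base in DICTIONARY_WORDS:
        reasons.append(f"dictionary word '{base}'")
    haystack = candidate.lower()
    for term in personal_terms:
        if term.lower() in haystack:
            reasons.append(f"contains personal information '{term}'")
    for term in work_terms:
        if term.lower() in haystack:
            reasons.append(f"contains work-related term '{term}'")
    return reasons


if __name__ == "__main__":
    pw = passphrase_to_password(
        "WELCOME TO THE HOTEL CALIFORNIA SUCH A LOVELY PLACE", {1: "2", 5: "$", 7: "!"}
    )
    print(pw, screen_password(pw))
    # Constructed candidates a user might try, with constructed personal/work terms.
    for candidate in ["P@ssw0rd123!", "Welcome2024!", "Fluffy1999!", "Contoso-Bldg7!"]:
        print(candidate, screen_password(candidate, personal_terms=("Fluffy", "1999"),
                                         work_terms=("Contoso",)))
```

Run it and the Hotel California password passes while "P@ssw0rd123!" is rejected as a variation of "password" even though it satisfies every complexity rule, which is exactly why complexity alone is not a sufficient test.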
Use a password management solution. You have a lot of passwords to remember, so how can you possibly recall them all? The wrong way is to write them down and keep them anywhere near your desk, or to save them in plain-text documents on your computer. The best option is a password manager: you won't need to remember a unique, long, complex password for every online account. Instead, the password manager remembers each password for you, strengthening your security and minimizing your risk. The only password you'll need to remember is the single "master" password to the password manager itself. Some good options are LastPass, Keeper, 1Password, KeePass, and Dashlane. This article gives a thorough overview: https://www.consumerreports.org/digital-security/everything-you-need-to-know-about-password-managers/
Use multi-factor authentication if possible. Essentially, multi-factor authentication requires two or more distinct kinds of evidence to verify a user’s identity, typically some combination of the following:
- Something you know (e.g., your password or a PIN)
- Something you have (e.g., your ATM card, mobile phone, or an access token/badge)
- Something you are (typically verified with biometrics, such as iris scans, fingerprints, or facial recognition)
While it may be easy for an attacker to crack or phish your password, replicating your fingerprint or getting hold of your physical device is a much harder feat. Some consider multi-factor authentication time-consuming, frustrating, and just another unnecessary productivity killer. The security benefit, however, is substantial: a stolen password alone no longer gets the attacker in.
The final word
Creating a completely uncrackable password is impossible, but following these tips and suggestions will make yours harder to crack than the average person's. Sometimes that's all you need.