Protecting Your Passwords
What makes a strong password? How often should you change your password? Think Concepts’ senior consultant, Dale McCullough answers these questions and more.
As everyday users of technology, most people intuitively know what things not to do but still do them anyway. Since the pandemic, everyone has been stretched to capacity – and beyond – so much so, that password security hasn’t been given the attention it deserves. Choosing passwords that lack complexity, using the same email and password combination across multiple accounts, sharing passwords, and writing down passwords, either on paper or in unprotected documents, are the most common mistakes people make.
On the systems side, issues that can compound the problem include inadequate user restrictions on data access, improperly configured network settings, and employee devices used on unsecured networks.
The Dangers of Password Complacency
Aside from writing passwords down and sharing them, whether deliberately or by accident, as in a phishing attack, the biggest threat to data security is reusing the same password across multiple sites. Rather than choosing a different, difficult-to-guess password every time, people simply reuse the same one. Why? With the growing list of online tools people use, they simply have too many to remember.
When people have too many passwords, recycling passwords is the most obvious and therefore popular strategy. When the system won’t allow them to do that, users may settle for a sequence: password01, password02, and so on. Another problem: Because they’re top of mind from daily use, people often use their work passwords for personal applications like online shopping and social media.
Attackers know all of this. When a less secure site is breached, the leaked email and password pairs are replayed against other services, including your company’s (a technique known as credential stuffing); if a reused password works, the attacker can steal your data, deploy malware to hold it for ransom, or sell the access on the dark web. They can also run bots that flood your site, rendering it unusable, or brute-force logins with a “dictionary attack” that tries every word in a wordlist, including the common substitutions users rely on, such as “@” for “a” or “0” for the letter “o”.
What makes a good password?
Password best practices are constantly changing, so while you may know what not to do, the other side of the coin is less clear. The Think Concepts team is always reviewing changing recommendations, but senior consultant Dale McCullough says that a password of at least 16 characters is currently the recommended minimum. While that may sound like a lot, Dale says choosing a passphrase made up of four random words, for example “reach base air roar” (16 characters with the spaces removed), will make it easy to remember. Add upper and lowercase letters and special characters as desired or required, bearing in mind that cyber criminals know about “l33t speak” and try those substitutions automatically. The strength comes from the words being chosen at random, so do not choose a phrase with syntactical meaning, such as “im a great listener”: a sentence is far easier to guess than four unrelated words of the same length.
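The four-random-words recommendation above depends on the words really being random, so here is an added example (not Think Concepts’ code) that picks the words with a cryptographically secure generator and shows how much the strength depends on the size of the wordlist rather than on the character count. The 16-word list is constructed for illustration; in practice use a published diceware list such as the EFF long list (7,776 words), which the entropy calculation below takes as a parameter.

```python
import math
import secrets

# Constructed wordlist for illustration only; a real generator draws from a
# published diceware list of several thousand words.
WORDS = ["reach", "base", "air", "roar", "lamp", "river", "cobalt", "quartz",
         "meadow", "pixel", "anvil", "velvet", "saddle", "orbit", "fable", "glacier"]


def passphrase(wordlist=WORDS, n_words: int = 4, separator: str = "") -> str:
    """Join n_words picked uniformly at random with a CSPRNG.

    secrets.choice is used on purpose: random.choice is seeded predictably and
    must never be used for passwords or keys."""
    return separator.join(secrets.choice(wordlist) for _ in range(n_words))


def entropy_bits(list_size: int, n_words: int = 4) -> float:
    """Entropy of a random passphrase when the attacker knows the wordlist.

    Each word contributes log2(list_size) bits, regardless of its length."""
    return n_words * math.log2(list_size)


def expected_seconds_to_crack(bits: float, guesses_per_second: float) -> float:
    """On average an attacker finds the passphrase after half the keyspace."""
    return (2 ** bits) / 2 / guesses_per_second


if __name__ == "__main__":
    print("passphrase:", passphrase(separator=" "))
    for size in (len(WORDS), 7776):
        bits = entropy_bits(size)
        # 1e10 guesses/s is an assumed rate for a fast offline attack on a weak hash.
        years = expected_seconds_to_crack(bits, 1e10) / (365 * 24 * 3600)
        print(f"{size:5d}-word list: {bits:5.1f} bits, ~{years:.2e} years at 1e10 guesses/s")
```

Four words from the 16-word toy list give only 16 bits (an attacker who knows the list needs at most 65,536 guesses), while four words from a 7,776-word list give about 51.7 bits. The character count of “reach base air roar” is the same in both cases, which is why the guidance is four random words, not merely sixteen characters.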
How often should I change my password?
Requiring users to change passwords often isn’t actually very effective because it demands too much of the user, both in terms of admin and memory. As mentioned earlier, in that situation people tend to repeat passwords, choose simple passwords, and/or fall into sequences to aid their recall. If passwords are tough to remember or change too often, users will resort to writing them down, which, if the note is left where others can find it, can pose a greater security risk than a weak password.
Instead, have users settle on one good, strong passphrase and recommend that they change it once a year, unless you have reason to believe the credentials have been compromised, in which case change it immediately. And don’t forget about usernames. These are generally visible, so using the same username everywhere is like a brand name that allows criminals to make assumptions and put the pieces together. Educate your team on best practices and have a clearly articulated security policy that all users have read and agreed to follow.
Be sure to balance user needs with security needs.
Traditional approaches to managing passwords have focused almost entirely on the needs of IT security and the people who manage it. By investing in user-friendly solutions like password manager programs, you can simplify password management, reduce your risk of financially and reputationally damaging cyberattacks, and minimise business interruption and unnecessary costs.
How Think Concepts Can Help
We start by performing an audit where we evaluate what software and password security options you already have in place. Most cloud software now features multi-factor authentication (MFA), the recommended standard. Sometimes MFA is not switched on by default, so we check your current setup and network security settings. We can also review who needs access to critical data and update permissions as needed. Similarly, infrastructure can be segmented to limit access, so that malware on one user’s device cannot spread freely across the network.
We also recommend installing password manager software. Our current top picks are 1Password for enterprise businesses and LastPass for small to medium business and personal use. Both can generate and store passwords and automatically populate them for you, and both help prevent phishing because they only fill a saved password on the website address it was saved for: a malicious site masquerading as a reputable vendor on a lookalike address gets nothing, no matter how convincing it looks. We can also install and monitor Dark Web ID, which will show if any of your credentials have appeared in known breaches, give you an indication of the passwords you need to change, and alert you of future breaches.
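To make the phishing-resistance point concrete, here is an added example (not the code of 1Password, LastPass or Think Concepts) of the matching rule a password manager applies before auto-filling: the saved entry is tied to the host name it was created on, and a lookalike host gets no credentials. The vault contents and entry format are assumed for illustration; real managers use a richer matching policy (registrable domain, per-entry settings), but the principle is the same.

```python
from urllib.parse import urlsplit

# Constructed vault: one saved login, keyed by the URL it was saved on.
# The dictionary shape is an assumption for this example.
VAULT = {
    "https://login.example.com/": {"username": "dale", "password": "reachbaseairroar"},
}


def host_matches(saved_url: str, page_url: str) -> bool:
    """Fill only over HTTPS and only when the host name is identical.

    The comparison is on the parsed host, never on what the page looks like,
    so 'examp1e.com' or 'example.com.evil.net' are simply different hosts."""
    saved, page = urlsplit(saved_url), urlsplit(page_url)
    return page.scheme == "https" and page.hostname == saved.hostname


def credentials_for(page_url: str, vault=VAULT):
    """Return the saved credential for this page, or None (no fill, no prompt)."""
    for saved_url, credential in vault.items():
        if host_matches(saved_url, page_url):
            return credential
    return None


if __name__ == "__main__":
    for url in ["https://login.example.com/session/new",
                "https://login.examp1e.com/",
                "https://login.example.com.evil.net/",
                "http://login.example.com/"]:
        print(f"{url:45s} -> {'FILL' if credentials_for(url) else 'no match'}")
```

The last case matters too: refusing to fill over plain HTTP stops a downgrade attack from capturing the password in transit, and a user who never types the password manually has nothing to give a fake login page.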
If you’re still concerned about security, our offerings include cyber security staff training and phishing simulations*, where we stage malicious email content and report back with the results. We can identify which members of your team may need further training if they clicked on anything suspicious.
Key Takeaways
While technology is a useful tool, it shouldn’t be a replacement for common sense. Remind users to always be aware of where they are on the Internet and report any unexpected communications asking them to log in, disclose personal information, or provide answers to secret questions.
Finally, make the password experience as user-friendly as possible. Subjecting staff to arduous password requirements is practically begging them to violate your policies. The more reasonable your password procedures, the more likely users are to understand their intent and comply.
Protect your passwords and your data. Contact Think Concepts.
* available with an existing Dark Web ID subscription.