I want to share some information that comes from both personal and professional experience on a topic we hear a lot about but don't seem to place enough value on: passwords.
We live in a digital world that requires endless passwords. Everything from our email, computers, banking, apps, phones and smart homes requires a password. Yet despite continued warnings from security experts and repeated breaches of large companies and services we may use every day, Internet users often brush off the seriousness of password security.
Each year businesses collectively spend enormous sums on cybersecurity and still get breached at an alarming rate. Take the Dropbox breach, which exposed the credentials (email addresses and hashed passwords) of roughly 68 million accounts. Or the more recent Collection #1 dump, an aggregate of many separate breaches containing over 772 million unique email addresses and more than 21 million unique passwords. So what's it to you if Dropbox or another service gets hacked? More than you may realize.
When your password is leaked or can be easily guessed (looking at you, “123456” and “password”), you open yourself, and potentially your business, up to a long list of both annoying and critical security problems.
A stolen password becomes a recurring issue, especially if, like most people, you use the same or similar passwords across multiple sites, such as your bank, Gmail and social media accounts. Attackers take leaked username/password pairs and replay them automatically against hundreds of other services (this is called credential stuffing), so one breach at a site you barely remember signing up for can unlock accounts that matter. Once a password has been leaked you should never use it again, anywhere, no matter how easy it is for you to remember. Now add on the stress of having your bank accounts, email and identity compromised.
This isn't a new issue, and we get it: remembering passwords for sometimes hundreds of different sites and services is tough. Never mind making them secure enough not to be guessed. We've all done it, though; you have a password and in 90 days, when you're asked to reset it for security, you just change the number at the end. In one of my previous jobs before starting my business, I was up to '52' at the end of my password the week I gave my notice. Not exactly secure and definitely not good enough for today's online security.
There are some important "best practices" for password security that we follow in the IT industry. If you haven't heard of these yet, you should look at making the change personally, or ask your company's IT department when they are going to implement them.
You shouldn't be restricted to "6 to 12 characters" for a password. There should always be a minimum (NIST's floor is 8; we think 16 is a better target), but no low maximum: a service should accept at least 64 characters so that long passphrases and generated passwords are never cut off. Our password management service, for example, recommends passwords be at least 24 characters long.
You shouldn't be forced to reset your password every X days. This only encourages poor password practices, like the small change of a number on the end. Passwords should be changed when there is evidence of compromise, not on a calendar.
You shouldn't be forced into arbitrary composition rules ("one uppercase, one number, one symbol"), because they produce predictable results like "Password1!" that cracking tools try first. Instead, a service should screen each new password against a blocklist: passwords seen in previous breaches, the most commonly chosen passwords, single dictionary words (with or without a digit stapled on), context-specific words such as your username or the service's name, and repetitive or sequential patterns like 12345, abcd and qwerty. A single word plus a number is cracked in seconds; a long passphrase of several unrelated words, or a randomly generated string, is not.
These "best practices" come directly from NIST (National Institute of Standards and Technology) Special Publication 800-63B, "Digital Identity Guidelines: Authentication and Lifecycle Management", published in June 2017.
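To make the screening rule concrete, here is an added example (not code from this page, from NIST, or from any password manager vendor) of a password check written the way SP 800-63B section 5.1.1.2 describes: a minimum length with no low maximum, a blocklist lookup, and pattern checks, with no composition rules at all. The blocklist and dictionary are tiny constructed stand-ins; a real deployment would use a breached-password corpus such as a Have I Been Pwned download. The `context` object (username and service name) is an assumed input so the check can reject context-specific words.

```javascript
// Added example: NIST SP 800-63B-style password screen (not vendor code).
// BLOCKLIST and DICTIONARY are constructed stand-ins for a real breach corpus.
const MIN_LENGTH = 16; // the page's recommendation; NIST's own floor is 8
const RUN_LENGTH = 4;  // how many in-order characters count as a sequential run

const BLOCKLIST = new Set([
  '123456', 'password', 'qwerty', '12345678', 'iloveyou', 'letmein', 'welcome1',
]);
const DICTIONARY = new Set([
  'password', 'welcome', 'dragon', 'monkey', 'sunshine', 'princess', 'football', 'fluffykitty',
]);
// Alphabet, digits and keyboard rows; a run along any of them forwards or backwards is rejected.
const TRACKS = ['abcdefghijklmnopqrstuvwxyz', '0123456789', 'qwertyuiop', 'asdfghjkl', 'zxcvbnm'];

// True when any RUN_LENGTH-character window of the password follows a track
// in either direction, e.g. "1234", "abcd", "qwer", "dcba".
function hasSequentialRun(password) {
  const s = password.toLowerCase();
  for (const track of TRACKS) {
    const reversed = [...track].reverse().join('');
    for (let i = 0; i + RUN_LENGTH <= s.length; i++) {
      const window = s.slice(i, i + RUN_LENGTH);
      if (track.includes(window) || reversed.includes(window)) return true;
    }
  }
  return false;
}

// Returns { ok, reasons }. There is deliberately no "must contain a symbol" rule:
// the checks are length, blocklist, dictionary word, repetition, sequences and context words.
function screenPassword(password, context = {}) {
  const reasons = [];
  const lower = password.toLowerCase();

  if (password.length < MIN_LENGTH) reasons.push(`shorter than ${MIN_LENGTH} characters`);
  if (BLOCKLIST.has(lower)) reasons.push('appears in the breached/common password list');

  // Strip digits and symbols so "Password!23" is still recognised as the word "password".
  const core = lower.replace(/[^a-z]/g, '');
  if (DICTIONARY.has(core)) reasons.push('is a single dictionary word with digits or symbols added');

  if (/(.)\1{3,}/.test(lower)) reasons.push('repeats one character four or more times');
  if (hasSequentialRun(password)) reasons.push('contains a sequential or keyboard-row run');

  // Context-specific words: the username and the name of the service being protected.
  for (const word of [context.username, context.service].filter(Boolean)) {
    if (word.length >= 3 && lower.includes(word.toLowerCase())) reasons.push(`contains "${word}"`);
  }
  return { ok: reasons.length === 0, reasons };
}
```

Call `screenPassword('correct horse battery staple', { username: 'jdoe', service: 'dropbox' })` and it passes; `screenPassword('fluffykitty123', ...)` fails on length and on being a decorated dictionary word. The interesting property is that a 28-character passphrase of plain lowercase words is accepted while "Qwertyuiop1!" would be rejected, which is the opposite of what a composition-rule policy does.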
“But if I make my passwords super difficult and random [aka secure], I’ll never be able to remember them!” - every modern human everywhere.
Hear us out, there are a couple of reasons why you shouldn’t be able to easily remember your passwords…
You are your own weakest link. If you use a pattern for your passwords to make them easier to remember (a word, then a capital letter, then a year and a symbol), a cracking tool does the same thing in reverse: it takes a wordlist and applies rules such as "capitalise the first letter", "append two digits" and "swap a for @", testing billions of candidates per second against a weakly hashed database. A pattern you can hold in your head is one a machine enumerates in minutes.
If your password is similar to the one you used with Dropbox, Adobe or LinkedIn when they got hacked, you might as well make your password your cat's name plus "123", because that's how secure it is now anyway: the leaked copy and its obvious variants are already in the wordlists.
Ok, we get it. What should we do next?
This is easy to answer: Use a password manager. This is as necessary as having car insurance or a lock on your doors. Some services only cost you $1 a month for simple personal use, while others cost considerably more depending on the type of service tools you want and need.
A password management service gives users the tools to generate ultra-secure passwords, a personal vault to store them all, and the ability to easily access and use them as needed.
Here are some things you want to consider when looking at a password management service:
1. Be knowledgeable of how secure the service itself is
Does the security service have access to your passwords? Can they help you in setting up the service? If so, can they see your passwords?
How is your password information stored? Where is it stored?
You want to make sure that no one but you can decrypt your password data, which means asking where the encryption happens (on your device, before anything is uploaded, or on the provider's servers) and what the provider would be able to read if its own systems were breached.
The best cloud-based password managers use a "zero-knowledge" design: your master password never leaves your device. Instead, the device runs it through a deliberately slow key-derivation function (PBKDF2 or Argon2) to produce an encryption key, and that key encrypts your vault locally. The provider only ever stores the encrypted vault and a separate login verifier that cannot be turned back into the key, so the company has "zero knowledge" of your master password and of the passwords inside the vault. If it can reset your master password for you, it is not zero-knowledge.
2. Understand Two-Factor Authentication (2FA)
Your passwords cannot all be sitting behind ONE master password, even with a password manager. You MUST have two-factor authentication enabled on the manager itself (and choose a manager that offers it), so that a stolen or phished master password alone is not enough to log in from a new device.
If you don’t know what Two-Factor Authentication or 2FA is, I highly recommend you watch this 2-minute video from one of our partners: Duo. You may not even realize you already use 2FA with other services.
3. Can I easily integrate this service into my digital life?
You have the password manager, you’ve made the super long and secure generated password, but now entering @2a&AY8mePu8HU@H on your smartphone’s tiny keyboard is a huge pain. Now what?
It’s important to find a password manager that offers tools, like secure smartphone apps, to make using the service easier and thus making you more likely to leave “123456” in the past where it belongs.
Almost all top password managers can sync across all of your devices, and some let you unlock the app on iOS or Android with your fingerprint or face rather than typing the master password. Be clear about what that is: biometric unlock is a convenience that stands in for typing the master password on a device that already holds the vault; it is not a second factor. Real two-factor options for the account itself are an authenticator app (Google Authenticator or similar), a hardware security key, or, as a last resort, SMS codes. Prefer an app or a hardware key; SMS can be intercepted by a SIM-swap attack.
4. Have a backup plan for your Master Password
Part of the zero-knowledge design, and what makes password managers so secure, is that the Master Password you create for your vault is the secret from which the vault's encryption key is derived, and the provider never has it. This password will need to be unique and secure and YOU CANNOT LOSE IT: there is no "forgot my password" link, because a provider that could reset it could also read your vault. You have heard the phrase "never put all your eggs in one basket". Well, you don't want your password system locking you out while being the ONLY way for you to get the passwords to everything. Check whether your manager offers a recovery mechanism (a printed recovery kit, or a trusted contact who can be granted emergency access after a waiting period) and set it up on day one.
We recommend (follow me for a second here) that you write down your Master Password (gasp!) and place it where you keep your Will or your mortgage papers, which should be a fireproof safe in your house. That way, if something were to happen to you or you forgot the super secure password you made for your account, you have the means to retrieve it, because no one else will.
5. The Password Manager is only as secure as you
The password manager won't rotate your existing passwords for you; you have to do that yourself. As you log in to each website with your old password "fluffykitty123", use your new password manager to reset it and replace it with what we call "the goop": the long random string the manager generates for you. Start with the accounts that matter most (email first, since it resets everything else, then banking and any account reusing a password that has appeared in a breach).
Also, as you move passwords into the manager, remove them from everywhere else: browser password stores in Google Chrome, Firefox and Safari, that Excel file on your desktop labelled "not passwords", or that note on your iPhone you have been keeping for years and have transferred from your old phone to your new phone every time... yes, we're looking at you.