Password management is your first line of defense in protecting your online resources. Bad actors often gain access to information and systems by compromising a user’s credentials. In many cases passwords are inadvertently provided to the bad actors by sophisticated social engineer ploys. These come in the form of malicious emails, texts and compromised websites. Securing online resources with only a username and password is no long adequate protection. It is important include Multi-factor Authentication (MFA) to the process. (See our blog on MFA).
In recognition that no single security safeguard is foolproof, IT security best practices are multilayered. In addition to good password management and Multi-factor Authentication (MFA), safeguards should include the following:
- Email filtering service – This service scans inbound email to block known and suspected malware and unwanted SPAM. ProofPoint is an example of such a service (https://www.proofpoint.com/us/products/email-security-and-protection)
- Anti-malware software – This is a software product that is installed on all workstations and servers to scan for and block malware. VMware Carbon Black is an example of such a product (https://www.vmware.com/products/carbon-black-cloud-endpoint.html)
- End user education – Make users aware of safe computing practices via onboarding and continuing education. Products such as KnowBe4 can provide education, periodically test user’s reactions to malware, and report back on what additional training will be helpful (https://www.knowbe4.com/)
Now back to the main point of this blog.
Whether you are managing passwords as an individual or for an organization, many of the best practices are the same. Our clients have an “IT Usage Policy” that all employees read and sign as part of their onboarding. This ensures that password management best practices are clearly communicated. Certain aspects of a password policy can be enforced, such as password length, whereas others, such as having a unique password for access to business resources is a matter of compliance.
The notion of requiring users to regularly change their passwords has come under debate lately. It was considered part of standard security protocol to require regular password changes. However, in practice, most users find this onerous and simply add a number to the end of their password and increment it with each password change. Or worse than that, they will write down their password and leave it on their monitor or under their keyboard.
With that said, good password management is an important first line of defense. There is often a tradeoff between ease of use and security. So any proposed additional security scheme must be easy to use, or it will be circumvented. For example, the same password, or slight variations are be used on multiple sites and resources. With this scheme, if one site or resource is compromised so are the additional sites and resources.
Password management applications provide an easy to use and convenient way to store and retrieve passwords. Password managers can provide browser plugins that will automatically enter your credentials when accessing a site. This allows users to create unique and complex passwords for each site. However, password managers are no panacea, as they are prime targets for hackers.
Popular password manages include LastPass and 1Password. 1Password is the password manager recommended by the New York Times Wirecutter site (https://www.nytimes.com/wirecutter/reviews/best-password-managers/). However, there are many options and the pros and cons should be considered carefully before entrusting a password manager with your online credentials.
Most password managers will give you the option of creating unique complex passwords for you. This can be helpful, but can be difficult if you need to enter the password manually. If you prefer to create your own passwords here are some helpful ideas for creating passwords that are easy for you to remember but difficult to hack via brute force.
The first rule of thumb is to never use a word that can be found in a dictionary. Many people are tempted to take a common word and substitute characters. For example “MyPassword” becomes “MyP@$$w0rd”. The problem is these substitutions have become so common as to make them easy to crack. Many systems will have rules for the passwords that are allowed. These include the length of the password and the use of numbers or non-alphanumeric characters. Here are some other methods for creating strong passwords:
- When creating passwords always include UPPER and lower case letters, numbers and non-alphanumeric characters, such as !@#$&. Try to avoid having the first character be the UPPER case letter.
- Don’t incorporate your birthday or your name/user ID.
- Use a phrase as the basis of your password. So that “Four score and seven years ” Becomes “4$core&7Years@go”.
- Use a phrase and take the first letter of each word. So that “My three kids are John, Sara and Sadie” becomes “m3kaJS&S”
- Use an entire sentence for your password. So, “complexity matters to me” becomes “complexity Matters 2 me.” Including all of the spaces and period at the end.
Once you are in the habit if using a password manager you may find that you no longer need to manually enter your credentials. As a result, you’ll find it easier to use longer, unique and more complex passwords.
If you are managing security for a business, many password managers allow for individual accounts to be managed centrally. Providing or requiring your end users to use password managers not only ensures best practices, but also can allow you to recover passwords should someone leave.
A number of our clients need to pass industry or client security audits or implement certain practices to qualify for Cyber Liability Insurance. Regardless of the reason, implementing good password management policies and practices is cheap insurance against data breaches. And for the same reasons, practices required by businesses are good practices for individuals.