Directive Blogs
The Definitive Guide on Password Best Practices
Protecting your online accounts, your data, and your customers’ information is now more important than ever. Industry and state-mandated compliances are now forcing businesses to tighten their cybersecurity, and it’s critical that every human being on the Internet take their own personal security seriously. This guide is designed to provide the best practices for strong passwords.
Why Do Good Password Habits Matter?
You might think, “Eh, it’s just my Facebook (or Netflix, or Google, or Amazon) account, what do I really have to lose?”
As it turns out, there is a lot to lose, and it could affect your employer as well.
Poor password habits are one of the leading causes of cybersecurity issues today. People are using the same passwords across multiple accounts, and often use passwords that can easily be guessed or brute-forced (a process where a hacker tries thousands of common passwords and combinations to gain access to an account). Using the same password across multiple sites is a huge problem, and responsible for many recent high-profile cyberattacks, such as the Disney+ attack we saw last November.
If someone uses the same password on their Netflix account for their work email (or some other work account) then they are putting their company’s security in the hands of Netflix. If Netflix is involved in a data breach, that user’s business is compromised as well.
There are No Shortcuts
Unfortunately, there is no easy, secure way to check to see if a particular person’s password is unique. There is no network policy that will somehow know if the user is using the same password for their Hulu account or their personal email or their eBay account.
We can force strong passwords all day long, but users will make it easier for themselves by using common shortcuts that will make it easier to remember passwords. That includes using common password terms, and putting an exclamation mark at the end to satisfy the “use a symbol” requirement. If many people do it, it doesn’t help security. Remember, the hackers can see password trends when big data breaches happen.
Password Rules Every Person NEEDS to Live By
Rule #1 - Don’t Use the Same Password Twice
Today, this is the most important rule. You might feel like a savant with a very complex password memorized, but if you use it across multiple platforms, you are putting yourself at risk. Data breaches happen all the time, and as soon as a company like Netflix, Yahoo, Microsoft, Google, or literally any other online entity gets breached, hackers start to try all those accounts everywhere else. They might be trying your password on other services before you learn about the data breach.
Rule #2 - Use Strong Passwords That Can’t Be Guessed
If I know you reasonably well, would I be able to guess your password? If you are using your dog’s name and your birthday as a password (daisy032271) to lock down your bank account, you aren’t doing much to keep anyone out. On top of that, common phrases and words are often guessed pretty quickly when a hacker uses their tools to try to force their way into an account.
Most sites require numbers in their passwords. Maybe your favorite baseball player is Mookie Betts, so you use his jersey number as a go-to for your passwords, or you use the number 42 because you are a big fan of The Hitchhiker’s Guide to the Galaxy. If someone knows you well enough, would they be able to guess that? All you are doing is leaving tiny chinks in your armor.
Rule #3 - Use 2-Factor/Multi-Factor Authentication
2FA (also known as Multi-Factor, MFA, 2-step verification, and a slew of similar names) is when you need one more method to prove you are actually you when logging into a site. Typically, this involves having a text message sent to your phone, a code sent to your email, or a code generated from an Authentication app on your phone that you key in after you have used the correct password.
This means nobody can get into your account unless they have access to your phone or email. Obviously there are still ways around this - a hacker could intercept your text messages or gain access to your email, but this is a lot more difficult than simply guessing a password (provided that your passwords are unique).
Setting up 2FA on your email accounts, social media profiles, bank accounts, and anywhere you possibly can will improve your overall online security by a lot. Not all accounts and services offer 2FA yet, but those who take security seriously do.
Rule #4 - Don’t Store Passwords Insecurely
Let’s not sugar coat it - your passwords don’t belong on a sticky note adhered to your monitor. They don’t belong in a text document called “passwords” on your desktop. They don’t belong in your email inbox. They don’t belong on a note in your phone.
The only safe way to store passwords is in an encrypted state, behind another strong, unique password. There are specific tools designed to store passwords - for example, KeePass, Dashlane, 1Password, and LastPass are highly-rated password managers designed to store passwords. These tools work great for individuals, provided they are used properly and locked down with a secure password and 2FA.
For your business, we can work with you to determine the best solution for you and your staff to protect and store company-wide passwords.
How to Make Good Password Habits Easy
We realize that, in order to have healthy password habits, we are asking you to complicate your everyday life by making it harder to get into your Netflix account. It’s an inconvenience we all have to force ourselves to live with.
That said, there are ways to make it easier without compromising your security.
Invest in a Password Manager
We briefly mentioned this in Rule #4. Password managers like KeePass, Dashlane, 1Password, and LastPass are great, cost-effective options for getting control over your passwords. For the individual home user, we often recommend LastPass for its ease of use and the free account will usually be enough for most. For businesses, we recommend you give us a call at 607.433.2200 so we can discuss your needs before you or your staff start dumping passwords into a third-party tool.
Password Managers make it easy to use long, complex passwords because they remember everything for you and are easy to access from your browser and mobile device. Logging into your Amazon account on your laptop? If you are signed into your password manager, it should be able to autofill the login form for you. Logging into Netflix on your smart TV? Pull out your phone and go into your password manager and bring up the password.
Most password managers even let you randomly generate secure passwords and save them automatically.
Use Passphrases Instead of Passwords
A passphrase is a string of several random words used as a password. Scientifically, a passphrase is harder to crack than a standard password, and easier to remember.
For example, if your password was ‘racecar’ but you were trying to be clever and include the required numbers and symbols, you might make your password ‘r@c3car’ or ‘racec@r96’ or ‘racecar96!’ Either way, this is a relatively easy password for a machine (or an equally clever human being) to guess.
Instead, by chaining several random (the key word here is random) words together, you can construct a password that is easy to remember but extremely hard to guess.
What might these random words look like?
Moody Banana Accordion Genius
Add a few random numbers and special characters, and we’ve got a password that is easy to remember, but would take forever to crack. A hacker running a tool that makes 1000 random guesses every second would take centuries to guess this password:
$MoodyBananaAccordionGenius@772
(Please, hopefully it doesn’t need to be said, but don’t use the example password above for any of your accounts.)
If the words are truly random, meaning someone who knows you well won’t be able to guess them, you’ve got a strong password that is easy to remember.
The Short Version
We want to make this easy for business owners and office managers to share this advice with employees who aren’t thinking about (or worrying about) company security on a day-to-day basis.
- Don’t use the same password twice, under any circumstance.
- Use strong, random passwords that can’t be guessed, and that don’t contain identifiable information like birthdays, names, and hobbies.
- Always use two-factor/multi-factor authentication when available.
- Don’t store passwords in text documents, emails, sticky notes, or anywhere else they could be found.
- Use a password manager for individual home use (and an enterprise-level password manager for business use).
- Use random passphrases to make complex passwords that are easier to memorize.
Final Thoughts - Invest Energy into Educating Others
From a business owner or office manager’s perspective, one of your biggest cybersecurity weaknesses are your employees. This doesn’t mean your end users aren’t intelligent, compassionate people who want the best for their employer, but they probably don’t understand the liability that comes with not having good password habits.
We encourage that you take time in educating your staff and sharing resources like this, and promoting healthy online habits both at the office and at home. We would be happy to provide cybersecurity guidance for your business, and a part of that can include educating your staff on ways to protect both themselves and sensitive company information from being compromised online.
Want to learn more? Give Directive a call at 607.433.2200.