August 14, 2020


Passwords are like underwear: you don’t let people see it, you should change it very often, and you shouldn’t share it with strangers.

Chris Pirillo

Passwords are often your only line of defense.  Industry breach reports year after year attribute the large majority of hacking-related breaches (over 80% in Verizon's Data Breach Investigations Report) to weak, reused or stolen credentials.  It truly amazes me the passwords people use to protect their accounts and how quick they are to give them out.  Providing technical assistance for users over the last 20 years, I easily have at least one person a day tell me their password for the service I am assisting them with.  I never ask, I never need it, but they are always there to volunteer it.  The lack of concern people have over their passwords makes me wonder how they handle their own personal security.  Do you frequently hand out keys to your house?  Do you leave windows open?  Do you invite strangers into your home?  The idea of doing any of that sounds absurd, yet we see the digital equivalent every day, and the right password can open many doors in your network.

The first rule of passwords: never talk about your password.  Don't give out your password.  As an MSP we often struggle with this one, because we need our clients' administrative passwords to manage their networks.  However, once we receive them and verify they work, we change them, put them on a rotation schedule and make sure they meet the standards described below.

Pro Tip: Whenever you enter credentials on a website, check the address bar first and read the entire hostname, not just whether your bank's name appears somewhere in the address.  This is how phishing scams work: the page looks right, but the address is a lookalike, with the bank's name used as a subdomain of the attacker's domain or buried in the path.  Don't log in to your bank unless the address bar shows exactly your bank's domain over HTTPS.  If someone asks you for a password, your first response should be to ask why they need it.  If they cannot set up their own login and you must provide yours, change it immediately afterwards.
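As an added example (not code from the original post), here is the address-bar check expressed as a small Python function. The bank hostname "www.bank.example" and the lookalike addresses are constructed for the demo; the point is that the whole hostname, as the browser parses it, has to match, which defeats the subdomain, path and "user@host" tricks phishing links rely on.

```python
from urllib.parse import urlsplit

# Hostname you expect for your bank. Placeholder used for this example, not a real bank.
BANK_HOST = "www.bank.example"


def is_expected_site(url: str, expected_host: str = BANK_HOST) -> bool:
    """Return True only if `url` is an HTTPS page on exactly `expected_host`.

    Deliberately strict: the full hostname must match, not merely contain the
    bank's name, so every lookalike below is rejected.
    """
    parts = urlsplit(url)
    # urlsplit separates any "user:pass@" prefix from the real host, so
    # https://www.bank.example@evil-login.example/ yields hostname "evil-login.example".
    host = (parts.hostname or "").rstrip(".")
    return parts.scheme == "https" and host == expected_host.lower()


# Constructed examples of the kind of address a phishing e-mail links to.
LOOKALIKES = [
    "http://www.bank.example/login",                  # plain HTTP: not the bank's login page
    "https://www.bank.example.evil-login.example/",   # bank name as a subdomain of the attacker's domain
    "https://evil-login.example/www.bank.example/",   # bank name only in the path
    "https://www.bank.example@evil-login.example/",   # bank name as the "username" before the @
    "https://www.bank-example.example/",              # hyphen instead of a dot
]


def triage(urls):
    """Map each URL to whether it is the genuine site."""
    return {u: is_expected_site(u) for u in urls}


if __name__ == "__main__":
    for url, ok in triage(["https://www.bank.example/login"] + LOOKALIKES).items():
        print(("GENUINE  " if ok else "SUSPECT  ") + url)
```

A browser does the same parsing when it shows you the hostname, which is why reading the address bar, rather than trusting the page's logo, works.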

The second rule of passwords is do not use the same password in multiple places.  I know that remembering a different password for every site is a hard task.  Luckily there are plenty of safe and secure password managers to handle it for you.  If you think having multiple passwords is a pain, think about all the security breaches you see in the news.  If you had a login for one of those sites and reused the password, every site where you used it is now compromised, versus just one.  Your credentials are valuable and fetch a pretty penny on the dark web.  People with far more time than me will replay those leaked username and password pairs against other services to see where they still work (this is called credential stuffing).  Never underestimate the patience and persistence of a cyber attacker who wants access to your data.

The third rule of passwords is changing them when they need changing.  How often depends on how strong the password is and on whether it may have been compromised.  It is difficult to know when a password has been compromised unless you are constantly monitoring breach disclosures, so resetting passwords regularly is a reasonable safety net.  The frequency is inversely proportional to the length and complexity of the password: a simple, easy-to-remember 8-character password should be changed monthly, while a longer, more complex password can go for up to 90 days, and a strong password protected by Multi-Factor Authentication can be changed less frequently still.  One caveat a practitioner will raise: current NIST guidance (SP 800-63B) no longer recommends forcing routine rotation on users, precisely because it pushes people toward weak, predictable variations of the old password, so if you do rotate, each new password must be as strong as the last.  Whatever the schedule, a password that has been compromised must be changed immediately on every platform where it was used.  Discuss rotation frequency and complexity requirements with your MSP so they can recommend a policy based on your business.
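Monitoring breach disclosures for your own passwords can be automated without ever sending the password anywhere. As an added example (not code from the original post), the Python below implements the k-anonymity lookup used by the Have I Been Pwned "Pwned Passwords" service: only the first five hex characters of the SHA-1 hash are sent, the service returns every hash suffix in that range, and the comparison happens locally. The range response embedded here is constructed for the demo (one real suffix, that of SHA-1("password"), with a made-up count, plus two made-up suffixes); the `online_fetch_range` function shows the real request but is not called.

```python
import hashlib
from typing import Callable


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form the Pwned Passwords API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str):
    """5-character prefix (sent to the service) and 35-character suffix (kept local)."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_text: str) -> int:
    """Scan a range response ("SUFFIX:COUNT" per line) for our suffix; 0 means not found."""
    for line in range_text.splitlines():
        cand, sep, count = line.strip().partition(":")
        if sep and cand.upper() == suffix:
            return int(count)
    return 0


def check_password(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of times the password appeared in known breaches (0 = not seen)."""
    prefix, suffix = split_for_range_query(password)
    return count_in_range(suffix, fetch_range(prefix))


# Constructed stand-in for the service: one range only. The middle line is the
# genuine suffix of SHA-1("password") = 5BAA6 1E4C9B93F3F0682250B6CF8331B7EE68FD8;
# the count and the other two suffixes are made up for this example.
CONSTRUCTED_RANGES = {
    "5BAA6": "\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "FFD1EAEFCE9AEFA9E0F7A5F4C0B5A2F9A9D:1",
    ]),
}


def offline_fetch_range(prefix: str) -> str:
    """Offline lookup against the constructed data above (empty text = range unknown)."""
    return CONSTRUCTED_RANGES.get(prefix, "")


def online_fetch_range(prefix: str) -> str:
    """Real lookup (network): GET https://api.pwnedpasswords.com/range/<prefix>."""
    from urllib.request import urlopen
    with urlopen(f"https://api.pwnedpasswords.com/range/{prefix}") as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ["password", "trustable retouch spud crook"]:
        n = check_password(pw, offline_fetch_range)
        print(f"{pw!r}: {'seen in breaches ' + str(n) + ' times' if n else 'not found'}")
```

Because only a hash prefix leaves your machine, the service learns nothing useful about the password; this is why it is safe to wire such a check into a password change form or a periodic audit of a password manager's vault.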

The fourth rule of passwords: if you are going to have one, or change one, make it hard to guess.  I am a firm believer that anything worth doing is worth doing right.  A generic or easily guessed password is like leaving your door unlocked or not turning the deadbolt: you are making it easy for someone to get in.  Never use the word password or any creative variation of it (capitalized, with digits or symbols tacked on); "password" sits at or near the top of the most-used-passwords lists year after year.  Don't use anything about you that is easy to guess, like your favorite sports team.  Everyone can see that your favorite team is the Steelers, and it won't take long for an attacker to work through the changes you made to try to make it unique.  The same goes for anything that really matters to you: favorite restaurants, pet names, children's names.  A good rule of thumb is, if someone can learn that fact about you, it shouldn't be your password.

Password best practices:

  • Make it unique, make it long, make it complex; it doesn't need to be hard to remember.
  • Passphrases are the best way to create a password that is easy to remember but extremely hard to guess.
  • Drawing a blank on a sentence?  Throw random words together instead (pick them at random, not from your own favorites).
  • Example: trustable retouch spud crook
  • Approximate crack time: 7,958,154,497 centuries
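How strong a random-word passphrase is can be calculated rather than guessed. As an added example (not code from the original post), the Python below generates a passphrase with the operating system's cryptographic random source and works out its entropy and expected crack time. The 16-word list is constructed for the demo; a real generator should draw from a large published list such as the EFF long wordlist (7,776 words), and the guess rates used in `describe` are assumptions about the attacker: a crack-time figure such as the one above depends entirely on that assumed rate, so the function reports it alongside the result.

```python
import math
import secrets

# Constructed 16-word list so the example runs offline. Real use: a large published
# wordlist (e.g. the 7,776-word EFF long list); "trustable retouch spud crook" is that kind of draw.
WORDS = [
    "trustable", "retouch", "spud", "crook", "lantern", "velvet", "marble", "cactus",
    "pioneer", "harbor", "quilt", "saddle", "tundra", "walnut", "zephyr", "ember",
]


def generate_passphrase(n_words: int = 4, wordlist=WORDS, sep: str = " ") -> str:
    """Pick n_words uniformly at random using the OS CSPRNG (secrets, never random.choice)."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def entropy_bits(n_words: int, wordlist_size: int) -> float:
    """Strength of a randomly drawn passphrase: log2 of the number of possible phrases."""
    return n_words * math.log2(wordlist_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time for an attacker who knows the wordlist: half the keyspace, on average."""
    return (2.0 ** bits) / 2 / guesses_per_second


def describe(n_words: int, wordlist_size: int, guesses_per_second: float) -> str:
    """One-line summary; guesses_per_second is an assumed attacker rate, not a measurement."""
    bits = entropy_bits(n_words, wordlist_size)
    years = expected_crack_seconds(bits, guesses_per_second) / 31_557_600  # seconds per Julian year
    return (f"{n_words} words from {wordlist_size}: {bits:.1f} bits, "
            f"~{years:.3g} years at {guesses_per_second:.0e} guesses/s")


if __name__ == "__main__":
    print("generated:", generate_passphrase())
    # Assumed rates: an online login form throttled to ~100 guesses/s versus an
    # offline attack on a leaked fast hash at ~1e10 guesses/s.
    for rate in (1e2, 1e10):
        print(describe(4, 7776, rate))
        print(describe(6, 7776, rate))
```

The numbers make the page's advice concrete: four words from a 7,776-word list give about 51.7 bits, which is out of reach for an online attacker but only hours of work for an offline attacker with a fast hash, while six words (about 77.5 bits) hold up in both models. Length is what buys the margin, not symbols.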

Substituting special characters for letters (@ for a, 3 for E) is an easy way to add symbols to a password.  However, remember that the bad guys are wise to this trick: password-cracking tools apply these substitutions automatically, and a custom scheme, say # for a or 4 for J, is covered just as easily by rules that try every digit or symbol in place of a letter.  Treat substitutions as a small bonus on top of a long passphrase, never as the source of its strength.  If you do use them, make it a bit harder by creating your own substitution plan rather than the common one.
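To see why a substitution plan adds so little, here is the attacker's rule turned into a defender's check, as an added example (not code from the original post). It treats every digit or symbol in a candidate password as a wildcard for any letter and strips the digits and symbols people tack on the ends, then asks whether what remains is a word on a blocklist. The five-word blocklist is constructed for the demo; a real deployment would use a breach-derived list of common passwords.

```python
import re
from typing import List

# Constructed blocklist for the demo; use a breach-derived common-password list in practice.
BLOCKLIST = ["password", "steelers", "letmein", "welcome", "football"]


def skeleton_pattern(candidate: str) -> "re.Pattern[str]":
    """Regex in which each letter must match exactly and each digit or symbol may stand
    for any single letter: the same "try every substitution" rule a cracker applies."""
    core = candidate.lower()
    # Drop leading/trailing digits and symbols (Steelers2020!, !!Password1), another standard rule.
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", core)
    body = "".join(re.escape(ch) if ch.isalpha() else "[a-z]" for ch in core)
    return re.compile(f"^{body}$")


def matches_blocklist(candidate: str, blocklist=BLOCKLIST) -> List[str]:
    """Blocklist words the candidate is a mangled form of (empty list = looks fine)."""
    pat = skeleton_pattern(candidate)
    return [w for w in blocklist if pat.fullmatch(w)]


if __name__ == "__main__":
    # Constructed candidates: the common scheme, the author's custom scheme, and a passphrase.
    for pw in ["P@ssw0rd!", "p#ssw0rd", "St33lers2020", "trustable retouch spud crook"]:
        hits = matches_blocklist(pw)
        print(f"{pw!r}: {'REJECT, mangled ' + hits[0] if hits else 'accepted'}")
```

Note that "p#ssw0rd", the custom scheme, is caught by exactly the same rule as "P@ssw0rd": the check never needed to know which symbol stands for which letter. The random passphrase passes because no blocklisted word has its shape, not because of any symbols.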

Make it make sense to you and you will never forget. 
