Passwords

All you need to know...and more!

Resetting passwords is among the top items that take up an IT helpdesk's time. In my experience, if an end user does not enter a password daily or weekly, that password is forgotten. The next time that end user needs to enter it, it's a call to their IT administrators or a trip down "I forgot my password" lane, culminating in an email containing the statement, "to reset your [blank] account password, please click here." It's a tiresome refrain, and the number of passwords any one of us needs to recall on a weekly, if not daily, basis can be overwhelming. Strong, secure passwords are nonetheless necessary, and unfortunately all too rare in situations where they are not required.

It's incredibly important to be careful where your passwords are stored. You may be tempted to have your web browser store your passwords for you. This is a mistake; web browsers are notoriously insecure, and they are a great place for hackers to pick up your passwords if your computer is ever compromised. Writing them down on a sticky note and pasting that directly to your monitor, while convenient, means that anyone walking by your desk could know your password. Keeping your passwords in a spreadsheet or some other digital file seems like a good idea, but computers get viruses, and many of the digital formats used to store passwords are not secure enough.

Strong passwords are between 8 and 10 characters in length and contain uppercase letters, lowercase letters, numerals, and symbols. Perform a web search for "most common passwords", take note of what's on that list, and avoid those passwords like the plague; they will be among the first passwords attempted in a brute force attack. Thankfully, many websites these days will lock your account after a certain number of failed password entries. Be careful about using personal information like birthdays, children's names, pets' names, spouses' names, or anything that someone could discover just by digging through your social media profiles. IronMaiden1992! is a good password unless you're a member of an Iron Maiden fan page on Facebook and you or someone close to you was born in 1992.
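As an added illustration (not code from the original post), here is a small Python checker that applies the rules in this paragraph to a candidate password: minimum length, the four character classes, a deny list of common passwords, and any words or years that appear in a social-media profile. COMMON_PASSWORDS and the profile strings are constructed samples, and the minimum length used is the "at least 8" from the closing summary.

```python
import re
import string

# Constructed stand-in for the "most common passwords" list the post tells
# you to look up; a real check would load the full published list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou", "welcome"}


def personal_tokens(profile):
    """Words (3+ letters) and 4-digit years pulled from profile strings such as
    names, pets and birthdays, lower-cased. `profile` is a constructed stand-in
    for what someone could read off a social-media page."""
    tokens = set()
    for value in profile:
        tokens.update(w.lower() for w in re.findall(r"[A-Za-z]{3,}|\d{4}", value))
    return tokens


def check_password(password, profile=()):
    """Return the reasons a password fails the rules above (empty list = passes)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    classes = {
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "numeral": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    for name, present in classes.items():
        if not present:
            problems.append(f"missing {name}")
    # Compare both the whole password and its letters-only core, so that a
    # dressed-up "Password1!" is still caught as the common word "password".
    lowered = password.lower()
    core = re.sub(r"[^a-z]", "", lowered)
    if lowered in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        problems.append("on the common-passwords list")
    # Anything readable off the profile (band names, birth years) is rejected.
    for token in sorted(personal_tokens(profile)):
        if token in lowered:
            problems.append(f"contains personal info: {token!r}")
    return problems


if __name__ == "__main__":
    # Constructed profile: the Iron Maiden fan born in 1992 from the paragraph above.
    fan_profile = ("Iron Maiden fan page", "Born 1992")
    print(check_password("IronMaiden1992!"))
    print(check_password("IronMaiden1992!", fan_profile))
```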

You might not think of yourself as a target for these kinds of attacks, but the simple act of signing up for an email account or taking advantage of the modern convenience that is online banking makes you one. Hackers rely on inexperienced users' mismanagement of passwords and general lack of computer knowledge to pay their bills and feed their children. They don't care who they steal from, and it's often people with the least resources who are made victims by these crimes.

Making your password something completely random with numbers and symbols mixed in is truly the best kind of password, but these can be difficult to remember. I find it's easiest to remember a password when it is a phrase, or a three-word combination with symbols and numbers sprinkled in. Using different passwords for different accounts is a must; many websites these days use an email address as the login username. This creates a one-to-many relationship between your email account and your assortment of website and online banking accounts. If your passwords are the same for all of these, then you could lose everything if only one of those websites has a breach and your information is leaked. www.haveibeenpwned.com is a great resource for checking whether you have an account that was compromised, when your account's credentials were leaked, and the full scope of the breach.

The best thing you can do is configure Multi-Factor Authentication, also known as 2-Step Authentication (MFA and 2FA), which will require another layer of authentication that should ensure complete security. Usually this is in the form of a text message, phone call, or email that contains a code you need to enter before completing your login. Sometimes a service (like Office 365) will have its own smartphone app that will provide a code or a push notification to approve or deny a sign-in attempt, and oftentimes a computer can be remembered so this only needs to be done once or infrequently if you are using the same device.

Most online banking websites and email providers offer MFA and encourage its use, and I cannot recommend enough that you configure it for these types of accounts. PayPal, Amazon, Etsy, Facebook, Twitter, Instagram, Bank of America, and TD Ameritrade all offer MFA, and you should use it. In fact, any website on which your credit card may be used and stored should have MFA available, and if it does not, I would recommend using PayPal for payment to keep your credit card information off of their servers.

Using a password manager like LastPass or 1Password goes a long way toward securing your accounts. It means you can use random (as close to random as a computer can get), lengthy passwords, created by the password manager itself, and you won't even be responsible for remembering them. All you will need is the "Master Password" for your password manager; web browser extensions can do the rest, and where those don't work you can manually open your password manager to find, copy, and paste your highly secure password. But what if my "Master Password" is compromised? I'm glad you asked, because MFA/2FA is the answer to this fantastic question! If you decide to use a password manager, be sure it includes MFA/2FA and that you set it up; it is vital to the security of your passwords.

So, what have we learned? The world is out to get you, yes, you! The internet is full of nefarious individuals looking to part you from your hard-earned cash, and the best way you can protect yourself is to keep your passwords strong and secure. The best way to do this? Keep your passwords at least 8 characters long, a mishmash of letters, symbols, and numbers, void of any publicly available information about you or those you care about, and different for every account. Still worried, tossing and turning in bed at night with visions of a bad man in a dark room tirelessly entering passwords with your email address in the username field, or worse, entering a single password and getting in? Configure multi-factor authentication (MFA) on your most treasured accounts (email, banking, shopping, etc.); you'll get a notification that someone has tried to sign in, and you can laugh maniacally as the bad man curses patsfan86@gmail.com. Having trouble remembering all those complex and unique passwords? Use a password manager! You won't even have to come up with those mind-bendingly difficult passwords, and you won't have to worry about someone walking by your desk and snagging your most sensitive passwords from a bright yellow sticky note.

-Peter T. Belies
