It’s simple advice: have strong passwords. The fundamentals are baked into most password-requiring websites through the requirement for upper- and lower-case characters, numbers, special characters and a minimum length. Most people think they know everything there is to know about it. But there’s actually a lot more to it.
For this year’s Cybersecurity Awareness Month, we’ve updated this essential post since much of what we wrote in October 2016 remains timely and relevant. One way users can control their security—outside of requirements stipulated in the workplace—is following best practices when it comes to passwords. Here are seven tips to consider when creating or changing a password.
Lesson 1: Longer passwords are harder to crack and can still be easy to memorize.
A common minimum length is eight characters. But an eight-character password is within reach of a brute-force attack, meaning trying every possible combination of characters until one matches yours, for determined attackers and state agencies, especially when the attacker holds a stolen copy of a site’s password hashes and can guess offline at billions of attempts per second. A 10-character password, even one using only upper- and lower-case letters, pushes that timeline out considerably. Every character you add multiplies the number of possible passwords by the size of the character set, so the difficulty grows exponentially with length.
These longer passwords can be easy to memorize, too. Avoid famous quotes or lyrics like “ican’tgetnosatisfaction,” which appear in cracking wordlists, but you can use a string of unrelated words that has meaning to you and little logical meaning to anyone else, for example chairpinkauthorocean or tomatojacketstarwindow.
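To put numbers on Lesson 1, here is an added example (not code from the original post) that computes the keyspace, the entropy in bits and the worst-case time to exhaust it for three password shapes: an eight-character password drawn from the full keyboard, a ten-character letters-only password, and a four-word passphrase picked at random from a 7776-word Diceware-style list. The guess rate of 10^10 per second and the list size are assumptions for the illustration; the short word list used by the passphrase generator is constructed from the words in the text.

```python
import math
import secrets

# Character-set sizes for the password policies discussed above.
LOWER = 26
UPPER = 26
DIGITS = 10
SYMBOLS = 33          # printable ASCII punctuation

# A real Diceware list has 7776 words (6^5); that size drives the entropy.
DICEWARE_WORDS = 7776
# Constructed stand-in list for the generator below, not a real Diceware list.
SAMPLE_WORDS = ["chair", "pink", "author", "ocean", "tomato", "jacket", "star", "window"]


def keyspace(charset_size, length):
    """Number of distinct passwords of exactly `length` symbols."""
    return charset_size ** length


def entropy_bits(keyspace_size):
    """Bits of entropy for a password chosen uniformly from the keyspace."""
    return math.log2(keyspace_size)


def seconds_to_exhaust(keyspace_size, guesses_per_second):
    """Worst-case time to try every candidate at the given guess rate."""
    return keyspace_size / guesses_per_second


def compare_policies(guesses_per_second=1e10):
    """Compare the three cases from Lesson 1 at an offline cracking rate.
    1e10 guesses/s is an assumed figure for a GPU rig attacking a fast,
    unsalted hash; it is not a number from the text."""
    cases = {
        "8 chars, full keyboard": keyspace(LOWER + UPPER + DIGITS + SYMBOLS, 8),
        "10 chars, letters only": keyspace(LOWER + UPPER, 10),
        "4 random Diceware words": keyspace(DICEWARE_WORDS, 4),
    }
    return {
        name: {
            "bits": round(entropy_bits(size), 1),
            "days": round(seconds_to_exhaust(size, guesses_per_second) / 86400, 1),
        }
        for name, size in cases.items()
    }


def random_passphrase(words, count=4):
    """Pick `count` words with the `secrets` CSPRNG (never random.choice).
    The entropy comes from the list size and the uniform random choice,
    not from the words themselves."""
    return "".join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    for name, stats in compare_policies().items():
        print(f"{name:26s} {stats['bits']:5.1f} bits  ~{stats['days']:>8,.1f} days to exhaust")
    print("example passphrase:", random_passphrase(SAMPLE_WORDS))
```

Two things the numbers show that the paragraph alone does not. First, the ten-character letters-only password (about 57 bits) beats the eight-character full-keyboard one (about 52.6 bits): length wins over symbol variety. Second, four words chosen uniformly from a 7776-word list come to about 51.7 bits, roughly the same as the eight-character password; five or six words are needed to pull clearly ahead, and words chosen because they mean something to you carry less entropy than this estimate, because the estimate assumes truly random choice.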
Lesson 2: Length and complexity don’t matter if you use the same password everywhere.
Most websites requiring a log-in appear secure. Their URLs start with https, or the browser shows a padlock in the address bar, meaning the connection between you and the site is encrypted. That says nothing about how the site handles your password once it arrives: implementation flaws, missing patches, misconfiguration and human error can all expose your data, including your password. Sites are breached every day and users’ credentials leaked. Attackers then replay those leaked email-and-password pairs against other sites, a technique known as credential stuffing, so if your super secure password is revealed once, every other account that uses the same credentials is at risk.
While it’s not possible to fully assess the security of a website just by using it, some behaviours reveal poor practice. For example, if you forget a password and the website sends your password back to you in plain text, the site is storing your password in a recoverable form. A well-run site stores only a salted hash of your password, so the password itself is unintelligible both to the site’s own staff and to anyone who steals its database.
Lesson 3: If you forget your password and an organization provides it to you, run.
You click the “forgot password” link. If the next thing that happens is the company shows or emails you your existing password, think twice about trusting that organization with your sensitive information. Organizations should be salting and hashing their stored passwords with a deliberately slow algorithm designed for the purpose, such as bcrypt, scrypt or Argon2. A hash cannot be reversed to recover the password; an attacker who steals the database can only guess candidate passwords and hash each one, and the per-user salt and the slow algorithm make that guessing expensive for every single account rather than once for the whole table. A password that can be sent back to you is, by definition, not stored that way. The only legitimate response to a forgotten password is a reset that lets you choose a new one.
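The following is an added example (not code from the original post) of what “salting and hashing” means in practice, set beside the unsalted fast hash it replaces. It uses PBKDF2-HMAC-SHA256 from the Python standard library because that runs anywhere; bcrypt, scrypt or Argon2 would be the preferred choice in production. The iteration count follows OWASP’s published guidance for PBKDF2-SHA256 at the time of writing and should be checked against current advice. The user table and wordlist are constructed for the illustration.

```python
import hashlib
import hmac
import os

# PBKDF2-HMAC-SHA256 work factor: OWASP's recommended floor at time of
# writing (an assumption to re-check; raise it as hardware gets faster).
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
DKLEN = 32


def hash_password(password, salt=None):
    """Return a self-describing record: algorithm, iterations, salt, digest.
    A fresh random salt per user means two users with the same password
    get different records, so one precomputed table cannot crack them all."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                 PBKDF2_ITERATIONS, dklen=DKLEN)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute with the stored salt and iteration count, then compare in
    constant time. This is the only operation the site can perform with
    the record: there is no function that gives the password back."""
    alg, iterations, salt_hex, digest_hex = record.split("$")
    if alg != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    expected = bytes.fromhex(digest_hex)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations),
                                    dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


# The bad way, for contrast: a fast hash with no salt.
def md5_unsalted(password):
    return hashlib.md5(password.encode()).hexdigest()


def crack_unsalted(stored_hashes, wordlist):
    """Hash each candidate once and look every user up in that table.
    Every user who picked a word in the list falls in a single pass, and
    identical hashes immediately reveal who shares a password."""
    table = {md5_unsalted(word): word for word in wordlist}
    return {user: table[h] for user, h in stored_hashes.items() if h in table}


# Constructed sample data: a small "most common passwords" list and a
# leaked table of unsalted hashes for three users.
COMMON_PASSWORDS = ["123456", "password", "password123", "qwerty", "letmein"]
LEAKED_MD5_TABLE = {
    "alice": md5_unsalted("password123"),
    "bob": md5_unsalted("password123"),
    "carol": md5_unsalted("chairpinkauthorocean"),
}

if __name__ == "__main__":
    record = hash_password("tomatojacketstarwindow")
    print("stored record:", record)
    print("correct password verifies:", verify_password("tomatojacketstarwindow", record))
    print("wrong password verifies:  ", verify_password("tomatojacketstarwindoW", record))
    print("cracked from unsalted MD5:", crack_unsalted(LEAKED_MD5_TABLE, COMMON_PASSWORDS))
```

Note that `hash_password("x")` called twice yields two different records because the salt is random; with the unsalted table, alice and bob have identical hashes, and a single MD5 of “password123” recovers both. Carol’s four-word passphrase is not in the short list and survives this pass, which is the point of Lesson 1.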
Lesson 4: Not all security questions are created equal.
Some security questions are downright bad. A perfect example: what was your first car? First, there’s a limited universe of plausible answers. Second, most people didn’t have Porsches; they had a Ford Escort, a Ford Focus or some other affordable car, so an attacker can simply try the most common models first. Third, the answers to these kinds of questions are often public information or well known among friends. Think critically about your security questions and answers before relying on them to protect your data.
Lesson 5: Don’t let password managers autofill your passwords.
Password managers store complex passwords, and many automatically fill the username and password fields for you. Managers match saved credentials to the site’s domain, which is a genuine defence against look-alike phishing domains, but a manager that fills on page load without any action from you can be tricked by a malicious or injected script on a compromised page into handing your credentials straight to a criminal. To protect yourself, turn off automatic filling so that credentials are only entered when you explicitly choose them, or, even better, don’t store your full passwords in the manager at all. Add a few characters you’ll remember and type in yourself. Then even if the manager is breached or tricked into filling, no one ends up with the complete password.
Lesson 6: Consider using different email accounts for each site.
This requires you to have your own domain, so you can create an unlimited number of addresses. For example, your LinkedIn account could use an address such as linkedin@example.org that you use nowhere else. Then if that site is ever breached, the compromised address isn’t in use anywhere else, and credential-stuffing attempts with it will fail everywhere else. Many providers also offer plus-addressing (you+linkedin@yourprovider), but an attacker can strip that suffix to recover your real address, so a separate domain with a catch-all inbox is the stronger option.
Lesson 7: Choose your authentication factors wisely.
Multi-factor authentication means combining two or more of something you know, something you have and something you are. But many implementations of “multi-factor” involve only things you know. You know your password, and often the second factor is a code sent to your email. People believe they “have” their email, but access to email rests on credentials, which are again something you know. Better is a second factor based on something you have. SMS codes to your phone have been used for this, but they can be intercepted or redirected through SIM-swap fraud. A preferred second factor is an algorithmically generated, time-sensitive code that you read from an app on your phone or from a key fob. Even these one-time codes can be phished in real time by a fake site that relays them to the real one, so where a service offers a hardware security key (FIDO2/WebAuthn), which is bound to the genuine site’s origin, that is the strongest choice.
The saying goes, “You don’t have to run faster than the bear. You just have to run faster than the slowest guy running from the bear.” The same applies to credential management. You might not take all of this advice, but whatever you do take will lower your risk of being easy prey for a cyber attack.