The days of periodically expiring passwords are over. Or, at least, they should be.
Let’s face it. That was never a good thing anyway. Did anyone not just add a number on the end and increment it every month? Rover1, Rover2, Rover3… because that’s secure, right? Well, who could blame you? No one can be expected to remember a new, distinct password every month – one with numbers, symbols, and upper- and lower-case letters, at least 8 characters long. Wait… I know… let’s write it on a sticky note and put it underneath our keyboards with all the other passwords… because that’s also secure, right?
Keeping passwords secure matters. Hackers have lists of common weak passwords and have built sophisticated tools that generate and try guesses as fast as the target system will let them. This is called a brute-force attack, and it happens all day, every day.
The recommendation these days is that you actually use a passphrase that is easy to remember. For example,
My n31ghbor’s puppies bark night and day!
takes a computer significantly longer (years longer) to guess than BarkingD0g!
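To make the comparison concrete, here is a small Python script added to this post (it is not part of the original article) that estimates the exhaustive-search effort for the two passwords above and applies the kind of weak-password list check a login system can run; the guess rate and the weak-password list are constructed assumptions for illustration.

```python
import string

SECONDS_PER_YEAR = 365 * 24 * 3600
# Assumed attacker speed in guesses per second (hypothetical figure).
GUESSES_PER_SECOND = 10_000_000_000

# Character classes and their sizes; if a password uses a class, an exhaustive
# search must include the whole class in its alphabet.
CHAR_CLASSES = [
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation + " "), 33),
]

def keyspace(password: str) -> int:
    """Worst-case number of guesses to exhaust the alphabet and length
    the password actually uses (alphabet size ** length)."""
    alphabet = sum(size for chars, size in CHAR_CLASSES
                   if any(c in chars for c in password))
    return alphabet ** len(password)

def years_to_exhaust(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Years needed to try every candidate at the assumed guess rate."""
    return keyspace(password) / rate / SECONDS_PER_YEAR

# Constructed stand-in for an attacker's "common weak passwords" list.
WEAK_LIST = {"password", "123456", "qwerty", "rover", "p@$$w0rd"}

def check_password(candidate: str, weak_list: set[str] = WEAK_LIST) -> list[str]:
    """Return the reasons a candidate should be rejected (empty list = OK).
    Trailing digits and punctuation are stripped before the list lookup, so
    Rover1, Rover2, Rover3... all match the base word 'rover'."""
    problems = []
    if len(candidate) < 8:
        problems.append("shorter than 8 characters")
    base = candidate.rstrip(string.digits + string.punctuation).lower()
    if base in weak_list or candidate.lower() in weak_list:
        problems.append("matches a common weak password")
    return problems

if __name__ == "__main__":
    for pw in ["Rover3", "BarkingD0g!", "My n31ghbor's puppies bark night and day!"]:
        print(f"{pw!r}: {years_to_exhaust(pw):.3g} years, "
              f"{check_password(pw) or 'ok'}")
```

The passphrase is written here with a plain ASCII apostrophe so it counts as ordinary punctuation; the point is the gap between 95^11 and 95^41 candidates, not the exact year figure.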
Now you have a passphrase you can remember (yes, without the sticky note… come on… I have faith in you.) At first it feels strange typing a sentence for your password; but, trust me, it’s quicker and more natural than the finger acrobatics you have to do to enter p@$$w0rd! Once you set this password, leave it alone. Don’t change it unless you think your password has been compromised. So, if you clicked that link in the cleverly crafted message that looked just like it was from your HR department and then entered your password into that cleverly crafted website, you’ll want to change that password… quickly… everywhere it’s used. The bad guys don’t waste any time.
Also, don’t use the same password for multiple logins.
“You mean a different password for everything? Oh, I’m for sure going to need that sticky note!”
No. Put down the neon square. You’re better than that.
Use a password manager, such as LastPass, to help you save all of your passwords. You should make a pretty lengthy passphrase for your password manager account. That one you’ll want to write down and put it in your safe deposit box because it is your master key. You won’t want to lose that one. LastPass will run in your web browser and on your phone and autofill all of your logins. That way you don’t have to remember all those distinct passwords. See, I told you you wouldn’t need that sticky note.
Also… and this is important… enable MFA (multifactor authentication – also known as 2FA, two-factor authentication, or two-step authentication). You know this as that text code you have to enter when you log into things. There are good and better ways of doing MFA, which I’ll cover in a later article, but the important thing is that you enable any form of MFA. With this enabled, even if the bad guy guesses your password, they still have to have your phone to log in. This is extremely effective and will thwart most bad guys trying to compromise your account. They’ll likely just move on to someone else who doesn’t have MFA enabled.
We could write all day on password and account security, but we know that you probably wouldn’t read it if we did. You don’t geek out on this stuff like we do. If you’ve made it this far, you’re undoubtedly concerned about cyber security. This is good. You should be. So, just for you we’re going to keep this stuff coming.
Topics coming soon:
-Multifactor authentication
-Password managers
-Phishing and social engineering
Contact us today about security training and consulting. We want to learn all about your business and help you become more secure.
Want to see something else? Leave a comment. We’d love to hear from you.
Related Articles
https://www.infosecurity-magazine.com/blogs/nist-password-guidelines/
https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes
https://krebsonsecurity.com/2021/05/the-wages-of-password-re-use-your-money-or-your-life/
https://www.welivesecurity.com/2016/05/05/forget-about-passwords-you-need-a-passphrase/