Everyone HATES passwords. Even I hate passwords.
How many passwords do you have?
Do you reuse your passwords?
Do you have one password you use for every account you own?
Go ahead, be honest. If you answered yes to anything listed above, you’re not alone — in fact, 65% of people reuse their passwords across multiple sites according to this 2019 Google survey. But reusing passwords (especially short ones of 8 characters or fewer) means that one breached site hands an attacker a credential they can replay against every other account you own, and credential-stuffing tools exist precisely to automate that replay.
You’re probably thinking to yourself something along the lines of “Why me? I’m just a small company, nothing in my account is interesting to anyone”, but that couldn’t be further from the truth. Hackers are always on the lookout for anything that could give them an advantage and lead to sweet, sweet cash.
What is PII and why does it matter?
Even if you see yourself as just an ordinary citizen, you still have PII (Personally Identifiable Information) such as your full name, address, payment info and more. To a hacker, any PII from anyone is a goldmine because they can use it to either take money directly from your bank, steal your identity, or, if you’re a small company, hold your data for ransom.
You run a huge risk by using weak, easy-to-remember passwords. You use them because they’re convenient, short, and they expedite how long it takes for you to log into your accounts. But what if we told you that longer, more complex passwords didn’t have to be hard to remember? There are many methods and tools at your disposal that can keep your information safe and make your life a little easier.
Before considering “password123” as a password, try our tips on creating and remembering complex passwords.
Use the passphrase method
You or your organization may be familiar with passwords, but what are passphrases?
Simply put, a passphrase is a longer password made up of several seemingly random words, usually with no spaces. They don’t even have to be difficult words; they’re often words that are easy to remember for the person creating them. An example of a passphrase would be “lambcarpencilink”, or “lamb car pencil ink”.
Because they’re actual words that are easy to memorize, your brain would have an easier time storing this information than the dreaded characters and numbers you have to sprinkle in to meet typical security requirements.
If you decide to update your existing passwords with passphrases, we recommend the following:
• Don’t be afraid to add in a character or number if it will help you remember
• Use words that are easy for you to remember, but not tied to you personally. Rarer words add strength: “clownfish” comes from a much larger pool of candidate words than “fish”, so it is harder to guess. Avoid anything that appears on your social media profiles, such as a pet’s name or your favorite team
• Four words should be used at a minimum, but five is better than four. Every word you add multiplies the number of guesses an attacker has to make by the size of the word pool
• Keep personal information, such as your birthday, out of the passphrase
• Never use the same word twice within a passphrase, and never reuse a passphrase across accounts
• Test your password strength on security.org (and read the helpful tips if you’re stuck). One caveat: don’t type the exact passphrase you intend to use into any third-party checker; test one built the same way, then create a fresh one for real use
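The tips above can be turned into numbers. The following is an added example, not part of the original article or any Centriworks tool: it generates a passphrase from a word list with a cryptographically secure random source (never repeating a word, as the tips recommend), generates the kind of random character password a password manager would produce, and works out the entropy of each so you can compare “four words” and “five words” against a random 8-character password. The word list below is constructed for the demo; for real use you would draw from a large published list such as the EFF long list (7776 words), which is the pool size assumed in the entropy comparison.

```python
import math
import secrets
import string

# Constructed sample word list for illustration only. A real passphrase should
# come from a large published list (the EFF long list has 7776 words, so each
# word contributes about 12.9 bits); this tiny list would be trivially guessable.
SAMPLE_WORDS = [
    "lamb", "car", "pencil", "ink", "clownfish", "granite", "violin", "harbor",
    "cactus", "meadow", "lantern", "pebble", "orbit", "walnut", "saddle", "comet",
]

# Character alphabet a password manager might use for generated passwords (94 symbols).
PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(pool_size: int, count: int) -> float:
    """Entropy of `count` independent, uniform picks from `pool_size` choices."""
    return count * math.log2(pool_size)


def passphrase_entropy_bits(pool_size: int, count: int) -> float:
    """Entropy when the `count` words must all be distinct (picked without replacement)."""
    return sum(math.log2(pool_size - i) for i in range(count))


def generate_passphrase(words, count: int = 5, separator: str = " ", rng=secrets) -> str:
    """Pick `count` distinct words using a CSPRNG (secrets by default)."""
    if count > len(words):
        raise ValueError("word list too small for the requested number of words")
    pool = list(words)
    chosen = []
    for _ in range(count):
        word = rng.choice(pool)
        pool.remove(word)  # no repeats within one passphrase
        chosen.append(word)
    return separator.join(chosen)


def generate_password(length: int = 16, alphabet: str = PASSWORD_ALPHABET) -> str:
    """Random character password of the kind a password manager generates."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    print("passphrase:", generate_passphrase(SAMPLE_WORDS, 5))
    print("generated password:", generate_password(16))
    print("8 random chars from 94 symbols: %.1f bits" % entropy_bits(94, 8))
    print("4 distinct EFF words:           %.1f bits" % passphrase_entropy_bits(7776, 4))
    print("5 distinct EFF words:           %.1f bits" % passphrase_entropy_bits(7776, 5))
    print("16 random chars from 94 symbols: %.1f bits" % entropy_bits(94, 16))
```

The comparison is the point of the block: four words from a 7776-word list come in just under a truly random 8-character password (about 51.7 bits versus 52.4), while five words clear it comfortably (about 64.6 bits) and are far easier to remember. That is the arithmetic behind “five is better than four”. Note that the entropy figures assume the words were chosen at random; words you pick yourself because they are meaningful are drawn from a much smaller, guessable pool.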
Invest in a password manager
So you’ve decided to use passphrases instead of passwords. It’s an excellent first step in the right direction, but now that you have a bunch of them, you’re unsure how to remember them all. You decide to store them in your Google Chrome or Firefox browser, as you always have.
STOP. Do not rely on your browser’s built-in password store for your passphrases/passwords.
Browser password stores are encrypted with your operating-system login, so anything running under your user account can decrypt them. Info-stealing malware does exactly that as a matter of routine, harvesting saved logins from Chrome and Firefox profiles within seconds of landing on a machine.
What’s the point in coming up with such complex passphrases if they can be harvested and exploited regardless?
But now you’re wondering “If I can’t save my passphrases in my browser, do I have to write them all down and keep them in my pocket?”
The answer is no.
A password manager is a tool designed to store and manage all of your passwords and passphrases in an encrypted database, stored safely behind a master password. Some can even generate complex passwords for you if you’re running low on inspiration, which is natural– humans aren’t as random as computers.
Password managers we recommend:
• Bitwarden — good for organizations
• LastPass — there are freebies for personal use
If you choose a different password manager, be sure that it’s a reputable company. Research who developed it, who owns it, if there’s been any recent breaches, and make sure they’re fully transparent.
Use MFA (Multifactor Authentication)
For organizations and ordinary people alike, we recommend MFA with at least two factors when signing into anything. MFA requires an extra step after inputting a password, such as a verification code sent to your mobile phone, or a TOTP (time-based one-time password) generated by an authenticator app that changes every 30 seconds.
MFA is more secure because, although usernames and passwords are routinely stolen, a stolen password alone no longer gets the attacker in: they also have to produce the second factor, which lives on a device they don’t have. Forcing the attacker to also defeat the TOTP app, the email account, or the phone number makes the attack much more difficult to pull off.
If MFA is available, we recommend setting it up on every account you can. Codes sent by SMS or email are the weakest form, since they can be phished or intercepted, but they’re still much safer than having no second factor at all. For organizations, we recommend standardizing on a TOTP application and requiring employees to use it when signing into any business accounts.
Carry around a physical key (hardware security key)
Even if you have all of your digital precautions set up to keep your accounts safe, there’s nothing wrong with taking it to the physical world, too. Along with keeping your complex passwords in a password manager’s database, you can add a hardware security key: a small USB device that holds a cryptographic credential and proves you have it with a touch, so a stolen password is useless without the key in hand. We can personally attest to how well physical keys can work. They help save time when signing into our organizational software for the day.
If carrying around a physical key is more your style, we recommend YubiKey. Current models connect over USB-A or USB-C, the NFC variants can be tapped against a smartphone, and any computer with a USB port (which is basically all of them) can use one.
Sites that support FIDO2/U2F accept the literal push of a button on the key as your second factor, and with passkeys as the login itself, so that’s one less secret to remember. One caveat: register a backup key at the same time and store it somewhere safe, because a lost key locks you out of any account that has no other second factor.
Get a Dark Web scan
If you’re in the process of improving your security and password practices, it’s critical to know if any of your former or current passwords were ever stolen and shared/sold on the dark web. Leaked passwords put your organization at high risk for breaches.
Being at risk for a data breach not only violates the trust you have with your clients, but it can put you at risk for non-compliance with regulations such as HIPAA, CMMC, FINRA, DLPB, and GDPR. How can you tell whether your credentials are already exposed right now? You need a Dark Web scan.
Centriworks currently offers a complimentary Dark Web scan using Tor to help companies identify any stolen passwords. We’ll scan the Dark Web to see if we locate any of your passwords being sold to other cybercriminals. If they have, we recommend that you move them to a never-use list. In addition we strongly suggest that you change all of your passwords ASAP to prevent a full-on breach.
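Independent of any scan service, a practitioner can check a single password against a corpus of breached passwords without ever sending the password anywhere. The following is an added example, not part of the original article or of the Centriworks scan: it implements the k-anonymity range lookup used by the Have I Been Pwned “Pwned Passwords” API, where only the first five hex characters of the password’s SHA-1 are sent and the server returns every matching hash suffix with a breach count, so the matching is done locally. The response embedded below is constructed for the demo (the counts are made up), and the `fetch_range` callback is this example’s own abstraction so the logic can be run offline; the live fetcher is included for real use and needs network access.

```python
import hashlib
import urllib.request

RANGE_API = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str):
    """Split the uppercase hex SHA-1 of the password into the 5-char prefix that is sent
    to the API and the 35-char suffix that never leaves this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str, suffix: str) -> int:
    """Parse 'SUFFIX:COUNT' lines for one prefix; return the count for our suffix (0 = not seen)."""
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue  # tolerate blank lines or padding rows
        found, count = line.split(":", 1)
        if found.strip().upper() == suffix:
            return int(count.strip())
    return 0


def breach_count(password: str, fetch_range) -> int:
    """Number of times the password appears in the breach corpus; the full hash is never sent."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix), suffix)


def fetch_range_live(prefix: str) -> str:
    """Real lookup (needs network). Add-Padding makes every response the same size on the wire."""
    req = urllib.request.Request(RANGE_API + prefix, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for a range response (counts invented for the demo). The middle row
# is the real SHA-1 suffix of the string "password", whose prefix is 5BAA6.
SAMPLE_RESPONSE = """\
1E2DC1D0A6A1D4C7E6A3C2B1F0E9D8C7B6A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1F0A2B3C4D5E6F708192A3B4C5D6E7F8091:1
"""


def fake_fetch(prefix: str) -> str:
    """Offline fetcher: only the prefix for "password" has any rows in the constructed sample."""
    return SAMPLE_RESPONSE if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for candidate in ("password", "lamb car pencil ink"):
        n = breach_count(candidate, fake_fetch)
        verdict = "seen %d times, never use it" % n if n else "not in the sample corpus"
        print("%-22s %s" % (candidate, verdict))
```

A zero result only means the password is not in that corpus; it is not proof the password is safe. The useful signal is the non-zero case, which should send that password straight to the never-use list.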
Contact us today to learn more about our complimentary Dark Web scan.
— Todd Sheppard, CISSP / Centriworks
We’re ready to help you work smarter and more securely.
For more information on cybersecurity, call Todd Sheppard at (865) 524-1124 or use this contact form.