“Fluffy1”: Bad Password!
Admit it. You’ve done it, too! What’s easier to remember than your dog’s (or cat’s, or kids’, or spouse’s) name when creating a new password? Unfortunately, in today’s world, if you’re using passwords like this, it’s not a matter of if you are going to be the target of a cyber-attack, but when.
Protecting your information and identity, whether personal or business-related, is not something you should take lightly. A compromise of any of your accounts or systems could have catastrophic consequences. As daunting as it may seem, there are some simple steps you can take to make sure you are not a victim.
Let’s start with some things you should NOT do when establishing passwords:
- DON’T: Use common words or names of pets, children, etc. Common names are usually going to be part of lists of passwords that are used by bots for brute-force attacks. Brute force is the attempt to break into a user account by trying thousands (if not millions) of passwords until one works. Also, don’t use dates such as birthdays and anniversaries – especially if you are on social media and announcing these events as they occur. Every bit of information you are sharing about yourself online becomes a potential key to unlocking your accounts.
- DON’T: Increment your password by one digit each month. If you used Fluffy1 last month and you change your password to Fluffy2 this month, you’re asking for trouble. If, for some reason, your password ends up on the dark web it wouldn’t take much guessing to figure out what your current password might be. I’m guessing Fluffy3 would be next in line.
- DON’T: Use the same password for all of your accounts. It seems every week there is a story in the news about servers being hacked and password lists being leaked. Usually, these lists end up on the dark web where they are sold. Let’s say the list is from a social media site where you had an account set up. The first thing a hacker is going to try to do is hit every other social media site looking for matches. Then they’ll try banking, investment, insurance, healthcare and shopping sites with your username and password. If you used the same one on multiple sites, you will be compromised.
- DON’T: As in NEVER, use your business Email as your username for personal accounts. If your personal account information is leaked, you have now exposed your company systems (Intranet, Email servers, Web servers, etc.) to a serious threat. Business executives and managers are prime targets as they tend to have access to the most sensitive data of an organization.
- DON’T: Store your passwords in a plain text format on your computer or cell phone. If you are using Notepad, Word, Excel or some other easily accessed file format to store your passwords, you need to change your system. If your computer or phone is accessed you have now given away all of your passwords. Consider using software specifically designed to securely manage passwords.
So I’ve told you what not to do, what is it you SHOULD be doing? Here are some best practices:
- DO: Use long passwords over complex passwords. There has been a shift taking place in the security community. Complex passwords (Example, 2{e_\xH:A,) that use a mix of upper case, lower case, numbers and symbols are no longer considered the best practice. Instead, longer “passphrases” are now recognized as the best practice.
Passphrases are longer strings of words that are in an uncommon sequence. Keep it long and keep it funky. Avoid using common phrases that are easily found in pop culture (movie quotes, song lyrics, etc.) such as “May the force be with you!”. Instead, use phrases that you can remember but may not make much sense to anyone but you. An example of a good passphrase might be “Total banana mountain unreal $uper gori11a!” Per Kaspersky Labs, it would take 100,000+ centuries to brute-force crack this passphrase. Compare that to 4 minutes to crack “Fluffy1”.
- DO: Use two-factor authentication when offered. Two-factor authentication means in addition to entering your login and password you must also provide another piece of information to log into your account. This extra piece of information may be a PIN, you may need to answer security questions or you may receive a text message or a phone call a number you must type into the site to completely log in. There are a number of two-factor authentication methods – use them when available.
- DO: Evaluate the risk associated with each of your accounts. Not every password requires the same level of security – it’s largely dependent upon how much you’re at risk if the account is compromised. For example, passwords used to access your financial, insurance and healthcare data should be the strongest possible. While passwords used for “free stuff”, food ordering, or weather updates don’t require the same level of security.
Consider breaking your passwords into different tiers. Here’s an example of how that may look.
The threats are out there and the threats are real. From the casual hacker who is buying up password lists on the dark web, to enemy states who are looking to steal Intellectual Property (IP) from businesses. YOUR personal and company credentials are a target. If you have not been following some of these best practices, now’s the time. Get your credentials organized and hardened so you can protect yourself and your company.