Your Password Best Practices Primer for 2018 – Part 2

2/6/2018

In part one of our Password Best Practices Primer, we mentioned SplashData’s “Worst Passwords” report, which revealed that the most-used password, for the fourth consecutive year, was “123456.” And “password” ranked in second place.

Chuckling at these lazy password practices may be entertaining, but the role compromised credentials play in cybersecurity is no laughing matter. Per a recent brief by CIODive, as many as 300 billion passwords will be available for pilfering by 2020, which could lead to as much as $6 trillion worth of cybercrime.

We reviewed our archive of posts promoting good password hygiene, as well as a few recent articles on the subject. Part 1 of our Primer covered powerful tips for educating your organization on password best practices. Look here for a refresher.

Now, here’s a set of five more powerful password techniques:

  1. Recommend passphrases instead of passwords.
    Former hackers testify that single-word passwords are easy to hack. So, instead of just one word, weave three into the mix like “Secure”, “Cyber” and “Rules.” Because some websites limit password fields to 16 characters, creating passphrases will take some creativity. So, make the process fun and engaging by avoiding common phrases and terms. Among the techniques we saw were pulling lyrics from favorite songs or lines from beloved books or poems. Of course, these short citations shouldn’t draw from pop culture but from personal preferences never expressed on social platforms.
  2. Discourage defaulting to linked accounts.
    This counsel applies mostly to social apps but comes into play with many business sites, too, such as digital magazines. If a website offers to use credentials from another account such as LinkedIn, Facebook or Twitter, opt for creating a new account instead. Sure, linking credentials is convenient. And yes, good sites ask for your permission and re-authorization frequently. But this expediency does create exposure and risk. If any one link in your chain of credentials is breached, your entire digital presence could be compromised.
  3. Require multifactor authentication for your networks and encourage it for personal devices.
    Multifactor authentication combines two or more independent credentials: what the user knows – e.g., a login and password; what the user has received from a validating authority – e.g., a security token texted during login; and/or what the user is – e.g., biometric verification like a fingerprint. Multifactor authentication is especially important for email accounts, as those applications can become pathways for hackers to other credentials (password resets for almost every other account land in the inbox).
  4. Research password managers for your staff and offer recommendations.
    We champion a clean-desk policy to support greater cybersecurity and counsel against writing out passwords and storing them in any hard or soft format. Many technology publications review and rate password managers on a regular basis – e.g., this recent article in PC Magazine. Talk to your MSP about the best fit for your organization.
  5. Include your IT Managed Services Provider (MSP) in your education process.
    Good MSPs track the latest data breaches and continually update their testing and training programs. Not only can your MSP alert you and your team to breaches that may affect your business systems and/or your staff’s personal credentials, but your MSP’s support team can test for compromised files proactively and provide regular user training to help you stay ahead of the hackers.
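The passphrase advice in tip 1 is easy to turn into a check that an onboarding form or help desk script can run. The following Python is an added example written for this post, not code from the original article or from any vendor it mentions. The blocklist is constructed for the example (it contains the two SplashData entries named above plus a few other common choices; a real deployment would load a full breached-password list), and the `site_max` parameter models the 16-character field limit the post mentions.

```python
import re

# Constructed blocklist for this example: the two SplashData entries named in the
# post plus a few other perennially common choices. A production check would load
# a much larger breached-password list instead.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "12345678", "iloveyou"}

# Splits "SecureCyberRules", "secure-cyber-rules" and "secure cyber rules" alike into
# their component words. Digit runs count as a single word, so "123456" is one word.
_WORD_RE = re.compile(r"[A-Z]?[a-z]+|[A-Z]+(?![a-z])|\d+")


def split_words(candidate: str) -> list:
    """Return the words that make up a candidate passphrase."""
    return _WORD_RE.findall(candidate)


def evaluate_passphrase(candidate: str, min_length: int = 12, min_words: int = 3,
                        site_max: int = None) -> dict:
    """Apply the post's passphrase rules and report every rule the candidate fails.

    min_length / min_words are the local policy (assumed values for this example);
    site_max, when given, is the length cap imposed by the site the passphrase is for.
    """
    issues = []
    if candidate.lower() in COMMON_PASSWORDS:
        issues.append("on the common-password blocklist")
    if len(candidate) < min_length:
        issues.append(f"shorter than {min_length} characters")
    if site_max is not None and len(candidate) > site_max:
        issues.append(f"longer than the site's {site_max}-character limit")
    words = split_words(candidate)
    distinct = {w.lower() for w in words}
    if len(distinct) < min_words:
        issues.append(f"fewer than {min_words} distinct words")
    return {"ok": not issues, "words": words, "issues": issues}


if __name__ == "__main__":
    # Constructed sample inputs: the post's two worst passwords, its three-word
    # example, and the same example once it outgrows a 16-character field.
    for sample in ("123456", "password", "SecureCyberRules", "SecureCyberRulesToday"):
        print(sample, "->", evaluate_passphrase(sample, site_max=16))
```

The word splitter is what makes the check useful for the post's advice: it recognises the three words in “SecureCyberRules” whether they are run together, spaced or hyphenated, so a user is not pushed toward separators that a 16-character field cannot spare.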