Your Password Best Practices Primer for 2018 – Part 2
In part one of our Password Best Practices
Primer, we mentioned SplashData’s “Worst Passwords” report, which found that the most-used password
for the fourth consecutive year was “123456,” with “password” ranked second.
Chuckling at these lazy password practices
may be entertaining, but the role compromised credentials play in cybersecurity
is no laughing matter. Per a recent brief by CIODive, as many as 300 billion passwords will be
in use, and exposed to theft, by 2020, and the resulting cybercrime could cost as much as $6 trillion.
We reviewed our archive of posts promoting
good password hygiene, as well as a few recent articles on the subject. Part 1
of our Primer covered powerful tips for educating your organization on password
best practices. Look here
for a refresher.
Now, here’s a set of five more powerful tips:
- Recommend passphrases instead of passwords.
Former hackers testify that
single-word passwords are easy to crack: a dictionary word, even with a digit or symbol
bolted on, falls to a wordlist attack in seconds. So, instead of just one word, weave
three into the mix like “Secure”, “Cyber” and “Rules.” Because some websites
limit password fields to 16 characters, creating passphrases will take some
creativity. Make the process fun and engaging, but avoid common phrases
and terms. Among the techniques we saw were pulling lyrics from favorite songs
or lines from beloved books or poems; be aware, though, that famous quotations sit in the
same cracking wordlists as dictionary words. Any such short citation should draw not from pop
culture but from personal preferences never expressed on social platforms, and the strongest
passphrases are built from words chosen at random rather than from memory.
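To make the difference between a remembered lyric and randomly chosen words concrete, here is an added example (not code from the original post) that builds a passphrase with a cryptographically secure random source, computes its guessing entropy, honours a site's 16-character cap, and flags a phrase that appears in a list of well-known lines. The word list and the "known phrases" set are tiny constructed samples for the demo, and the 10 billion guesses per second used in the printout is an assumed offline cracking rate; a real Diceware-style list has 7,776 words.

```python
import math
import secrets
from typing import Optional

# Constructed, deliberately tiny word list for this demo. A real Diceware-style
# list has 7,776 words; use one of those in practice, never this sample.
WORDS = [
    "acorn", "bolt", "cave", "dune", "echo", "fern", "gust", "hawk",
    "iris", "jade", "kelp", "lime", "moss", "nest", "opal", "pine",
    "quay", "reef", "sage", "tide", "ulna", "vine", "wolf", "yarn",
    "zinc", "amber", "bloom", "coral", "dusk", "ember", "frost", "gale",
]

# Constructed sample standing in for the lyric and quotation lists that real
# cracking wordlists contain.
KNOWN_PHRASES = {
    "to be or not to be",
    "let it be",
    "may the force be with you",
}


def entropy_bits(word_count: int, list_size: int) -> float:
    """Guessing entropy of `word_count` words chosen uniformly from a list.

    Each uniformly chosen word contributes log2(list_size) bits, so the total
    grows linearly with the number of words and only logarithmically with the
    size of the list.
    """
    return word_count * math.log2(list_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time for an attacker to try every passphrase of `bits` entropy."""
    return 2.0 ** bits / guesses_per_second


def make_passphrase(word_count: int = 3, words=WORDS, separator: str = "-",
                    max_length: Optional[int] = None, attempts: int = 1000) -> str:
    """Build a passphrase from words chosen with the CSPRNG in `secrets`.

    `max_length` models a site that caps the password field (the article
    mentions 16 characters). Rejecting phrases that are too long is rejection
    sampling: the result is still uniform among the phrases that fit, but the
    effective list is smaller, so entropy_bits() becomes an upper bound.
    """
    for _ in range(attempts):
        phrase = separator.join(secrets.choice(words) for _ in range(word_count))
        if max_length is None or len(phrase) <= max_length:
            return phrase
    raise ValueError("could not build a passphrase within max_length; "
                     "use shorter words or fewer of them")


def is_known_phrase(phrase: str, known=KNOWN_PHRASES) -> bool:
    """True if the phrase (ignoring case and separators) is a famous line.

    A lyric or quotation that appears in a cracking wordlist has effectively
    zero guessing entropy, however long it is.
    """
    normalized = " ".join(phrase.lower().replace("-", " ").replace("_", " ").split())
    return normalized in {k.lower() for k in known}


if __name__ == "__main__":
    real_list_size = 7776  # size of the EFF long word list and the original Diceware list
    for n in (3, 4, 6):
        bits = entropy_bits(n, real_list_size)
        years = seconds_to_exhaust(bits, 1e10) / (365 * 24 * 3600)  # assumed offline rate
        print(f"{n} words from {real_list_size}: {bits:.1f} bits, "
              f"{years:.2e} years at 1e10 guesses/s")
    print("sample (tiny list, 16-char cap):", make_passphrase(3, max_length=16))
    print("'Let It Be' is a known phrase:", is_known_phrase("Let-It-Be"))
```

Three words from a 7,776-word list give about 38.8 bits, which an offline attacker at the assumed rate exhausts in well under a day; six words give about 77.5 bits, which does not. Three words from the 32-word sample list give only 15 bits, which is why the list size matters as much as the word count.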
- Discourage defaulting to linked accounts.
This counsel applies mostly
to social apps but comes into play with many business sites, too, such as
digital magazines. If a website offers to sign you in with credentials from another account
such as LinkedIn, Facebook or Twitter, opt for creating a new account instead.
Sure, linking credentials is convenient. And yes, good sites ask for your
permission and periodically ask you to re-authorize the link. But this expediency does create
exposure and risk: every linked site now trusts that one provider account, so if it is
phished or breached, the attacker inherits access to everything chained to it.
If any one link in your chain of credentials is breached,
your entire digital presence could be compromised.
- Require multifactor authentication for your
networks and encourage it for personal devices.
Multifactor authentication combines two or more independent credentials: what the user knows – e.g., a
password or PIN; what the user has – e.g., a hardware security key, an authenticator app on the
phone, or a one-time code texted during login (the weakest of these, since text messages can be
intercepted or redirected by SIM swapping); and/or what the user is – e.g., biometric
verification like a fingerprint. Multifactor authentication is especially
important for email accounts, since an attacker who controls a mailbox can use password-reset
links to take over the other accounts tied to it.
- Research password managers for your staff
and offer recommendations.
We champion a clean-desk
policy to support greater cybersecurity and counsel against writing passwords on paper or keeping
them in unencrypted documents, spreadsheets or notes. A password manager addresses the same problem
properly: it keeps credentials in an encrypted vault unlocked by one strong master passphrase, and it
can generate a unique random password for every site, so one breached site does not expose the
others. Many technology
publications review and rate password managers on a regular basis – e.g., this recent article in PC magazine.
Talk to your MSP about the best fit for your organization.
- Include your IT Managed Services Provider (MSP)
in your education process.
Good MSPs track the latest data breaches and continually update their testing
and training programs. Not only can your MSP alert you and your team to
breaches that may affect your business systems and/or your staff’s personal
credentials, but your MSP’s support team can proactively test for compromised systems
and provide regular user training to help you stay ahead of the hackers.