Updated: Feb 26, 2020
How secure are your password practices? Weak passwords and policies represent an enormous security risk.
Passwords are a cornerstone of digital and network security. They always have been. Yet they also represent the one of the most significant cybersecurity threats facing your organization.
In its 2019 Data Breach Investigations Report, telecommunications company Verizon found that 80 percent of hacking-related data breaches and 29 percent of all breaches are in some way linked to passwords.
This could mean using credentials stolen via phishing. It could involve using passwords from other compromised services. Or it could mean simply breaking in with brute force.
The only thing the above tactics have in common is that all are preventable. The first step is to understand what constitutes a strong password and good password practices. The second is to add an extra layer of protection with password management and multifactor authentication through software like LastPass.
What makes a password secure?
There are several criteria that come into play when measuring password strength:
Length. 8-12+ characters.
Complexity. Avoid common words and patterns like ‘password,’ ‘qwerty,’ or ‘123456’. Include upper-case and lower-case letters as well as both numbers and symbols.
Neutrality. Avoid personally identifiable information such as names, places, and dates.
Memorability. Doesn’t require several hours of memorization to recall. A completely random string of characters is arguably the most secure. However, it’s also near-impossible to remember. Instead, we recommend the following approach:
Use a passphrase generator to create a random string of words, such as sixtieth bovine task carnation. Many password generators include a tool that allows you to do this.
As an optional second step, weave in capital letters, symbols, and numbers at your discretion.
Memorize your passphrase through a mnemonic device – for example, the sixtieth’s bovine’s task is to bring carnations.
Poor password hygiene puts
everyone at risk
Even a strong password can be undermined by bad habits. Most people have at least a few in their personal lives. These tendencies can carry over to the workplace, putting your business at risk:
Password reuse. Using the same few passwords across multiple services means a hacker only needs to break into one account to gain access to everything else.
Writing passwords down. A post-it note on a computer screen might seem innocuous, but it’s the password equivalent of leaving your credit card unattended at a restaurant. All it takes is the wrong person seeing it, and you’re compromised.
Sharing. Giving someone else your login credentials is rarely a good idea, and makes it far more difficult for your business to control access to sensitive materials.
No Two-Factor Authentication. Two-factor authentication adds an extra layer of protection, ensuring a user is who they say they are upon login.
SMS-based 2FA. Text messages are easy to hijack, and have been involved in several high-profile data breaches. SMS-based 2FA is better than nothing, but not as good as a token-based or app-based authenticator.
Using public Wi-Fi. Most public wireless networks are poorly-secured, and information sent and received over them can be hijacked – including passwords.
Never changing your password. Passwords should be changed at least every three months.
Carelessness with devices. Don’t leave any device unattended in a public place, and ensure your business has a way to remotely wipe compromised hardware.
Why everyone should be using
a password manager
As the volume of sites, software, and services in our lives has increased, it’s become impossible to create a strong password for each of them. Not without help. There are simply too many.
It’s not possible to create a strong password for every single website, app, or service. Not without help. There are simply too many.
That’s why Wappo recommends all our clients use a password manager – we use LastPass ourselves, but there are many other options that achieve the same end.
With a password manager, the only thing you need to remember is a single master password. Logins for your other accounts are all locked behind that password. In the case of LastPass, the software also includes a built-in authenticator, controls for managing users, policies, and reporting, and the ability to link work and personal accounts.
Passwords have been around for decades, and it’s unlikely they’ll go away anytime soon. But their prevalence doesn’t need to put you at risk. By understanding best practices and leveraging a password manager, you can protect not only your business, but your personal life as well.