How Secure is Your Password? First Steps to Safeguarding Your Data
From spear-phishing schemes to cyber extortion plots, cybercriminals are reaching new levels of sophistication in their attempts to confiscate sensitive material, commit identity theft, or access funds.
We've trained ourselves to be more aware of these elaborate cybersecurity schemes, but we often forget that the gateway to much of our information is only secured by one extremely simple and vulnerable feature: a memorized secret authenticator, otherwise known as a password.
Whether you’re safeguarding your work PC or personal mobile device, password security is the first and arguably most important step you can take to protect your company's sensitive information and prevent a data breach.
Unfortunately, users often don’t put the necessary effort into creating a strong, secure password, thereby leaving that sensitive information in peril and potentially easily accessed by intelligent hackers.
Creating secure passwords
Strong password creation may sound like a simple task, but it isn't, especially in today’s security-heightened marketplace. Far too many users make the same mistakes over and over by reusing passwords, failing to create a unique password for each new login, or — possibly the most clichéd habit of all — using their pet's name as their password.
How can you develop good password hygiene and reduce the chances of an attacker being able to successfully engineer a security breach? Knowing what a secure password looks like and how to create one is a good place to start.
It's worth noting that the National Institute of Standards and Technology (NIST) has updated its password guidelines in accordance with new research. All U.S. government agencies are required to follow NIST password guidelines, and most other organizations can benefit from following suit.
NIST-approved recommendations for password security include:
Use longer passwords
Passwords should be at least eight characters in length (although some sites may allow a six-character password if the password is created using a random password generator) and may be as long as 64 characters. A long password is statistically less likely to be hacked, as are generated passwords. An alphanumeric combination is advised, including both upper- and lowercase letters as well as special symbols.
Don't use hints or specific prompts
Allowing users to ask for a hint or answer a specific type of security question can quickly lead to a compromised password. A hacker can glean personal information through social engineering, and then guess a password for an online account with the help of preset hints or questions.
Avoid using a standalone dictionary word
Single-word passwords can be cracked by a dictionary attack, a form of brute-force attack in which a program tries every word in a dictionary. However, you can string several dictionary words together to create a complex password known as a passphrase. Four or five words is the suggested minimum for a passphrase.
Avoid using obvious or repetitive passwords
Don't repeat the same letter or number as your password (such as "aaaaaaa" or "5555555"). Also don't use words that are derivatives of the platform or tool name, such as "Facebook.99" for your Facebook password or "BankOne@5" for your bank account login.
Never use blacklisted passwords
Many passwords appear in breach corpora precisely because they are so common. These include "password," "administrator," "12345678" and so on. Using one of these previously stolen passwords as part of your login credentials nearly ensures you'll be hacked, leaving your private data exposed.
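As an added example that is not part of the original article, the following Python check applies the five recommendations above as a policy over a candidate password. The dictionary and breach blacklist are small constructed samples; a real deployment would load a full word list and a breach corpus.

```python
import re

# Constructed sample lists for this example (assumption, not data from the article).
DICTIONARY = {"password", "sunshine", "dragon", "welcome", "monkey", "correct",
              "horse", "battery", "staple"}
BREACHED = {"password", "administrator", "12345678", "qwerty", "letmein"}

MIN_LEN, MAX_LEN, MIN_PASSPHRASE_WORDS = 8, 64, 4


def check_password(pw: str, service: str = "") -> list[str]:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    lowered = pw.lower()

    # Length: the 8..64 character window recommended above.
    if len(pw) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")

    # Blacklist: case-folded exact match against known-breached passwords.
    if lowered in BREACHED:
        problems.append("found in breach blacklist")

    # Obvious/repetitive: one character repeated throughout ("aaaaaaaa").
    if pw and len(set(pw)) == 1:
        problems.append("single repeated character")

    # Derived from the platform name ("Facebook.99" for a Facebook login).
    if service and service.lower() in lowered:
        problems.append(f"contains the service name '{service}'")

    # Standalone dictionary word: the alphabetic content (digits and symbols
    # stripped) is exactly one dictionary word. Several dictionary words are
    # only acceptable as a passphrase of at least MIN_PASSPHRASE_WORDS words.
    words = re.findall(r"[a-z]+", lowered)
    if len(words) == 1 and words[0] in DICTIONARY:
        problems.append("standalone dictionary word")
    elif words and all(w in DICTIONARY for w in words) and len(words) < MIN_PASSPHRASE_WORDS:
        problems.append(f"passphrase has fewer than {MIN_PASSPHRASE_WORDS} words")
    return problems


if __name__ == "__main__":
    for candidate, svc in [("Dragon99!", ""), ("Facebook.99", "Facebook"),
                           ("correct horse battery staple", ""), ("xK9#vLq2mTz!", "")]:
        print(f"{candidate!r}: {check_password(candidate, svc) or 'accepted'}")
```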
Additional password guidelines
In addition to following these guidelines and training employees to do the same, consider implementing a password policy that requires users to accept random strings of letters and numbers from a secure password generator and encouraging the use of a password management system.
Use a password manager or vault
A password manager helps you create a new secure password for every site you visit that requires a login. It stores all of your passwords for you and can generate and remember new ones whenever needed.
A password vault can also allow you to store other types of data in a secure form such as credit card numbers or other secure data. All of the data you store is encrypted with your master password, so you only have a single password that you absolutely have to memorize.
As long as you make your master password strong and store a copy of it someplace completely secure, like an actual bank vault, you can have peace of mind.
Another benefit of using a password manager is that it won't fill out account information into websites if it doesn't recognize and verify the web address. This can help protect you against phishing attempts.
For example, if you visit a bank or utility website and your password manager doesn't automatically fill in all of your login information, it's possible that you're on a phishing website with a slightly different URL.
This can happen if hackers buy a domain that is similar but with a typo, and squat on it to mirror the real website. If they send you an email with a warning message that you need to log in immediately or that you need to change your password, they can trick you into entering your information.
Use a password strength checker
If using a vault just isn't possible, use a password strength checker, and make sure users can paste into the password field and view the password they have typed on a trusted screen or mobile device before it is submitted. The password checker can help mitigate the use of weak passwords.
Don't reuse passwords
Use a different password for each portal/access point. If you use the same password on multiple accounts, you give hackers more opportunities to access your critical information.
If the same password is used to protect your online banking information, airline reservation booking and retail accounts, for example, a bad actor could easily leave your personal finances in shambles.
Of course, if you have crafted unique passwords of at least eight diverse characters for each of the domains/sites/devices you utilize, you may be thinking "How on earth can I expect to remember all of those different password combinations?"
If your memory isn't up to the task of storing multiple logins, don't fall prey to the temptation to write all of your logins on a piece of paper or a sticky note, or type them into a document and save it on your computer. This will give hackers easy access to your passwords.
Instead, consider a password management tool like those described above to help you control access. Make sure that your master password is unique, or you could find out that a hacker broke a single code to gain access to all the rest.
Don't force complexity
Be prepared for password change requirements, but don't push for frequent changes unless it's absolutely necessary. Every 90 days is a reasonable minimum limit for routine password changes.
Making users change their passwords monthly just leads to poor password hygiene, as many users will simply change a single digit at the end to create their "new" password.
Implement two-factor authentication
Finally, embrace two-factor authentication. This helps prevent hackers from using stolen passwords or login credentials by adding an extra layer of security.
The most common type of two-factor authentication combines something you know — a password or passphrase — with something you have — typically a device that can receive a code used as an additional one-time password.
By following these password guidelines, you can create strong passwords and increase your data security.
For more information on how to improve cybersecurity across your network, contact us today. You can also visit our Cybersecurity Resource Center for more cybersecurity related resources.