Relieving the Pain of Password Security

Posted by Lindy Trout on Jan 30, 2020 12:55:15 PM

It’s Easier than you Think!

Fortifying your information security can be an intimidating task, especially for those of us who are less technologically inclined. Burying your head in the sand and hoping for the best is an alluring strategy, but the risk of a cyberattack is much more frightening than investing time and resources into network protection. Not to worry, getting started is just one step away! Implementing strong password behavior is the easiest way to start protecting yourself and your company against hacking and data theft. However, with frequent expiration dates, minimum lengths, and special character requirements, password management can feel like a system that is working against you. How can you strengthen your password policies to derail attackers without slowing down your team?

Why Care?

Once an attacker has your credentials, they can go exploring for sensitive information like bank numbers or passwords for other accounts. Even if you are careful about what you store in email, account compromise is a greater threat than data loss alone. For example, you could be impersonated. Imagine an attacker gains access to your Hotmail, messages your grandmother, and guides her through a bitcoin transaction to an overseas account, all while wearing your email address as a mask. Imagine a malicious actor gets onto the web application you use for work and holds your files for ransom. Account compromise is a threat to your company and your contacts as well as yourself.

What are they up to?

Brute-forcing and password spraying are two types of automated attacks: brute-forcing tries thousands of passwords against a single account, while password spraying tries one commonly used password against thousands of accounts. Every 60 milliseconds, an attacker can test a weak password against another user’s account. These automated attack strategies are adapting at a rate that is outpacing password security conventions. You can protect yourself by strengthening your passwords beyond the minimum requirements of the system you are using.
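The difference between the two attack shapes described above is also what a defender looks for in authentication logs. The following Python script is an added example, not code from the post or from ProCircular: it runs over a handful of constructed login-failure records and flags a brute-force pattern (many failures against one account inside a time window) separately from a spraying pattern (one source failing against many distinct accounts inside the same window). The log format, thresholds, and window length are assumptions chosen for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the original post).
# Format per line: "<ISO timestamp> <FAIL|OK> user=<name> src=<ip>"
SAMPLE_LOG = """\
2020-01-30T12:00:00 FAIL user=alice src=203.0.113.7
2020-01-30T12:00:01 FAIL user=bob src=203.0.113.7
2020-01-30T12:00:02 FAIL user=carol src=203.0.113.7
2020-01-30T12:00:03 FAIL user=dave src=203.0.113.7
2020-01-30T12:00:04 FAIL user=erin src=203.0.113.7
2020-01-30T12:00:05 FAIL user=frank src=203.0.113.7
2020-01-30T12:01:00 FAIL user=admin src=198.51.100.9
2020-01-30T12:01:10 FAIL user=admin src=198.51.100.9
2020-01-30T12:01:20 FAIL user=admin src=198.51.100.9
2020-01-30T12:01:30 FAIL user=admin src=198.51.100.9
2020-01-30T12:01:40 FAIL user=admin src=198.51.100.9
2020-01-30T12:01:50 FAIL user=admin src=198.51.100.9
2020-01-30T12:02:00 FAIL user=grace src=192.0.2.5
2020-01-30T12:02:05 OK user=grace src=192.0.2.5
2020-01-30T12:03:00 OK user=alice src=192.0.2.6
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    fields = dict(p.split("=", 1) for p in parts[2:])
    return {
        "time": datetime.fromisoformat(parts[0]),
        "result": parts[1],
        "user": fields["user"],
        "src": fields["src"],
    }


def count_in_window(times, window):
    """Largest number of events that fall inside any span of length `window`."""
    times = sorted(times)
    best, left = 0, 0
    for right, t in enumerate(times):
        while t - times[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def max_distinct_in_window(events, window):
    """events: list of (time, user). Largest number of distinct users inside any `window` span."""
    events = sorted(events)
    counts = defaultdict(int)
    best, left = 0, 0
    for t, user in events:
        counts[user] += 1
        while t - events[left][0] > window:
            old_user = events[left][1]
            counts[old_user] -= 1
            if counts[old_user] == 0:
                del counts[old_user]
            left += 1
        best = max(best, len(counts))
    return best


def analyze(log_text, window=timedelta(minutes=5), brute_threshold=5, spray_threshold=5):
    """Return accounts that look brute-forced and sources that look like password spraying."""
    failures_by_user = defaultdict(list)      # user -> [failure times]
    failures_by_source = defaultdict(list)    # src  -> [(failure time, user)]
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["result"] != "FAIL":
            continue
        failures_by_user[ev["user"]].append(ev["time"])
        failures_by_source[ev["src"]].append((ev["time"], ev["user"]))

    # Brute force: one account accumulating many failures in a short window.
    brute = sorted(u for u, ts in failures_by_user.items()
                   if count_in_window(ts, window) >= brute_threshold)
    # Spraying: one source touching many distinct accounts in a short window,
    # typically with only one or two failures per account.
    spray = sorted(src for src, evs in failures_by_source.items()
                   if max_distinct_in_window(evs, window) >= spray_threshold)
    return {"brute_force_users": brute, "spray_sources": spray}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Real deployments would read these events from the identity provider's sign-in log rather than a string, and would tune the thresholds per environment; the point of the example is that the two patterns are separated by counting along different axes (per account versus per source), so a rule that only counts failures per account will miss spraying entirely.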

What can users do?

When you think of a strong password, you probably think of a randomly generated combination of letters, numbers, and symbols that would be impossible to guess or even remember. However, you need to consider that potential threats to password security do not think the way you do. They are not human actors, but algorithms trained to test all combinations of characters within the parameters set by the password policy. The key to beating them is to think more like a human. Use a passphrase rather than a password to make your credentials longer and easier to remember. Lengthening your character count exponentially decreases your likelihood of password compromise. ProCircular recommends a 16-character passphrase made up of four short words. For example, “OwlsSingVeryWell” or “MikeSmellsLikeFries” have character lengths that are very difficult for machines to guess without getting locked out of the system. You can also add numbers and special characters to further strengthen your passphrase, “Wh0St0leMyTea?!” or “5:01isPartyTim3!”.

This strategy can also help cut down on password reuse. Passphrases are easier to remember than passwords and can be related to the system without sacrificing security. For example, a password cracking algorithm designed for Facebook is likely programmed to guess “F@c3b00k”, but it is less likely to guess “$0cialMediaIs$0cialMedusa”. Similarly, a Spotify password-cracking bot will probably guess “$p0tify123”, but it won’t guess “Despacit0DeservedAGrammy!”. Using words to create a passphrase with personal significance is an easily memorable way to secure your various accounts.

What can management do?

As an administrator, implementing multi-factor authentication (MFA) is a great way to improve password security without micromanaging your users’ password habits. MFA services, like Duo, follow a password prompt with a secondary verification that calls or texts the user’s phone. An attacker would have to access both the user’s credentials and their phone to gain access to the account. MFA protects companies against their employees’ weak passwords or insecure password storage with very little additional training or supervision.

You can also change password expiration cycles from quarterly to annual to discourage employees from using weak, disposable passwords like “Fall2020!”.
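The passphrase advice earlier in the post and the “Fall2020!” example just above can be turned into a policy check that runs when a user sets a password. The following Python checker is an added example, not code from the post or from ProCircular: it enforces the post's 16-character minimum, rejects a small constructed blocklist of common passwords (after undoing simple letter-for-symbol substitutions), rejects passwords that contain the service's own name the way “F@c3b00k” and “$p0tify123” do, and rejects season-plus-year throwaways. The blocklist, the substitution map, the reason codes and the bit estimate are my assumptions; the bit estimate is a crude length-times-alphabet figure to show how length dominates, not a figure the post states.

```python
import math
import re

# Constructed blocklist; a real deployment would use a breached-password list instead.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

# Undo common letter-for-symbol substitutions so "p@ssw0rd" is recognised as "password".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

# "Fall2020", "Winter21" and similar: season followed by a two- or four-digit year.
SEASON_YEAR = re.compile(r"^(spring|summer|fall|autumn|winter)(19|20)?\d{2}$")


def normalize(pw):
    """Lowercase and reverse simple substitutions for dictionary-style comparisons."""
    return pw.lower().translate(LEET)


def check_password(pw, service=None, min_length=16):
    """Return a list of reason codes; an empty list means the password passes the policy."""
    reasons = []
    norm = normalize(pw)
    # Season/year check runs on the raw lowercase text so digits in the year survive.
    alnum = re.sub(r"[^a-z0-9]", "", pw.lower())

    if len(pw) < min_length:                       # post recommends a 16-character passphrase
        reasons.append("too_short")
    if norm in COMMON_PASSWORDS:
        reasons.append("common")
    if service and service.lower() in norm:        # "F@c3b00k" for Facebook, "$p0tify123" for Spotify
        reasons.append("contains_service")
    if SEASON_YEAR.match(alnum):                   # "Fall2020!" style disposable password
        reasons.append("season_year")
    return reasons


def estimate_bits(pw):
    """Crude search-space estimate: length * log2(size of the character classes used).

    Assumes every character is drawn uniformly from the classes present, which overstates
    strength for dictionary words; it is only meant to show that length is the main lever.
    """
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        size += 33  # printable ASCII punctuation
    return len(pw) * math.log2(size) if size else 0.0


if __name__ == "__main__":
    for candidate, svc in [("OwlsSingVeryWell", None), ("F@c3b00k", "Facebook"),
                           ("$0cialMediaIs$0cialMedusa", "Facebook"), ("Fall2020!", None)]:
        print(candidate, check_password(candidate, service=svc), round(estimate_bits(candidate)))
```

The check deliberately compares against a normalized form rather than the literal string, because the post's point is that a cracking tool aimed at one service already expects the obvious substitutions; a policy that only looks for the plain word “facebook” would accept “F@c3b00k” and learn nothing from the post.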

What should everyone do?

As a rule, never store passwords in browsers: an attacker who accesses your machine would be able to extract those passwords and access any of your accounts. Never store passwords in clear text, especially in saved documents or in your email. Never use default credentials. Think about printers: an attacker could look up the default credentials online and clone all print jobs that run through your printer without you even knowing.

Try not to think of passwords as a hindrance; think of them as your partner in keeping your information secure. There are thousands of ways to protect yourself against cyber threats, and strong password behavior is a great place to start. Use these tips to get started on your cybersecurity journey!
