October is Cybersecurity Awareness Month. This year’s theme is Own IT. Secure IT. Protect IT. Cyberattacks are on the increase, and many of them target individuals as an easy access point to company information systems. One of the first steps we all can take to secure our personal information and the information of our companies and clients is to use stronger passwords.
Creating complicated passwords and changing them regularly may seem like a hassle, but it’s nothing compared to the problems that arise from a data breach! With that in mind, here are some suggestions for building stronger passwords.
Know what makes a strong password.
Fun fact: There’s no definitive rule for what constitutes a strong password. Even the National Institute of Standards and Technology (NIST) offers only general guidelines, and its current guidance (SP 800-63B) favors length and screening against known-compromised passwords over rigid composition rules. Common requirements on real systems include:
- Is at least 8 characters long
- Uses a combination of uppercase and lowercase letters
- Contains a digit
- Includes a special character
Less common, but very beneficial, additional requirements may include:
- No character may repeat more than 3 times
- Not used previously by the user
- Not used previously on the system
- Does not appear in a dictionary
- Does not appear on lists of previously compromised passwords
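The following checker, an added example and not code from the original article, turns the two lists above into a single policy function. The dictionary, the breached-password list and the user's password history are tiny constructed sets; a real deployment would load a full word list and the Have I Been Pwned corpus (published as SHA-1 digests, which is why the lookup hashes with SHA-1) and would keep password history under a slow, salted hash rather than plain SHA-1.

```python
import hashlib
import re
from collections import Counter

# Constructed sample data for the example: a tiny dictionary and a tiny
# breached-password list. Real systems use a full word list and the
# Have I Been Pwned corpus, which is distributed as SHA-1 digests.
DICTIONARY_WORDS = {"password", "welcome", "summer", "dragon", "monkey"}
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password123", "Summer2019!", "qwerty")
}


def sha1_hex(password):
    """Upper-case hex SHA-1, the form used by breached-password lists."""
    return hashlib.sha1(password.encode()).hexdigest().upper()


def password_failures(password, previous_sha1=()):
    """Return the list of rules a candidate password fails (empty = accepted).

    previous_sha1: SHA-1 digests of the user's earlier passwords. This is a
    simplification for the example; a production history store would use a
    slow, salted hash such as bcrypt or Argon2.
    """
    failures = []
    if len(password) < 8:
        failures.append("fewer than 8 characters")
    if not re.search(r"[a-z]", password):
        failures.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        failures.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        failures.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        failures.append("no special character")
    # No single character may appear more than 3 times.
    if max(Counter(password).values(), default=0) > 3:
        failures.append("a character repeats more than 3 times")
    # Dictionary check ignores case, digits and symbols, so "Summer2019!"
    # is still recognised as the word "summer".
    letters_only = re.sub(r"[^a-z]", "", password.lower())
    if letters_only in DICTIONARY_WORDS:
        failures.append("based on a dictionary word")
    digest = sha1_hex(password)
    if digest in BREACHED_SHA1:
        failures.append("appears in a breached-password list")
    if digest in previous_sha1:
        failures.append("used previously by this user")
    return failures


if __name__ == "__main__":
    for candidate in ("Summer2019!", "password", "aaaa1234A!", "Tr0ub4dor&3"):
        print(candidate, "->", password_failures(candidate) or "accepted")
```

Note that "Summer2019!" satisfies every composition rule yet fails twice, on the dictionary and breach checks; that is exactly why the second list of requirements matters more than the first.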
Remember, too, that what constitutes a “strong” password changes over time.
Keep it private.
Even the best password isn’t much protection if lots of people know what it is. The stereotypical example of this bad practice is keeping your password written on a sticky note on or near your computer or device. (It even appeared as a plot point in the popular 2018 sci-fi film Ready Player One.)
Not having your password written down in plain view is pretty obvious, but there are lots of other ways that privacy gets breached. For example:
- Shared credentials for shared applications
- Managers/supervisors having access to team members’ passwords, “for emergencies”
- Keeping passwords on unsecured lists
It’s always more secure for each user to have his/her own credentials for every application. Additionally, no one else, including IT, needs to know an employee’s password: a properly designed system stores only a hash of it, and when an emergency really arises approved IT personnel can reset the account through a documented process rather than look the password up. (This is for the protection of the manager or supervisor as much as the employee and the company!)
Avoid patterns/reusing old passwords.
Human brains evolved to find patterns. That means we’re truly awful at trying to be “random.” Still, you can avoid falling into obvious patterns as a shortcut in creating your passwords. For example:
- Using the same “stem” and adding a few characters to make it “new” (e.g. logmein-spring2019, logmein-summer2019)
- Shuffling the same elements around (e.g. bluecatpizza333, catbluepizza333, pizzablue333cat)
Using such similar passwords means that if your credentials are compromised on one site or application, your entire online world instantly becomes highly vulnerable.
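A password-change form can catch the two shortcuts above, and the "only the digits changed" variant, before the new password is accepted. The check below is an added example, not code from the original article; the 5-character stem threshold is an assumption chosen for the example. It needs the old password in cleartext, which is why change-password forms ask for the current password: a history store that holds only hashes can detect exact reuse but not near-duplicates.

```python
import re


def normalise(password):
    """Lowercase and drop digits/punctuation so only the words remain."""
    return re.sub(r"[^a-z]", "", password.lower())


def common_prefix_len(a, b):
    """Length of the shared leading run of two strings."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def too_similar(old, new, min_stem=5):
    """Return why `new` is a thin variation of `old`, or None if it is not.

    min_stem is the shortest shared prefix or suffix treated as a reused
    "stem" (an assumed threshold for this example).
    """
    if old == new:
        return "identical"
    # Shuffling the same elements around: bluecatpizza333 / pizzablue333cat
    if sorted(old) == sorted(new):
        return "same characters in a different order"
    # Only the year, case or punctuation changed: Summer2019! / Summer2020!
    if normalise(old) == normalise(new):
        return "differs only in digits, case or punctuation"
    # Same stem with a new tail: logmein-spring2019 / logmein-summer2019
    stem = common_prefix_len(old.lower(), new.lower())
    if stem >= min_stem:
        return f"shares the stem {new[:stem]!r}"
    tail = common_prefix_len(old.lower()[::-1], new.lower()[::-1])
    if tail >= min_stem:
        return f"shares the ending {new[len(new) - tail:]!r}"
    return None


if __name__ == "__main__":
    pairs = [
        ("logmein-spring2019", "logmein-summer2019"),
        ("bluecatpizza333", "pizzablue333cat"),
        ("Summer2019!", "Summer2020!"),
        ("Tr0ub4dor&3", "correct horse battery"),
    ]
    for old, new in pairs:
        print(f"{old!r} -> {new!r}: {too_similar(old, new) or 'looks different'}")
```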
A similar issue involves reusing passwords. In her terrific TED talk What’s wrong with your pa$$word?, privacy and security researcher Lorrie Faith Cranor explains that reusing passwords is even worse for security than writing them down!
Many systems prohibit reuse, either for a certain period of time or ever again. The bad practices mentioned above are two ways to try to get around these bans. Another is what I call precession: the password for application A gets re-used for application B, B’s gets re-used for application C, etc.
Watch your social media content.
Whether it’s choosing elements for your password or selecting answers for security question prompts, it’s natural to turn to the familiar. Nowadays, however, social media means that things and people that are meaningful and memorable for us as individuals are also out there for the whole world to see.
So if your Facebook account is full of pictures of you and your fur-babies (identified by name, of course), don’t use your pet’s names or breeds as password components. The same goes for family members, sports teams, favorite movie and TV characters, song titles, etc.
Also, be aware that cybercriminals can use the information you post to impersonate you in phishing attacks, especially information about your travel schedule.
Don’t let your browser remember passwords for you.
Okay, we all do it. It’s so useful to let your favorite browser remember your login ID and password. But it’s a security risk: anyone who can use your unlocked browser profile, and any malware running under your account, can read or export those saved passwords, and a browser’s built-in store is usually not protected by a separate master password. A better choice is to use a password manager. There are lots of options, many of them free. Some managers also help you generate strong, random passwords or store personal data used to auto-fill online forms. With a manager, you only need to remember one strong master password, no matter how many websites, applications or online accounts you use. Most managers also support two-factor authentication for the vault itself, which further enhances security.
It’s an old truism in IT that people are an information system’s greatest vulnerability. By using strong passwords you help ensure that you won’t be the weakest link in your company’s cyber defenses. Stay safe!
A version of this article appeared previously on my LinkedIn account on February 6, 2019.