Password Security

If you read the post title you already know what we are talking about: passwords. These days more and more of our lives are spent online, and we rely heavily on passwords to confirm our identities. Everything from your social media accounts to your bank account requires a password, and if you’re not practicing good password security you could be in serious trouble. The three main aspects of a good password policy are as follows:

  1. Change your passwords often
  2. Never use the same password in more than one location
  3. Use complex passwords

Let’s break these down and address them individually.

1. Change your passwords often

What does this mean? It seems simple enough, but what does “often” really mean? Some IT departments require you to change your password every 2-3 months. Some people have been using the same password for 10 years and don’t see any need to change. You may be wondering why this is important in the first place. If you’re following rule 2 you may be wondering why you need to change your password at all. Should someone figure out your password for a particular site, it won’t affect anything else, so what’s the big deal?

The reasons are two-fold. On the one hand, just because a service was compromised doesn’t mean your password was… right away. Companies should be salting and hashing passwords, which is another way of saying “adding extra data to the password and then scrambling it in a way that can’t be reversed.” Typically that means even if someone steals the passwords out of a database, they’re unusable. When you log in, the company can check that your password matches the stored scrambled version—but they can’t “work backward” from the database and determine your password. As we found out in recent attacks on Google, Facebook, and others, not everyone is protecting your password; many large companies are still storing your password in plain text. Sometimes a company will do everything right when initially storing your password and then add new features that cause problems. Besides Facebook, Robinhood, Github, and Twitter accidentally logged plain text passwords. In the case of Facebook and Robinhood, when users provided their username and password to sign in, the logging function could see and record the usernames and passwords as they were typed. It then stored those logs elsewhere. Anyone who had access to those logs had everything they needed to take over an account.
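As an added illustration (not code from the original post), here is how a service can salt and hash a password on signup and later check a login against the stored record without ever keeping the plain text. The record format and the PBKDF2 parameters are assumptions for the example, not anything the post specifies.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for the key-derivation function. The iteration count
# slows down anyone who has stolen the database and is guessing passwords.
ALGORITHM = "sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record: scheme, iterations, salt and derived key (all hex).

    A fresh random salt is generated per password, so two users with the same
    password get different records and cracking one does not reveal the other.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_{ALGORITHM}${ITERATIONS}${salt.hex()}${derived.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the key from the candidate password and compare in constant time."""
    scheme, iterations, salt_hex, expected_hex = stored.split("$")
    algorithm = scheme.split("_", 1)[1]  # "pbkdf2_sha256" -> "sha256"
    derived = hashlib.pbkdf2_hmac(
        algorithm, password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(derived, bytes.fromhex(expected_hex))


if __name__ == "__main__":
    # Constructed sample: two users who happen to pick the same password.
    record_a = hash_password("turkeymexicopassword")
    record_b = hash_password("turkeymexicopassword")
    print(record_a)
    print("records differ despite same password:", record_a != record_b)
    print("plain text absent from record:", "turkeymexicopassword" not in record_a)
    print("correct password verifies:", verify_password("turkeymexicopassword", record_a))
    print("wrong password rejected:", verify_password("JKL@!*FJ$", record_a))
```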

Secondly, the attacker may have access to your account but not do anything to let you know it. Perhaps they gained access to your e-mail account but don’t send out any e-mails or change your settings; they just use it to receive password reset forms from your bank, for example. You may think that changing your password 4-6 times a year is overkill, and in some cases it is, but we recommend changing passwords at the very least once or twice a year.

2. Never use the same password in more than one location

This may seem obvious, but it’s amazing how many people pick one password and decide to use it for everything. Or maybe they have a handful that they switch between. The reason this is so important is that security breaches happen. Just look at the news this past year. A giant company like Facebook was compromised. If you were using the same password to log in to Facebook that you use to manage your bank, just think about the consequences.

We know trying to keep track of multiple passwords for multiple sites can be difficult, but the security it will provide you online is worth the extra effort. There are several password management systems available, many at no or minimal cost: KeePass, LastPass, PassPack and 1Password, to name a few, will securely store your passwords. All you will need to remember is one password to get you into your password management system, where all your passwords are securely and safely stored. Many people keep a list in a Word or Excel document; that will work also, but do not save the file on your computer. Print out your cheat sheet and keep it in a safe place, and if you have to save the file, save it on a thumb drive that only you use and don’t leave it plugged into your computer.

3. Use complex passwords

This particular pillar of the password trinity has been under recent debate. Some security experts believe too much emphasis has been placed on “complex”. Complex has generally been defined as “a minimum of 8 characters including numbers and letters.” Some sources will also add a distinction between upper and lower case letters, and/or include special characters (e.g., $*@&). The debate can best be illustrated in this xkcd comic on password strength.

So basically, using “JKL@!*FJ$” for a password would be technically less secure than “turkeymexicopassword”. Of course, we use the word technically with some qualification. Many brute force scripts have several options when dealing with word lists: they can mangle the words or combine words, so the passphrase could still be faster to crack. We stick with a minimum of 10 characters including upper and lowercase letters, numbers and special characters. Of course, there’s no way we could remember all that, which is why here at Pro Web Marketing we use PassPack to manage our passwords, largely because it makes it easy to share passwords with clients (one of its main features) and we know it provides a high level of security for us and our clients.

There you have it: you should really think about either switching to a password manager or updating the passwords in yours.
