Password management is one of the simplest and most important parts of our business and personal lives in today’s connected world, and yet it is so often overlooked or ignored. Every year, there are reports of data breaches in which customer information is exposed to the public. In recent years we’ve had a range of major breaches – names like LinkedIn, Tumblr, Yahoo! and the long-forgotten MySpace. This information has been mined and analysed by companies like Keeper to provide reports on the most commonly-used passwords. It may or may not shock you to learn that “123456” is the “winner” of this list.
So how do you keep your Outlook account safe as well as your Facebook page? Well..
- Don’t rely on passwords alone! This is one of the more important ones. A lot of major sites and applications these days support a technique known as “multi-factor authentication” (or MFA), which requires a code to be entered, along with your username and password, in order to access the site. This code is generated every 30-60 seconds by applications like Google Authenticator. The end result of this is that even if your password is compromised, an attacker will still need access to your mobile device in order to access your account.
- Password complexity is important. I have to mention this one, as it seems a lot of you aren’t getting the message. I’m looking at you, Mr/Mrs “123456”. A strong password will contain a capital, a number and a special symbol (e.g. # $ %), and be at least 8 characters longer (the longer the better!). Try to avoid using actual words – a good technique is to take the first letter of a phrase e.g. The quick brown fox jumps over the lazy dog will become Tqbfjotld.
- Avoid using common passwords. This seems obvious, but “123456” just isn’t secure. Even variations on common passwords should be avoided – things like P@ssw0rd aren’t secure either.
- Change your damn password. Another common pitfall is to keep the same password forever, if your service allows it. This is a big no-no, and you should change your password every 90 days or so. Is this annoying? Sure. But so is dealing with the bank after $5000 has been stolen because you’ve been using the same password for everything since the Internet was invented.
- Avoid putting all your eggs in one basket. I have 2 points to make here – the first is that you should try to avoid using the same password for multiple sites, as this can allow attackers who have compromised one account to access others, which in turn may provide them with sufficient information to launch a social engineering attack on a 3rd service (like your bank!). The unfortunate result of this is that you will end up with a number of passwords, which can be difficult to remember. This in turn will likely result in you turning to a service like LastPass (which, by the way, was breached in 2015). It’s best to avoid keeping all your passwords in one place like this – instead, try to separate them out into multiple places to minimise risk.
- Don’t email your password! This is something that still tends to surprise people, but the email we use today is still based on the technology that came into play 30 years ago, and is inherently insecure. You should avoid sending passwords in email wherever possible, and if you absolutely MUST, then at least separate the username, password, and what they’re used for into multiple methods of communication (e.g. email the username, and send the password via text).
If you follow these tips, you’ve taken several steps towards making your personal and business information secure.
If you are looking for some recommendations on how to improve your business’ security get in touch today! Want to learn more?
Contact us to discuss how Starboard IT can help protect your business against loss of money, data and reputation.