Did you know one of the easiest vulnerabilities for a cybercriminal to target when infiltrating your system is your password? 81% of 2021 US data breaches were caused by weak passwords with high credentials according to the Verizon 2021 Data Breach Investigation Report (DBIR). They’re a common human error, but the reason we do it is simple– we don’t want to carry around an ever-extending list of passwords, we want to log in as fast as possible off memory alone.
It’s an understandable way to make our days a little easier, but the risk you pose by not properly securing your passwords is far greater than a slight delay in logging in. Thankfully, there are much easier ways to have strong, secure passwords at your disposal without having to write them all down on a sticky note. As we observe May 5th, Password Day, here are some of our recommendations for keeping your account safe.
Short and sweet isn’t going to cut it. Hackers love short and sweet because it’s so easy to crack!
Think bigger. Your passwords need to be different from one another, but also longer. We recommend 12 characters at a minimum, but you can go longer than that if the system allows for it. In addition, although you’ll read that a completely random concatenation of special characters numbers and letters is the most solid form of protection, it’s probably not the easiest to remember.
Instead of nonsense passwords, we recommend thinking with nonsense phrases.
Try using 3-4 unrelated phrases that have no personal meaning to you, then add in special characters and numbers.
Instead of being overwhelmed by the usual kerfuffle of a randomly generated password, you have some sense of familiarity, and it will be easier to remember the next time you log in.
MFA (Multifactor Authentication)
We can’t stress enough how much MFA safeguards your account information.
MFA is a login protective measure that requires an extra step after inputting a password, like a verification code texted to your phone, a secondary password sent to your email, or, for businesses, a randomly generated TOTP (timed one-time password) that resets anywhere from 30 to 60 seconds.
It’s better to have MFA enabled because, although passwords and username combinations are always at risk of being cracked by experienced cybercriminals, they wouldn’t be able to proceed with accessing your account information unless they have the second form of verification. Locking that second form of verification behind TOTPs, emails, and phone numbers can halt a potential cybercriminal’s attack and protect your PII (Personal Identifiable Information).
Set up MFA on every account you can if there’s an option for it. MFA isn’t completely solid, although nothing is, but it’s better to have as many safeguards as possible when protecting your account than nothing at all. For small-to-medium-sized businesses, a TOTP application for all of your employees is worth the investment.
If you have a lot of accounts and passwords to keep track of, it’s worth it to get a password manager.
And no, we don’t mean storing it in a browser. In fact, we highly recommend storing that information behind a browser keychain. Keeping login information behind the thin veil of protection a browser storage can offer basically opens the door right open for cybercriminals.
A password manager is designed to store and manage all of your password information in a heavily encrypted database, stored securely behind a final master password. Some password managers can generate complex passwords for you if you’re unsure what your next password should be using a computer-generated randomizer.
There are different kinds of password organizers depending on if you’re using it for personal or business purposes. When choosing a password manager, be thorough. Research if there’s been any recent breaches at the responsible company (since it’s their servers they’re keeping your passwords on), and make sure they’re fully transparent in all of the information they provide.
You don’t want to entrust your passwords to just anyone.
What if I don’t want to use passwords at all?
The odds are in your favor– the modern tech world is currently leaning towards that future. In fact, larger companies such as Microsoft are actively taking on measures to allow their employees to access their system without the need for a password.
Along with MFA and physical USB keys, many companies are exploring options such as facial recognition and fingerprints as login credentials. These are currently imperfect options because, as it stands, this can also potentially expose your biometric data to cybercriminals if they were to find a vulnerability in the system and access your account.
As we race steadfast into a high-tech world, there’s nothing wrong with exploring alternative options if they are available, but until a password-less future is deemed safe for us to move into, securing your current password strings is your best bet.
Want to learn more about securing your organization’s passwords with more advanced options?