Working remotely and accessing often-sensitive business systems over the internet is a new experience for many businesses and workers. For many, it was forced on them far more quickly than was comfortable or could be thoroughly planned. This new reality comes with an expanded threat from cybercriminals, who now have brand new ways to access your sensitive data and a newfound desperation for quick and easy scores.
Digital security starts with the basics, and passwords are as basic as it gets. While it is often alluring to use simple, short, easy passwords to simplify your busy day, this can come at a surprising cost. It often takes only one weak link for a criminal to get into your network and hold it for ransom. Don’t think this threat goes away as soon as you return to the office. It’s ever-present for your cloud and online accounts, and for as long as you maintain the ability to work remotely, that same capability remains available to the bad guys too. Here’s what all of your employees need to do to ensure bad passwords aren’t that weak link.
Password Security: Uniqueness
Most important to password security is the uniqueness of your password. This primarily means not using the same password in multiple places, and not using the same passwords everyone else is using. It is vital that default passwords get changed. Avoiding reuse is important because it is significantly easier to recover or guess your password from a service that has been hacked – literally millions of times faster or more.
Do not assume you are safe because you used a different username or email address. Hackers are clever, and we all have large digital footprints that make it easy to link our online accounts. Lastly, avoid the most common passwords, such as “P@ssw0rd” in all its forms, “secret”, “123456”, and frankly anything under 8 characters that is not total gibberish. No amount of special-character substitution can save those passwords. When using passphrases, be wary of using unmodified quotes, verses or lyrics as passwords. These suffer from the same problems as common passwords, and it gets worse the more popular the source material is.
Password Security: Length
Almost as important is the length of passwords. When passwords are long enough, almost nothing else matters. Twelve characters is enough to give attackers pause but is still too short for important accounts. There is rarely an excuse for using shorter passwords on any service that needs passwords in the first place.
Passwords over 16 characters, or passphrases of 6+ words, will be somewhat difficult to recover or guess even if the service they are used on is compromised. We recommend businesses consider 16 characters the bare minimum across all employees and all important accounts. It is hard to overstate the benefit of making the password longer. Every time you add a character you make the password about 50 times stronger. That means a 16-character password is over a million times stronger than a 12-character one. Adding another four characters (20) is a further million times stronger than that.
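As an added example (not code from the original post), here is a small Python policy checker that applies the uniqueness rules from the previous section and the length rules from this one: it rejects reused passwords, undoes the usual character substitutions so “P@ssw0rd” is judged as “password”, flags unmodified well-known phrases, and accepts either 16+ characters or a passphrase of 6+ words. The common-password and phrase lists are constructed placeholders for the real breach-derived lists a deployment would load, and the strength_ratio helper turns the post’s “about 50 times per character” rule of thumb into a number, on the assumption of roughly 50 possible characters per position.

```python
"""Password policy checker: added example illustrating the post's uniqueness and
length guidance. Word lists are constructed placeholders, not real breach data."""
import math
import re

# Constructed stand-in for a real list of the most common leaked passwords.
COMMON_PASSWORDS = {"password", "secret", "123456", "qwerty", "letmein", "welcome"}

# Constructed stand-in for a list of well-known quotes, verses and lyrics.
COMMON_PHRASES = {"to be or not to be", "may the force be with you"}

# Substitutions guessing tools try automatically, so "P@ssw0rd" is judged as "password".
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})

MIN_LENGTH = 16            # the post's recommended minimum for business accounts
MIN_PASSPHRASE_WORDS = 6   # the post's passphrase alternative
CHARSET_SIZE = 50          # assumption behind "about 50 times stronger per character"


def strength_ratio(longer: int, shorter: int) -> int:
    """Guesses needed for a random password of length `longer` divided by those
    needed for length `shorter`, with CHARSET_SIZE choices per position."""
    return CHARSET_SIZE ** (longer - shorter)


def entropy_bits(length: int) -> float:
    """Bits of entropy for a random password of the given length."""
    return length * math.log2(CHARSET_SIZE)


def normalized_forms(pw: str) -> set:
    """Variants of the password that a guessing tool would try first."""
    lowered = pw.lower()
    trimmed = re.sub(r"[^a-z]+$", "", lowered)      # "secret123!" -> "secret"
    return {lowered.translate(LEET_MAP), trimmed.translate(LEET_MAP)}


def phrase_form(pw: str) -> str:
    """Lower-case, punctuation-free, single-spaced form for phrase matching."""
    return " ".join(re.sub(r"[^a-z ]", "", pw.lower()).split())


def check_password(pw: str, previously_used=()) -> list:
    """Return the list of policy problems; an empty list means the password passes."""
    problems = []
    if pw in previously_used:
        problems.append("reused")
    if normalized_forms(pw) & COMMON_PASSWORDS:
        problems.append("common")
    if phrase_form(pw) in COMMON_PHRASES:
        problems.append("unmodified quote")
    words = [w for w in re.split(r"[\s\-_]+", pw) if w]
    is_passphrase = len(words) >= MIN_PASSPHRASE_WORDS
    if len(pw) < MIN_LENGTH and not is_passphrase:
        problems.append("too short")
    return problems


if __name__ == "__main__":
    for candidate in ["P@ssw0rd", "Secret123!", "To be, or not to be",
                      "purple-kettle-mountain-radio-seven-lamp"]:
        print(f"{candidate!r}: {check_password(candidate) or 'ok'}")
    print(f"16 vs 12 chars: {strength_ratio(16, 12):,}x more guesses")
```

The check is deliberately one-sided: it can only say that a password is known to be weak, never that it is strong, which is why the length rule and a password manager’s random generator do the real work.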
Mind you, tell someone to remember several hundred long passwords and they’ll look at you like you’ve grown a second head. The best answer, without resorting to weak passwords or superhuman feats of recall, is a password manager. These are useful tools that can do most of the work for us. While a password manager will not let you forget all your passwords, it’s perfectly reasonable to get it down to only a handful you need to remember. I have fewer than 10 I need to remember. The right tool makes it easier to enter and use a random 60-character password than it is to remember and type those awful 8-character passwords from earlier.
We highly recommend LastPass and have used it ourselves for years. Configured with a strong master password and multifactor authentication, it can be a major upgrade to your password game. A good password manager allows easy access to all your passwords and syncs across all your devices. LastPass provides a password generator to easily create and save long random passwords for every account. It also enables easy sharing and updating of common passwords and secrets with the rest of your business when needed.
Avoid using the password managers built into Chrome and Windows. They do very little to stop attackers from stealing passwords from the password manager itself. A specialized tool will provide a substantially better (and more secure) user experience.
Password Security: Obsolete Guidance
Security practitioners have been trying to get people to make better passwords for as long as there have been passwords. Some bits of advice have aged better than others. We will be diving deeper into obsolete guidance in a future blog post. Password complexity and frequent password changes have traditionally been overemphasized and can take a back seat to the guidance above.