As more and more of our personal and professional lives move online, the number of accounts and passwords we need to access various services also grows. Despite the ubiquity of these login credentials, individuals and firms continue to set weak passwords or use the same passwords across multiple sites, among other bad practices.
For example, we celebrated Safer Internet Day earlier this month, and while the campaign itself has ended, some related lessons linger. Google participated in Safer Internet Day by releasing a report with some startling statistics on the state of password management. It found that 65% of people reused the same password on multiple sites. Half of respondents kept track of passwords on paper, 61% wished for a better way to track multiple passwords, and less than a quarter of people reported using a password manager.
And this, unfortunately, puts us all at risk, especially as cybersecurity remains a major concern for today’s businesses. The solution lies in better password management. This post looks at why password management has become so important for businesses and at five steps you can take today to take charge of your password practices.
Tips for Effective Password Management
1) Go Long, Go Long!
With passwords, a good rule of thumb is that length matters more than complexity. Our suggestion is to create passwords that are at least 12 to 15 characters in length. This makes it harder for hackers to brute-force or guess your password. While it’s unfortunately true that NO password, no matter how long, is immune to discovery, nefarious actors will often attack shorter passwords first. Remember that hackers and cybercriminals aren’t necessarily “guessing” your password; more often they try to steal it via phishing attacks, brute force, or vulnerable systems such as poorly protected databases.
Further complicating things is that password requirements vary from one platform to another, even within your firm. Some services have minimum password length requirements, others don’t. Some services do not allow you to copy and paste a password, others do. And some services require that you regularly update your password, and -- you guessed it -- others don’t. It can be hard to develop good password behaviors with so much variance out there.
If you’re guilty of setting too-short passwords, you’re not alone. In an interesting post, a technology blogger surveyed 15 major websites to see how each approached minimum password lengths. While the survey was done one year ago and requirements may have since changed, it found that the most prevalent minimum character count was just six characters! Only four of the 15 sites required a minimum of eight characters.
UPDATE: There is some movement in the U.S. toward better password length policies. The National Institute of Standards and Technology (NIST) is developing guidelines for the U.S. government sector that require a minimum of eight characters.
2) Don’t Reuse Passwords
Another tip is to avoid reusing passwords across multiple accounts. If you do, you risk having all of your accounts hacked if just one is compromised. This could include access to personal or professional social networking sites, HR or accounting systems, emails, and legal case management platforms, among many others.
Have you heard of the recent data dump called “Collection #1”? It included over 21 million unique passwords, all of which were available for download by potentially nefarious actors to attempt to access multiple popular services. According to a Forbes article about the breach, the bottom line is that “the more places a password is used, the more likely those threat actors will succeed in accessing and taking over your account.”
A common refrain for not creating multiple passwords is that it can be difficult to remember all of them. We get it! But it’s a worthwhile practice, and there are tools available to help you, outside of Post-It notes, which we do not recommend. Using a password manager, for example, can make it easier to create unique passwords and keep track of them across multiple accounts, which is a nice segue to our next tip.
3) Use a Password Manager
A popular tool to help secure yourself and your data is a good password manager. In IT, password management refers to the ability to centrally manage and store passwords within an online “password vault.” The password manager is an application that stores and organizes information like usernames and passwords that you and your team rely on to log in to various websites and applications.
A good password manager creates strong, unique passwords for all of your accounts and syncs them across multiple devices. For you and your firm, this means no more memorizing long passwords. It also means that your data will be more secure in the event any employee gets hacked.
Today, there are numerous options to choose from, such as MyGlue. MyGlue is a robust documentation software that helps firms like yours standardize client and internal information, including automatically monitoring and storing passwords and certificates. It also tracks who is accessing and changing information and retains version history. Right now, IT Glue has over 60,000 daily users in 30 countries!
4) Consider a Passphrase
If you decide not to use a password manager, the next best tactic for effective password management is to opt for a passphrase over a password. As the name implies, a passphrase is longer than a password and typically consists of several words separated by spaces. Password Dragon suggests five reasons why a passphrase may be better than a password in today’s digital environment:
Passphrases are typically easier to remember than long passwords.
Passwords can be relatively easy to guess or crack, compared with a strong passphrase.
Passphrases typically meet stringent password rules, such as length, complexity, punctuation, and use of upper and lower cases.
Major operating systems and applications generally all support passphrases.
Passphrases are hard to crack; most password cracking tools are tuned for candidates of fewer than 10 characters.
A University of Chicago IT Services portal suggests that secure passphrases should be at least 19 characters in length with punctuation and spacing between words. Create something that is memorable to you, but don’t use well-known sayings or lyrics that are widely recognized, as these can be easy to crack.
5) Use Two-Factor Authentication
Cybercriminals today are continually developing new and increasingly sophisticated tactics to compromise personal and business data. Sometimes, even a strong password does not provide enough security to mitigate the risks of a breach. One solution is to add an extra layer of security in your firm via two-factor authentication.
Two-factor authentication, or 2FA, supplements the traditional username plus password approach with a code that is unique to a specific individual. Essentially, 2FA asks users to prove who they say they are through both a password and a unique code. An Android Central article summarizes it well: “Two-factor authentication means that you need to present two different things from two different sources that prove who you are.” Nefarious actors would need access to both a physical device and a virtual password, making intrusion more challenging.
Often, these 2FA codes are sent to a user’s device via a voice call, an SMS text message, or an email, or are generated locally on the device by an authenticator app. Google Authenticator, for example, provides another layer of security for phones and Google accounts by generating a second, time-limited code that must be entered to sign in.
It’s complex, but important.
As you can see, even among these five tips there is not always clear consensus or established best practice within a firm. Should I use 8 or 10 characters in a password? Should I set up 2FA? It can be confusing. Using a decent password manager is a great, robust solution. With a proper password manager, you’ll have a clear and accurate record of who accesses which password and when, which will help you track and thwart potentially dangerous activity. Password managers can help mitigate cyberattacks, drive efficiencies in the workplace, and improve your overall processes and best practices. For more, see this earlier post on the four benefits of using a password manager.
For all of these reasons, we’re excited to announce that we’re partnering with MyGlue to offer you full integration and set-up, training, and ongoing technical support for a high-quality and popular password management tool.
We’d like to hear more about your firm and your password management practices to see if MyGlue or another solution can help you improve your security and efficiency. We know there is no one-size-fits-all solution, which is why we take a tailored approach to every single IT project we take on. We’ll work with you to understand your internal and external factors, assess your options, and plot a course through the complexities to deliver a solution that helps you take charge of your password practices.
Please get in touch with our experts today for a free consultation!