Password Considerations from an IT Consulting Firm
Passwords, what a hassle right? Which one did I use here, which symbol this time, etc. Hopefully it can become a little easier, but you need to change your thinking about passwords. Let’s start with a great comic that describes complicated passwords with special characters vs. longer ‘passphrases’ and why they’re better:
I find this to be a great primer for what we’re trying to accomplish with our clients with passwords in general.
- Symbols while making it more complex for humans, don’t deter computers from brute forcing the password by much. L0rN4Dun3% is less secure than shortbreadcookiesyum
- Changing passwords regularly sounds good in practice, but because humans often are lazy, your old password Cubs2022! just becomes Cubs2022@ to make the algorithm happy. Not very secure.
Password Best Practices: Multi Factor Authentication
The number one, best way to protect your online accounts is to enable Multi Factor Authentication (MFA). That is, when you sign in for the first time on a new device, you use your smartphone to get a code to complete the login. This proves that the person logging in has something you know (password) and something you physically have (smartphone.) I suggest you turn on MFA for all of your accounts. Here’s an example of someone that’s tech savvy who learned this the hard way. This article is what made me start using MFA everywhere and backing up all of my computers.
Password Best Practices: Password Managers
Thinking about passwords, the password that you don’t know is always the best. (Huh?) That is, passwords generated by a password manager (a bunch of random letters and symbols) are more secure because they never get reused. Popular browsers like Chrome & Firefox have password managers built in, but if not properly secured they aren’t the best. There are commercial ones like LastPass, 1Password, Dashlane, Keeper and Open Source ones, notable BitWarden. Using any of these to generate random passwords and store them for your accounts is better than anything YOU generate. Some users might ask: “What about storing my passwords in a file on my computer?” – Sure, this is a form of password management and can be effective as long as the password file itself is password protected with strong encryption. If the encryption or password can be guessed or brute forced, then it’s not very secure. If that file gets deleted or the hard drive is lost, did you just lose all of your passwords? Make sure it’s backed up!
Password Best Practices: Password Category Separation
In reality though most users don’t use a password manager, so if you’re going to reuse passwords (bad idea), at a minimum you should try to follow these category rules:
- Category 1: Financial Accounts (places that have your money): Use something totally different than other categories for bank, investment, mortgage accounts, etc. MFA should be required by default. If not, turn it on.
- Category 2: Financial-adjacent Accounts (places where you spend your money): Use something completely different than other categories for sites like Amazon, Walmart, Dell, Jimmy John’s, Vistaprint. If you don’t want someone making purchases then either delete the CC that is stored, or turn on MFA.
- Category 3: Non-Financial Important Accounts (social media, doctor’s office): Use a different password than other categories, and turn on MFA. You might think you won’t miss Facebook until you can’t login to it. Turn on MFA to prevent this.
- Category 4: Not Important Accounts (doesn’t fit other categories): Different password than other categories. Sites like PDFConverter.com, Maytag.com,
- Category 5: E-Mail Accounts (most important): Use 1 unique password for your email account and never reuse it anywhere, and turn on MFA.
What do all of those categories mean? Financial accounts are already protected by MFA in most cases. You can tell me your bank password but I still can’t login without getting the code texted to you. Also the financial category passwords are less likely to be leaked because Chase.com is less likely to be hacked than say Reddit.com. Next, if someone gets into your Amazon account and changes your email address and shipping address and starts ordering stuff, that would be pretty bad right? You need to have a different password here than the others, but more importantly, turn on MFA. Tell me your Amazon password and I still can’t login without the code. Social Media, really? Yup. No one wants to re-create their social accounts, or for businesses lose access to that ‘property’ or brand. Social accounts are often used to defraud the victim’s friends or family too: “I’m stuck in Jamaca and my credit cards are turned off! Please send money now! Click here: <link>”. Other accounts you may not really care about, like the library or online forum that you don’t often use must use a different category password here- these accounts are the most frequently compromised. If someone obtains/guesses your Reddit.com password, they can test it at Chase.com, Amazon.com, etc but because you have different passwords for different categories, they can’t get in!
Then comes the last one, the literal keys to the castle: Your email account. “But it’s just email, who cares?” Well, with your email account, I can get in to just about all of the other categories. Logging into your bank and it asks me to enter the code from your phone, I say “I don’t have it”, guess what comes next? They happily offer to send a code to your email. This is true for 95% of all of the websites out there. If I can click ‘forgot password’ and get a link sent to your email, or even defeat your MFA by getting a code sent to your email, then this is the single most important account to protect! Getting access to your email can greatly compromise your online identity.
If you start to employ some or all of these techniques in your work and personal life, you’ll already be more secure than you were. If you have questions about this or need help implementing MFA or a password manager, please reach out and we’ll be happy to help.