CIO approved practices to keep your passwords strong and data secure
In today’s edition of Cyber Security Awareness month, we’re discussing password management and why it’s vital to install a password manager on your browser.
As we discussed in the blog last week, cyber security training should include password training – having a unique, complex password for every account is incredibly important to reduce the risks of losing data in a breach. Today we will review password hygiene and our top three completely free-to-you password managers for the day-to-day user.
First things first: create a strong password (but you should know this by now!)
Many of us (we’re talking to you!) are in the habit of using simple, easy to remember passwords and we likely never change them, because it can be inconvenient. We also tend to reuse our passwords, or variations of the same password for every account. Unfortunately, this can make you, your credentials, and your personal information highly vulnerable to attackers.
Here are a few do’s and don’ts to creating a strong password:
Do’s
- Do use at least 10-12 characters (the more the better)
- Do use a variety of upper and lower-case alpha characters
- Do use at least one number
- Do use at least one special character
- Do use a unique password for every account and device
Don’ts
- Don’t use common knowledge in your passwords such as your name, birthday, phone number, your pet’s name, etc.
- Don’t use common words or phrases
- Don’t use keyboard patterns such as “qwerty”
- Don’t use a password that is too short
- Don’t use a common word spelled backwards
If you follow these basic rules to create a strong password, it should be fairly difficult to steal. However, there are some sneaky tactics attackers use to get your passwords that you should always be aware of such as phishing, credential stuffing, and password spraying – you are much more vulnerable to these attacks if you have a weaker password or don’t practice good password hygiene.
How do stay safe
Always have unique passwords: as we’ve mentioned, your passwords should always be unique for every account and each should have the password criteria we’ve outlined to help keep them out of the hands of attackers. Having a unique password can help protect against common password hacking tactics like credential stuffing and password spraying.
Never give out your credentials via email: phishing attempts may ask you for your password and username because something is “wrong” with your account or they may offer you a prize that requires you to login by clicking a link, however, there will likely never be a legitimate time when you are asked to provide this information over email. Don’t give up your credentials no matter how dire or exciting the situation may seem. If you see an email from a company that you hold an account with and they are asking for this information, always call the organization directly instead.
Use Multi factor authentication whenever possible: multi-factor authentication is a method that requires the user to provide two or more verification factors to login to your account. Typically, your first verification method is your password and the second method could be a personal security question, a code sent by text message, or even a fingerprint. Having multi factor authentication can help keep you safe from many of the common attacks mentioned as just acquiring your password won’t be enough for them to get to into your account. Not every account will give you the option for multi factor authentication, but more and more these days this option is provided, especially for sensitive accounts.
Change passwords regularly: changing your password every few months will help protect you if your password does in fact get compromised. Of course, if you have been notified that one of your passwords has knowingly been compromised, make sure to change it right away. However, if you have been notified via email that your password has been compromised, go directly to the site – do not click on the links in the email or login through the email as this may be a phishing attempt. For many people, this can seem like an onerous task, especially considering how many accounts we all have. This leads us to our final recommendation.
Use a password manager!
Of course, having multiple of unique, complex passwords means you’re likely to forget some of them (or all of them.) Setting up a password manager is the perfect way to manage all your passwords and keep them in your browser and ready to go when you need them. There are many inexpensive (sometimes free!) password managers out there that you can install to help you keep your passwords in check if your workplace has not provided you with an enterprise password manager software. The benefits to using a password manager include:
- You only need to remember one password to login into your password manager and it will store all your other passwords for you.
- Setting up and learning to use a password manager is made extremely easy and in most cases is a very good option to achieve many of the good password hygiene factors we’ve discussed all at once.
- Password managers are installed directly into your browser
- Can be shared with other trusted users to allow for easy multi-access
Although organizations may provide employees with an enterprise password manager to install on their work devices, many consumers don’t have access to these tools (which can sometimes be quite expensive) outside of the office. Thankfully, there are some reliable, free, and readily available password managers out there that are perfect for personal consumer use.
Here’s a list below that our team of technical experts’ trust:
Dashlane: Dashlane will provide you with a free account for one device and unlimited passwords. For just over $3 per month, you can pay to use Dashlane on multiple devices with the added protection of a VPN. In addition to safely storing your passwords, Dashlane will provide alerts about breaches and hacks that could potentially affect your data.
Visit Dashlane here.
LastPass: LastPass provides free access to their password manager that includes one device with unlimited passwords or $3 for their premium access with multiple devices. LastPass includes the option to login “passwordless” using their authenticator app to login through facial recognition, finger prints, and (coming soon) security tokens.
Visit LastPass here.
Bitwarden: Bitwarden provides an open-source password manager with the lowest fee at their premium level. For less than a dollar per month ($10 per year) you can have access to their premium features that include two factor authentication, Bitwarden authenticator, multiple device use and security reports. Of course, you can always use their free version which also includes multiple devices and unlimited passwords.
Visit BitWarden here.
You may be weary to keep all your passwords in one place, using a single password to gain access to all your other passwords – but the benefits of using a password manager far outweigh the risks given the controls that password managers put in place, such as:
- securely encrypting your data
- ensuring cracking your passwords is nearly impossible
In addition, many password managers, such as Dashlane and LastPass, scan the dark web and alert you if your data has been breached. Be sure to use the password manager as intended, with a strong, complex password (as mentioned above) with 2-factor authentication, and you should be safe.
Your key word is “Password Manager”
Take this keyword and comment it on our LinkedIn here for your chance to win one of many prizes!
Interested in Chatting with a Secure Sense Security Professional?
There’s no better time than the present to enlist help for your security needs. Available across Canada, our team of specialists are eager and ready to learn how to become that trusted extension of your security team.
Don’t hesitate to reach out to us at 866-999-7506 or shoot us an email at contactus@securesense.ca.
Secure Sense is the security provider that cares. We are a team of experts with a passion for IT and protecting your organization is what motivates us daily. If you have questions or want to learn more about how we can improve your organization’s security, and our services or just want to chat about security please give us a shout. Follow along throughout the month of October as we discuss all things cybersecurity for Cyber Security Awareness Month.