Your data is the most valuable asset you possess, so it must be protected. One of the simplest protections is to forbid access to anyone who is not authorized, and the most common way to prove authorization is still a password. In this article we review best practices for creating strong passwords and for keeping them secure.
Passwords: A Necessary Evil
Every hour of every day, hackers, phishers, and other digital hooligans are trying to steal your data. Banks, hospitals, financial firms, and Internet providers have all suffered significant data breaches, and often the root cause was a simple, easy-to-guess, or reused password on someone's account. That is what happens when people choose convenience over security.
This is not hypothetical. Large institutions have paid millions of dollars in ransoms because of unenforced password policy, bad passwords generally, or users who helpfully keep their passwords written on sticky notes taped to their monitors.
Let’s talk about how to make a good password.
Tips for Making Passwords that Pass the Test
According to security.org, 38% of Americans report having had at least one of their passwords cracked or guessed. Whether a password is "good" comes down to two questions: how hard is it to guess online, where the service limits the number of attempts, and how hard is it to crack offline, where an attacker who has stolen the password hash can try billions of guesses per second? Consider the passwords below:
- A: S1gn8Ts#%9dso@f8725%4
- B: _&4#89HTuWv^6#9(
- C: @1399KindredSalientHobby!$
These passwords would pass most strength checks because they follow some or all of these guidelines:
- They're long. Length is the single biggest factor: every added character multiplies the number of guesses an attacker must make.
- They draw on several character classes: digits, $peci@l characters, And Some Upper Case, Too.
- Password C combines unrelated words into a phrase and pairs it with digits and a few symbols, which keeps it memorable without making it guessable.
A good password is long, unpredictable, and mixes capitals, numbers, and special characters; it is the length and the unpredictability that make it expensive to crack.
How often do I have to invent a new convoluted password?
Ah, yes, the "every 90 days" rule. Did you ever stop to wonder why 90 days specifically? The usual story is that, early in the information age, a sufficiently powerful computer was estimated to need about three months to crack a password of a certain complexity. Whatever the origin, that reasoning no longer holds: a short password falls in hours today, and a long random one will not fall in a human lifetime. Forced rotation mostly produces predictable variants (Summer2023!, Summer2024!) that cracking tools try first. Current guidance, including NIST SP 800-63B, is to require a change when there is evidence of compromise rather than on a fixed schedule.
Rather, the new advice is this: longer is better; change a password immediately if it may have been exposed, and otherwise change it every 180 days or not at all. Many organizations are moving beyond passwords to passphrases, entire sentences that only one person knows. Obviously a common phrase like "I love my children" is inadvisable; "I love Jonny and Jane and Fido" is better, because its length and specificity put it beyond any list of well-known phrases. Keep in mind that an attacker who knows your family's names can still target it, so the more unexpected the sentence, the better.
Don’t Include This Information in Passwords
There’s a scene in the movie Spaceballs, and it goes like this: “So the combination is 12345… that’s the stupidest combination I ever heard in my life! That’s the kind of thing an idiot would have on his luggage.”
In a perfect world, nobody would ever use such a laughably poor password. Unfortunately, we're on Earth. Everyone has done this at some point or known someone who has. In fact, 12345 and passwords like it remain among the most common passwords found in breach dumps.
Here are tips for password don’ts:
- Don't use sequential numbers or letters (12345, abcdef) or keyboard patterns (qwerty)
- Don't include any part of your birthdate (year, month, or day) in your password (that goes for the birthdates of family members, too)
- Don't use your name, a family member's name, or your pet's name in your password
- Don't use any part of your home address (house number, street, city/town, etc.)
- Don't include words related to your hobby, job, or interests; attackers harvest these from social media
- Don't reuse passwords across sites: when one site is breached, its password list is tried against every other site (credential stuffing)
Here are a few more examples of devastatingly clever passwords practically asking to be compromised: P@ssw0rd, Openup123, Password1 (then Password2, Password3, and on and on), h3llO!, nimad ("admin" backwards). You get the idea: letter-for-symbol swaps, appended digits, and reversals are the first transformations a cracking tool tries, so they add almost no strength.
If you read any of that and thought, “Oh no”, then congratulations: the combination to your luggage is also 12345. For this reason, your password should immediately be changed.
How to Keep Your Passwords Secure and Protected – Don’t Leave Your Keys on the Dash!
A strong password is useless if it is written down where someone else can read it. Let me repeat it, because some people need to really absorb it: a strong password is weak if it is written on paper, kept in a plain text file, or pasted into a spreadsheet. The one acceptable place to store it is an encrypted password manager, locked by a single strong passphrase that you memorize.
Think about your dream car. Imagine what it might look like, what it might be. For some, that’s a Maserati. For others, it could be the humble Camry. (Nobody ever said you had to dream big!) Now imagine that you get it, it’s paid for, you owe nothing, and there’s plenty of mileage left between your vehicle and the next scheduled maintenance. The gas tank is full. It’s a beauty, and it’s yours.
Now, leave the keys on the dashboard for a week, and…wait.
Now imagine the shock, tragedy, and horror you will feel when you walk outside and realize your vehicle is gone. How could this possibly have happened! …Because the keys were on the dash.
The equivalent of leaving your keys on the dashboard is writing your passwords on paper in plain sight, keeping them in an unencrypted file, or even locking them in a desk drawer (the lock on office furniture is not a security control). If your car is stolen, you know you have only yourself to blame. If your password is compromised, the same applies. So don't, under any circumstances, ever leave the keys on the dash!
When Words Are Not Enough – Why You Need MFA
By now, you've learned the benefit of a good, strong password. There is another step you can take to make sure that nobody compromises your data: multi-factor authentication (MFA). After entering your username and password, you must also present a second factor to prove that you are who you claim to be. (The username only identifies you; the password is the first factor.) Happily, many such factors exist: a time-limited code from an authenticator app, a hardware security key, a push prompt in an app on your phone, or a one-time code sent by text message or email. Codes sent by SMS or email are the weakest of these, because they can be intercepted or phished; a hardware key is the strongest, because it will not hand its credential to a look-alike site.
It cannot be overstated how valuable multifactor authentication is. The absence of a second factor has been the source of several significant data breaches, and will likely remain so every year, because some people value convenience over safety. Don't be one of those people. For any system you own, make multifactor authentication the standard, and enforce it for every account rather than leaving it optional.
Let us help you get a handle on a strong password policy
Some of this probably sounds simple, and some of it sounds totally unfamiliar. That’s okay. Implementing MFA and a strong password policy at your company is more than just saying, “Hey, folks, strong passwords, okay?” to your staff. It’s more complicated than that. You need disciplined, experienced technical folk to help establish—and maintain—a good security policy. That’s where we come in.
IT Acceleration has a well-established history of helping small businesses tighten up their security profile, closing gaps, patching holes, educating users, and erecting walls between your data and the thieves who want it.
Let us do the security legwork, so you can do all your work. Contact ITA to take the first step.