#BeCyberSmart – Change Your Passwords!
Week two of National Cybersecurity Awareness Month is underway, and if there is one thing we have learned, it is how important it is to change your passwords! Today, 75% of people don’t know how to create secure passwords. This is especially concerning, as data this year has shown that 81% of the total number of breaches leveraged stolen or weak passwords. Now, more than ever, to #BeCyberSmart, strong passwords and a password manager are a must.
Best Practices for Strong Passwords
NIST Special Publication 800-63B – Digital Identity Guidelines – is a great resource for educating users on creating a secure password. As an individual user, it is important to understand that password length is more important than complexity. Enforcing complexity, such as requiring a lower-case letter, upper-case letter, number, and special character, is great in theory, but in practice it often results in simple passwords such as “Password123!” being created. Instead, a long password, such as a passphrase that the account owner can easily remember, will prove just as strong.
As an organization, there is a lot to learn from NIST’s special publication. First of all, it is encouraged that all new passwords are screened against a list of commonly used and compromised passwords. This way, you ensure common, easily guessable passwords are avoided. Secondly, NIST suggests that organizations do NOT enforce regular password resets. While controversial, their stance is that forcing employees to change their passwords regularly results in new passwords that are virtually the same as the old one with only a minor, and typically predictable, change. NIST additionally suggests limiting the number of failed password attempts before the account is locked out. This control limits a threat actor’s ability to brute force their way in as a user, reducing account compromise. And lastly, in line with the theme from last week, it is recommended to implement MFA on all eligible accounts. This way, users must authenticate into their account with an additional means beyond the typical username and password.
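The following is an added example, not code from the original post or from Conceal, showing how an organization might enforce the NIST-style rules above in a login service: a length check with no composition rules, screening against a blocklist of common and breached passwords, password storage with a salted slow hash, and a lockout after a number of consecutive failed attempts. The blocklist, the lockout threshold and duration, the PBKDF2 iteration count and the sample accounts are all constructed values for illustration; a real deployment would screen against a large breached-password corpus and tune the thresholds to its own risk.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed blocklist for this example. A real deployment screens against a
# large corpus of breached passwords, not a handful of entries.
COMMON_PASSWORDS = {
    "password", "password123!", "123456", "qwerty", "letmein", "welcome1",
}

MIN_LENGTH = 8            # assumption: minimum length for user-chosen passwords
MAX_LENGTH = 64           # assumption: generous cap so passphrases are allowed
LOCKOUT_THRESHOLD = 5     # constructed value: consecutive failures before lockout
LOCKOUT_SECONDS = 900     # constructed value: how long the lockout lasts
PBKDF2_ITERATIONS = 600_000  # constructed value for the slow hash


def normalize(password: str) -> str:
    """Reduce a password to its alphabetic core, lower-cased, so that
    'Password123!' is recognised as a variant of the blocklisted 'password'."""
    return "".join(ch for ch in password.lower() if ch.isalpha())


def screen_password(password: str, blocklist=COMMON_PASSWORDS):
    """Return (accepted, reason). Length and blocklist only; no complexity rules,
    so a long passphrase of plain words passes."""
    if len(password) < MIN_LENGTH:
        return False, "too short"
    if len(password) > MAX_LENGTH:
        return False, "too long"
    if password.lower() in blocklist or normalize(password) in blocklist:
        return False, "commonly used or previously breached"
    return True, "ok"


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted slow hash for storage; verification uses a constant-time compare."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class LoginThrottle:
    """Counts consecutive failures per account and locks the account for a
    fixed window once the threshold is reached."""
    threshold: int = LOCKOUT_THRESHOLD
    lockout_seconds: int = LOCKOUT_SECONDS
    failures: dict = field(default_factory=dict)      # username -> count
    locked_until: dict = field(default_factory=dict)  # username -> unix time

    def is_locked(self, user: str, now: float) -> bool:
        return self.locked_until.get(user, 0.0) > now

    def record_failure(self, user: str, now: float) -> bool:
        """Record a failed attempt; return True if the account is now locked."""
        if self.is_locked(user, now):
            return True
        count = self.failures.get(user, 0) + 1
        self.failures[user] = count
        if count >= self.threshold:
            self.locked_until[user] = now + self.lockout_seconds
            self.failures[user] = 0   # counter restarts after the window expires
            return True
        return False

    def record_success(self, user: str) -> None:
        self.failures.pop(user, None)
        self.locked_until.pop(user, None)


def authenticate(store: dict, throttle: LoginThrottle, user: str,
                 password: str, now: float) -> str:
    """Return 'locked', 'ok' or 'failed'. store maps username -> (salt, hash)."""
    if throttle.is_locked(user, now):
        return "locked"           # do not even evaluate the password
    entry = store.get(user)
    if entry is not None:
        salt, stored = entry
        if hmac.compare_digest(hash_password(password, salt), stored):
            throttle.record_success(user)
            return "ok"
    throttle.record_failure(user, now)  # unknown users count too
    return "failed"


if __name__ == "__main__":
    for candidate in ("Password123!", "short", "correct horse battery staple"):
        print(candidate, "->", screen_password(candidate))
    salt = b"constructed-salt"   # constructed; use os.urandom(16) per user
    store = {"alice": (salt, hash_password("correct horse battery staple", salt))}
    throttle = LoginThrottle(threshold=3, lockout_seconds=60)
    for t, guess in enumerate(["wrong1", "wrong2", "wrong3", "correct horse battery staple"]):
        print(t, guess, "->", authenticate(store, throttle, "alice", guess, float(t)))
```

Note that the complexity-built “Password123!” is rejected by the blocklist while the plain-word passphrase is accepted, and that once an account is locked even the correct password is refused until the window expires, which is what keeps online guessing from running unbounded.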
Password Manager
In the words of the National Cybersecurity Alliance, don’t take a pass on a password manager. In this day and age, it is genuinely impossible to remember all the passwords to your online accounts, especially if you are abiding by all the best practices we mentioned above. Some may think the simple solution is to just use the same password for most, if not all, of your accounts. While this may sound great in theory, the reality is that it’s not safe: using the same password for multiple accounts greatly increases the likelihood that a single breach turns into multiple breached accounts. If a bad actor can exfiltrate your credentials in a breach, and those credentials are the same ones you use for all your accounts, the threat actor just hit the jackpot and can now gain access to all of your accounts and sensitive information.
Luckily, a simple solution exists. By investing in a password manager, you don’t have to risk using the same login credentials for all of your accounts. When you invest in a password manager, you will end up saving time in the long run, not having to guess and check until you remember the right password. Typically, managers work across all your devices and operating systems, making it easy to share between computers, phones, and other compatible endpoints. Additionally, password managers help protect your identity. Make sure to check out last week’s article on the importance of identity management here.
Conceal Supports Password Managers
Here at Conceal, we understand the importance of a password manager. Conceal’s suite of solutions supports password managers so that even in an isolated environment you can access your stored strong passwords with ease. It is also worth noting that we practice what we preach. All employees at Conceal are proud users of a password manager, an aspect of our online presence that we are not shy to share. Oftentimes during demos, you will see our engineers and VPs access their manager to log in to different accounts to show you our platform functionality. Strong, unique passwords are a must in 2022, and a safe, encrypted database to house them allows your memory to focus on other things!