Best practices you should be aware of

Oh… the dreaded password. How many of us are guilty of reusing the same passwords? Often for months or even years, across multiple accounts. So what’s the big deal?

Recently, the mobile gaming giant Zynga and the Hilton family of hotels both had major data breaches. Millions of user accounts were affected. I personally have an unused account with Zynga from the days I used to play “Draw Something”. With my information sitting out there, it wouldn’t be tough for attackers to crack the password hashes, especially if they were stored with a weak or unsalted hash. Once my password is discovered, attackers can attempt to log in to various other accounts with the same password (an attack known as credential stuffing). This is why we don’t want to reuse the same password for multiple accounts. Companies adopt these annoying password policies to prevent these types of incidents. As password requirements become more complicated, it is becoming a burden for administrators to reset people’s passwords at the office. And what about all those password resets we’ve done just to log in and move on with our day?

There is not much we can do about data breaches, but there are things in our control that help minimize the impact. Being aware of these practices helps make passwords easier to manage.

Password requirements—yes, we’ve heard this many times

Make passwords unique, with special characters like !@#$%^&*(), numbers, and a mix of upper- and lowercase characters.

Avoid doing these

Avoid using words that can identify you, such as your name, your title, someone you know, birthdays, anniversaries, or your favorite hobbies, colors, etc. You get the point. Also avoid any keywords you may be using on your social media profiles; social engineering is a real thing, and we’ll cover it in a future post. Avoiding dictionary words is good practice as well. Some of the most common weak passwords include:

football, Superman, iloveyou, princess, 123456, password, abc123, welcome, admin

Strong password essentials

Most of the time you will only be required to use 6 to 9 characters, but increasing it to 10-12 or more will make the password far more difficult to crack. Mix in character substitutions: for example, use a zero instead of the letter o, or, even better, use & to represent o. Keep in mind that cracking tools apply the common substitutions automatically as rules, so length and unpredictability do more for you than a handful of swapped characters.

Illogical phrases are easier to remember than random strings. For example, instead of “thankyoubadminton” use “badmintoncheesecat”. Combine that with substitutions and you might end up with “b@dmint&nchee$eCat”.

Let’s add another layer using acronyms: shorten part of the phrase to a single letter. This reduces the character count, so be sure to make up the length elsewhere. “b@dmint&nchee$eCat” could become “Bb@dmint&nchee$eC”, which I would remember as bigbadmintoncheesecats. Substituting characters, illogical phrases, and acronyms all make passwords harder to crack while keeping them simple enough to remember.

If you use variations on one phrase for other accounts, keep them distinct enough that one leaked password does not reveal the pattern behind the rest; a password manager (next section) removes that problem entirely. It might seem complicated, but with a bit of practice you can improve your passwords.
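To see how the rules above play out in practice, here is an added Python example (not from the original post) that checks a candidate password for minimum length, the common-password list from the previous section, personal terms, and dictionary words. Before the dictionary check it undoes the character substitutions the same way cracking tools do, which is why “b@dmint&nchee$eCat” still shows up as three dictionary words. The word lists are constructed samples for this example; a real checker would load full breach and dictionary lists.

```python
import re

# Constructed sample lists for this example; a real checker would load full
# breached-password and dictionary word lists from disk.
COMMON_PASSWORDS = {
    "football", "superman", "iloveyou", "princess", "123456",
    "password", "abc123", "welcome", "admin",
}
DICTIONARY_WORDS = {
    "badminton", "cheese", "cat", "thank", "you", "big",
    "summer", "dragon", "monkey", "love",
}

# Common substitutions, including the post's "& for o" convention. Cracking
# tools apply these same mappings as rules, so a substituted dictionary word
# is still a dictionary word to an attacker.
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "$": "s", "5": "s", "0": "o", "&": "o",
    "1": "i", "!": "i", "3": "e", "7": "t", "+": "t",
})


def normalize(password: str) -> str:
    """Lowercase and undo substitutions so the password can be compared to word lists."""
    return password.lower().translate(LEET_MAP)


def dictionary_words_in(text: str, min_len: int = 3) -> list[str]:
    """Return dictionary words found in text, longest first, each region matched once."""
    found = []
    remaining = text
    for word in sorted(DICTIONARY_WORDS, key=lambda w: (-len(w), w)):
        if len(word) >= min_len and word in remaining:
            found.append(word)
            remaining = remaining.replace(word, " ")
    return found


def check_password(password: str, personal_terms: tuple[str, ...] = ()) -> list[str]:
    """Return the problems found; an empty list means the password passed every check."""
    problems = []
    lowered = password.lower()
    norm = normalize(password)

    if len(password) < 12:
        problems.append(f"only {len(password)} characters; use 12 or more")
    # Compare both the raw and the de-substituted form: "P@ssw0rd" is "password".
    if lowered in COMMON_PASSWORDS or norm in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    for term in personal_terms:
        t = term.lower()
        if t in lowered or t in norm:
            problems.append(f"contains personal term {term!r}")
    words = dictionary_words_in(norm)
    if words:
        problems.append("built from dictionary words: " + ", ".join(words))
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    missing = sum(1 for pattern in classes if not re.search(pattern, password))
    if missing > 1:
        problems.append("uses fewer than three character classes")
    return problems


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "b@dmint&nchee$eCat", "Xq7#vL2p!Rt9zWm4"):
        result = check_password(candidate)
        print(candidate, "->", result or "ok")
```

Run it and the substituted phrase is flagged as “badminton, cheese, cat”, while a 16-character random string passes every check. That is the practical lesson: substitutions buy little against a rule-based cracker, length and randomness buy a lot.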

Use password managers

[Image: LastPass auto-generating a complex password]

Password managers can generate complicated 20+ character passwords for each website, and you only have to remember one master password; the manager handles the rest. I personally use LastPass to manage all my passwords. I log in on my phone, workstation and personal laptop, and have all my passwords on each device. Many of these are subscription-based at a reasonable price. A couple of other managers include Zoho Vault, Dashlane, Password Boss, and Bitwarden.
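As an added example (Python, not from the original post or from any of the managers named above), here is the core of what a password manager’s generator does: draw characters, or words for a passphrase, uniformly from the operating system’s CSPRNG through the secrets module, never the random module, and the entropy arithmetic that shows why a 20-character generated password is out of reach of the cracking that broke the breached hashes discussed earlier. The word list is a constructed sample so the example runs offline.

```python
import math
import secrets
import string

SYMBOLS = "!@#$%^&*()"  # the symbol set the post suggests
ALPHABET = string.ascii_lowercase + string.ascii_uppercase + string.digits + SYMBOLS

# Constructed 32-word list so the example runs offline. A real passphrase
# generator uses a list of several thousand words, e.g. the 7776-word
# Diceware list; the security comes from the list size and the CSPRNG.
WORDLIST = [
    "anchor", "badger", "canvas", "dagger", "ember", "falcon", "garnet", "harbor",
    "iron", "jungle", "kettle", "lantern", "marble", "nectar", "orbit", "pepper",
    "quartz", "raven", "saddle", "timber", "umbra", "velvet", "walnut", "xenon",
    "yonder", "zephyr", "basil", "cobalt", "dune", "fern", "gust", "heron",
]


def has_all_classes(text: str) -> bool:
    """True when text contains a lowercase letter, an uppercase letter, a digit and a symbol."""
    return (any(c.islower() for c in text) and any(c.isupper() for c in text)
            and any(c.isdigit() for c in text) and any(c in SYMBOLS for c in text))


def generate_password(length: int = 20) -> str:
    """Generate a password the way a manager does: uniform draws from the OS CSPRNG,
    retried until every character class is present (most sites require that)."""
    if length < 4:
        raise ValueError("length must be at least 4 to hold every character class")
    while True:
        password = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(password):
            return password


def generate_passphrase(words: int = 6, separator: str = "-") -> str:
    """Generate a passphrase of randomly chosen words; easier to type than a 20-char string."""
    return separator.join(secrets.choice(WORDLIST) for _ in range(words))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string of `length` symbols: log2(alphabet_size ** length).
    Every extra character multiplies the attacker's search space by alphabet_size, which is
    why length beats a few substitutions."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print("manager password :", generate_password(20))
    print("passphrase       :", generate_passphrase(6))
    n = len(ALPHABET)
    print(f"8 chars from {n} symbols : {entropy_bits(8, n):.1f} bits")
    print(f"20 chars from {n} symbols: {entropy_bits(20, n):.1f} bits")
    print(f"6 Diceware words (7776-word list): {entropy_bits(6, 7776):.1f} bits")
```

With the 72-symbol alphabet above, an 8-character password is about 49 bits and a 20-character one about 123 bits; six words from a real 7776-word list give about 78 bits. The rejection loop keeps the draws uniform over the accepted passwords, and the only thing you have to remember is the master password that unlocks the vault.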

Hopefully this helps you create complex passwords that you won’t forget too easily. This practice is perfect for the office: if you work in an environment with sensitive data, it’s very likely you’ll see password policies like these in place. For home use, extending these practices will keep your personal accounts in a better posture.

In the future, we’ll cover multi-factor authentication as a tool to help ensure no one else is accessing your data.
