Security Awareness Training – Passwords
Think about your home security and how you lock your house at night. Many homeowners use three layers of security including a standard lock plus a deadbolt and alarm system to feel safe at night.
What about securing your online accounts and password security? Do you have strong security or are you leaving the doors wide open with weak passwords and security settings? Are you using two-factor authentication whenever possible? Are your “cyber doors” locked or wide open?
NIST Recommendations and ways to lock your “cyber doors”
There has been quite a bit of recent information on password policies and the NIST Special Publication 800-63B.1. Based on this document, I think it is safe to say that many organizations are looking to revise their password security policies.
The NIST recommendations highlight the importance of strong passwords with some changes. Your passwords are still like the locks on your home and without strong passwords you unintentionally leave your data and financial accounts wide open for any hacker. Passwords are the most valuable prizes to any hacker because it gives them opportunity to enter your accounts and spend as much time as needed to steal your data.
We are still reminded daily in the news that cybercrime is on the rise. The recent global ransomware and phishing attacks are an excellent reminder of why security awareness training is now required for everyone.
That’s why it’s vitally important to develop strong password practices and to protect your password at all times. When you create, and use simple and predictable passwords you are basically leaving your account doors wide open to be compromised.
User Mistakes
How long do you think it will take before they find your weak passwords? Are you sure an intruder hasn’t already found them? Not only do intruders exploit easy-to-guess passwords, they also try to take advantage of the way many users fail to protect their passwords, such as:
- Not changing your password after you are notified that a site was hacked
- Using one password for everything
- Using home and personal passwords at work
- Sharing passwords with others
- Sending passwords by email without encryption
- Writing down your password on a Post-It note and keeping it near your computer
Many businesses and websites enforce password requirements and best practices
This is what we routinely see as business and website password security requirements at a minimum:
-
- Passwords should be at least eight or more characters in length and include upper and lower-case letters
- They should include a number
- They should ideally include special characters or symbols like the dollar sign, percentage symbol or other character.
Every additional character you add to a password makes it more difficult for a hacker to guess or break your password. By using a mixture of letters, numbers, and symbols you also make password discovery, whether by guessing, or using easily available password cracking tools, more difficult.
Use a passphrase that is memorable
In most cases, you should implement a pass phrase to lock your “cyber doors”. A pass phrase is a short phrase that you will find easy to remember but would be almost impossible for an intruder to predict. Once you have such a phrase, you can then easily create a complex but memorable password simply by using the first character or letter in each word of the phrase.
There are different ways to develop a passphrase. For example, the sentence “I wish my sister Jodi was here 2!” Could create a nine-character password, IwmsJwh2! that contains uppercase letters, lowercase letters, numbers and symbols. Just select the first letter or number in each word, and include a couple of uppercase letters. Get creative with passphrases that are easy to remember but hard for a hacker to predict.
Another example of a passphrase would be something like: ILuvW0rking@myC0mpany2 The longer the passphrase the more difficult to hack.
Avoid using dictionary words
There are various recommendations regarding password security that you should consider. Many security experts recommend avoiding the use of words that are found in a dictionary by simply putting a number or character in the middle of the word.
One example of this, would be to pick some letters in the word and replace one or more letters in the word with a number and add some special characters. You just need to get creative and pick changes that you can remember and are memorable to you.
Two Factor Authentication a Must for all Financial Accounts!
Many organizations and websites including financial institutions and banks are now offering the use of “two factor” authentication also known as 2FA and “multi-factor” authentication.
Even Social Media and email accounts such as Facebook and Google are offering this type of increased password security technology. This is one of the best things you can do to help protect your account security.
Two-factor authentication involves logging into your account with two or more pieces of information. This would include “something you have” like a PIN number that is sent to your phone and with “something you know” like your password.
To log into an account with two-factor authentication you must provide both the changing PIN number sent as a text message to your phone and your password.
Multi-factor authentication may include verifying the approved browser you are using or providing a challenge question that only you would know. This provides an extra layer of security that is much more difficult to compromise. You should always utilize this technology whenever it is provided and not disable or shortcut the process.
Final Thoughts
Because of the importance of safe password practices when accessing the Internet, you should also avoid the temptation to save login data and passwords on web sites you use routinely.
Passwords are like the keys to your home, and play a very important role in helping ensure that your accounts are protected. But in the wrong hands a valid password could give an unauthorized intruder unchallenged access to your most sensitive information. That’s why you should never underestimate the power of a strong password, or the dangers of a weak one. Lock your “cyber doors” every day!
The Center for Information Security Awareness (CFISA) and InfragardAwareness, www.CFISA.org has been providing online and in-person security awareness training since 2007. The CFISA security awareness training stresses the importance of educating employees to help reduce company risk.
Do you need help with security awareness training for your employees? Contact CFISA and we will help you with a training option to fit your budget!
1 https://pages.nist.gov/800-63-3/sp800-63b.html