The Problem with Passwords
Love ’em or hate ’em, our digital world is full of passwords. While this feels like a plague unique to the modern digital era, if you think back you’ll realize that they’ve always been there. We used to have ATM PINs, locker combinations, and even secret whisperings to get our hooch in the local speakeasy. And in that time, they haven’t changed that much! They’re still strings of characters, words, numbers, and hieroglyphs that get you past a security checkpoint of some kind.
The major difference is that now, with brute force password guessing programs and hackers stealing our information hand over fist, the humble password just can’t keep up anymore. So what’s a user to do?
Some security professionals foresee a future where the password goes the way of the dodo, and everything is secured with biometrics and certificates. Some regulatory bodies are even going as far as to challenge some of the long-held conceptions about password changing. Until those changes become more mainstream, we’re stuck making the best of an admittedly bad situation.
Follow these tried-and-true simple rules, and you’ll reduce your chance of compromise.
How You Can Improve Password Security
Don’t Use a Password
The purpose of a password is to be complex enough and long enough that it can’t feasibly be cracked before you change it again. So the longer and more complex your password is, the better it is. Since most of us aren’t ready to go to 128-character monstrosities for our passwords, try this simple tip: trade in your password for a passphrase instead.
Many systems today allow you to use characters you may not have thought of — like spaces and punctuation. DO IT! Make your password an entire sentence so it’s still easy for you to remember, but long and complex enough that the bad guys won’t have time to crack it.
Pro tip: I like book titles as passwords. “50 Shades of Grey” meets the complexity requirements of most systems, and it’s easy to remember.
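To put numbers on "long enough that it can't feasibly be cracked", here is an added example (not part of the original post) that estimates the search space of a short complex password against a sentence-style passphrase. The guess rate is an assumed, constructed figure, and the dictionary calculation shows the realistic case where the attacker knows the passphrase is built from common words.

```python
import math
import string

# Assumed attacker guess rate: a constructed figure of 1e10 guesses per second,
# roughly an offline attack on a fast hash with GPU hardware. Real rates vary
# widely with the hash algorithm and hardware; treat the output as an estimate.
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_size(password: str) -> int:
    """Alphabet size an attacker must search, based on the classes present."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation or c == " " for c in password):
        size += len(string.punctuation) + 1  # 32 ASCII symbols plus the space
    return size


def brute_force_bits(password: str) -> float:
    """Search space in bits if the attacker tries every string of this length."""
    return len(password) * math.log2(charset_size(password))


def dictionary_bits(word_count: int, dictionary_size: int) -> float:
    """Search space in bits if the attacker knows the passphrase is word_count
    words drawn from a list of dictionary_size words. A phrase that appears in
    a published word or phrase list is only as strong as its position in it."""
    return word_count * math.log2(dictionary_size)


def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Years needed to try every candidate at the assumed rate."""
    return 2 ** bits / rate / SECONDS_PER_YEAR


def report(password: str) -> dict:
    """Length, brute-force bits and years-to-exhaust for one candidate."""
    bits = brute_force_bits(password)
    return {"length": len(password), "bits": round(bits, 1),
            "years": years_to_exhaust(bits)}


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3", "50 Shades of Grey"):
        print(candidate, report(candidate))
    # Four random words from a 7776-word list, attacker knows the scheme:
    print("4 words / 7776 list:", round(dictionary_bits(4, 7776), 1), "bits")
```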
Limit Your Blast Radius
Imagine this situation: you use the same passwords for Facebook, LinkedIn, your Discover Card, and your e-mail. Then LinkedIn has another data breach and passwords are lost to the Dark Web. Now anyone with one of your leaked passwords can get into all of your other systems. Make them all substantively different, and your blast radius is limited.
Keep it Fresh
This is so important it should go without saying, but passwords should be changed on a regular basis. Enterprises are good at making you change your passwords. Public-facing systems…not so much. Change your passwords every 6 months or so on all of the systems you access. It’s somewhat painful, but can really bear fruit as mentioned in the anecdote above.
Note: Some avant-garde security folks will tell you that the National Institute of Standards and Technology (NIST) no longer recommends habitual password changes. They suggest that you only have to change your password if there is a known data breach in the app/environment where the account lives. But I am not a believer. I don’t believe that our current systems for breach detection are good enough to let us know quickly enough that there has been an attack worth changing our passwords for. So I still say, change them regularly!
Turn on Multi-Factor Authentication (MFA)
What if your password changed every few seconds? That’s the power that multi-factor authentication brings. It’s the process of augmenting something you know (a traditional password) by adding something you have (a rotating code from your phone or another physical device). The chance of someone compromising both your password and the constantly changing code is infinitesimal.
MFA is also becoming more popular in the enterprise given new regulatory mandates. If your account or website supports it, then switch it on for another layer of protection. FYI – Twitter, Facebook, LinkedIn, and many other popular systems on the Internet support a form of MFA. Turn it on NOW!
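The "rotating code from your phone" is usually a TOTP (RFC 6238) value derived from a shared secret and the clock. The following is an added example, not code from the post or from any authenticator app, showing both the phone side (generating the code) and the server side (verifying it with a small drift window); the only secret used is the RFC's published test key, not a real one.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password for a given counter value."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                            # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based variant: the counter is the number of elapsed steps,
    so the code changes every `step` seconds (30 s in most apps)."""
    return hotp(secret, unix_time // step, digits)


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps receive the shared secret as base32 (QR code or text)."""
    return base64.b32decode(encoded.upper())


def verify(secret: bytes, code: str, unix_time: int,
           window: int = 1, step: int = 30) -> bool:
    """Server-side check. Accepts the current step plus or minus `window` steps
    to tolerate clock drift, comparing in constant time. A real server must also
    refuse to accept the same code twice within its step (replay protection)."""
    for k in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, unix_time + k * step, step), code):
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 test secret (the ASCII digits "12345678901234567890"), not a real key.
    demo = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    now = int(time.time())
    code = totp(demo, now)
    print("current code:", code, "accepted:", verify(demo, code, now))
```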
Automate the Password Process
If the bad guys use tools to help them do bad things, why shouldn’t you use tools to fight them? A password manager allows you to automatically make different passwords for every site, change them on a regular basis, and keep your sanity.
Whatever it takes, PLEASE stop using spreadsheets and sticky notes. They may be convenient, but they’re destroying the security value of setting a password in the first place.
As for password managers, I’ve used Dashlane and LastPass. They aren’t the only ones out there — find one you like. Look for one that provides you not just password management, but also:
- Generate long, random passwords automatically
- Auto-fill passwords in forms on the web for you
- Automatically change your passwords on popular systems
- Auto-fill credit card information onto web sites
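As an added example of the first bullet (not Dashlane's or LastPass's code, just a sketch of what such a generator does), this draws per-site passwords and space-separated passphrases from the operating system's cryptographic random source and checks them against a typical complexity policy. The word list is a constructed stand-in; a real generator uses a list of several thousand words.

```python
import secrets
import string

# Constructed tiny word list for demonstration only. A real generator uses a
# list of thousands of words so that each word adds roughly 13 bits of entropy.
WORDS = ["copper", "mountain", "velvet", "ladder", "orbit", "saddle",
         "pepper", "window", "canvas", "meadow", "rocket", "silver",
         "thunder", "basket", "harbor", "pencil"]
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"
CLASSES = [string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS]


def random_password(length: int = 20) -> str:
    """Per-site password from the OS CSPRNG (secrets, never random.choice),
    resampled until every class a typical policy asks for is present."""
    alphabet = "".join(CLASSES)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in CLASSES):
            return pw


def random_passphrase(word_count: int = 5, words=WORDS) -> str:
    """Space-separated passphrase: memorable, and long enough to resist guessing
    when the word list is large. Words are chosen uniformly and independently."""
    return " ".join(secrets.choice(words) for _ in range(word_count))


def meets_policy(pw: str, min_len: int = 12) -> bool:
    """A common site policy: minimum length plus one character from each class."""
    return (len(pw) >= min_len
            and all(any(c in cls for c in pw) for cls in CLASSES))


if __name__ == "__main__":
    print("password:  ", random_password())
    print("passphrase:", random_passphrase())
```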
So what are you waiting for?
Until all systems authorize us with a glance, a drop of saliva, or some other unique identifying factor, we’ll be using passwords. Use these tips to make strong password security easier and to breathe a bit easier. A moment of planning can prevent a painful year of cleaning up an identity theft.
Be sure to follow Alpine Cyber on LinkedIn, Twitter, and Facebook.