Passwords… my, how we have grown into a love hate relationship with them.
At one end, they are the first step, and arguably the most important step, in protecting our sensitive information. At the other end, they are these things we constantly struggle to remember; it feels as if we are always being asked to change them, and, to be honest, they are kind of a pain in our necks.
Why can’t we just easily log in to the website we want, get the information we need and carry on with our day? Hackers, that’s why. Now before I go further, I want to explain that not all hackers are bad. After all, I am one. There are many of us whose job revolves around trying to catch them, and to catch one, you have to become one. For all my fellow nerds out there, I will say that there is a light side and a dark side.
So how do we prevent ourselves from becoming a victim of these so-called hackers, you ask? Well, this is a loaded question. While no one currently has a foolproof, 100% way of protecting us, we do have many security best practices that we can follow.
First on the list, and in my opinion the most important, is passwords. I like to compare passwords to keys. We all use keys every day to protect our most valuable items like our homes, our cars, our mailboxes, etc. Passwords work in a similar fashion, in that they lock and unlock our online information. This is why it is important for us to follow the brief guidelines below in order to better protect ourselves. I also encourage everyone to research the topics below further, as there is just too much information out there to share in one blog post.
Strong Passwords – When you hear someone talk about having a strong password, what they mean is having a password that is not easily guessed or cracked. In today’s age, we have programmed computers to be very good at guessing (cracking) passwords.
Below are some tips on how to protect yourself better.
- NEVER SHARE YOUR PASSWORD! The only person who should ever know your password is YOU. Never give your password out to anyone or any company. We will never ask you for your password and if you do get asked for your password, it most certainly is a scam.
- Make them long – 15 characters minimum whenever possible. The length of your password is the most important factor in having a strong password.
- Add complexity – Make sure to add at least one uppercase letter, a number, and a special character. Here are some examples of special characters (!@#$%^&*).
- Use spaces when allowed. For example, the password “I really Love Running al0t!” is much stronger than “Th8#4jPz”. This is because, mathematically, it takes significantly longer to crack a 27-character password than an 8-character one. If you only counted 23 characters in the password above, that is because we see spaces as blank or empty, but to a computer a space is a character like any other! So the spaces make our password 27 characters long while also making it much easier to remember.
- Do not use single dictionary words, people’s names, birthdays, keyboard patterns (qwerty), or common phrases, and never use the word password or any variation of it.
- Examples of bad passwords – ryan25!@, Ryan1234, 123456, bmwDr1ver!, P@55w0rd2016, password, LivingOnaPrayer, mypassword1, password1973, etc. You can also do a quick Google search for the most commonly used passwords and make sure your password isn’t on that list.
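As an added example (this is not code from the original post or from the credit union), here is a small Python checker that applies the guidelines above to the post’s own sample passwords: minimum length, uppercase, digit and special character, no keyboard walks, no variation of the word “password”, and a lookup against a common-password list. It also compares the brute-force keyspace of the 27-character passphrase with the 8-character one to show why length matters so much. The common-password list and keyboard rows are constructed stand-ins, and the guess rate of 10 billion guesses per second is an assumption chosen only for illustration.

```python
import string

# Constructed stand-in for the published "most common passwords" lists the post
# suggests looking up; a real deployment would load a large breach-derived list.
COMMON_PASSWORDS = {
    "password", "password1", "123456", "qwerty", "letmein", "mypassword1",
    "p@55w0rd2016", "ryan1234", "livingonaprayer", "password1973",
}

# Constructed keyboard rows used to spot walks such as "qwerty" or "1234".
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]

SPECIALS = set(string.punctuation)   # includes the !@#$%^&* examples from the post


def leet_normalize(pw: str) -> str:
    """Undo common letter substitutions so that P@55w0rd is compared as 'password'."""
    table = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                           "0": "o", "5": "s", "$": "s", "7": "t"})
    return pw.lower().translate(table)


def has_keyboard_pattern(pw: str, min_run: int = 4) -> bool:
    """True if pw contains min_run or more adjacent keys from one row, in either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - min_run + 1):
            frag = row[i:i + min_run]
            if frag in low or frag[::-1] in low:
                return True
    return False


def check_password(pw: str, min_length: int = 15) -> list[str]:
    """Return the guideline violations for pw; an empty list means it passes every check."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in SPECIALS for c in pw):
        problems.append("no special character")
    normalized = leet_normalize(pw)
    if pw.lower() in COMMON_PASSWORDS or normalized in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    if "password" in normalized:
        problems.append("contains the word 'password'")
    if has_keyboard_pattern(pw):
        problems.append("contains a keyboard pattern")
    return problems


def keyspace(pw: str) -> int:
    """Number of candidates a brute-force search must try for pw's length and character classes."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in SPECIALS for c in pw):
        pool += len(SPECIALS)
    if " " in pw:
        pool += 1          # the space counts as a character, as the post points out
    return pool ** len(pw)


def brute_force_years(pw: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case years to exhaust the keyspace at an assumed guess rate (the 1e10/s default is an assumption)."""
    return keyspace(pw) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for candidate in ["I really Love Running al0t!", "Th8#4jPz", "P@55w0rd2016", "Ryan1234"]:
        verdict = check_password(candidate) or ["passes all checks"]
        print(f"{candidate!r}: {len(candidate)} chars, ~{brute_force_years(candidate):.3g} years "
              f"to exhaust; {'; '.join(verdict)}")
```

The keyspace figure is an upper bound: it assumes an attacker tries every combination, whereas real cracking tools try leaked lists, dictionary words and common phrases first. That is why the list lookup and the word checks sit alongside the length rule rather than replacing it.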
Do not reuse the same password for multiple sites – This is very important, VERY important. Hackers are hoping that you use the same password for everything. That way, when a website gets breached and the usernames and passwords get released, they can use that same password to gain access to other websites. One way to fight this is to use what is called a password manager, a program that helps you keep track of all those passwords. A popular one you can look into is called LastPass. Or you can be extra cautious like me and write them all down on a piece of paper and store them in a fireproof safe.
Change your passwords frequently – Passwords should be changed at least annually, but I recommend every 90 days for websites that store sensitive information like financial account information, tax information, credit card information, and especially your email accounts. If someone malicious gains access to your email account, they will use that access to reset your passwords on other websites. If you find out that a website you use has been breached, for example LinkedIn or Yahoo, you should immediately change your password on every website where you used that password, to protect yourself from a possible compromise.
There are certainly many more things we can do to better protect ourselves online, and I again encourage you to research best practices and other approaches to keeping your information safe. In the second part of the series, I will talk more about phishing scams and how we can better protect ourselves.
Shawn Jones, OSCP, CISA
Cyber Security Specialist
Collins Community Credit Union