Top 3 Password Recommendations

It seems like I am creating a new account almost every day for websites, remote applications, programs, or services.  And I am not sure about you, but I already have way too many passwords to keep track of.  That overload is the root of the largest password risks people and organizations face: how passwords get chosen, and where they get stored.

What can you do about it?  I have 3 general recommendations: enable Multi-Factor Authentication (MFA) anywhere you can, create long, complex passwords that are unique to each application, and store them in a password manager.

Are you in the Green?

Does this sound familiar?  You go to log onto your favorite website, type in your username, and then your password.  Up pops an error message – “Please reset your password.” Great… you go through the reset process and add a 1 to the end of it? Or was it a 2? Or an exclamation point? This is the worst.

There is no question within the world of IT that the password system is broken.  There are too many sites, too many variations of “password requirements,” forced password resets, and no way to stay on top of them all.  The truth is that most people use weak passwords and then reuse them on different websites.  Here’s the problem – any time we choose our own passwords, we are going to simplify them to make them easier to remember, and no matter what the rules are, we end up with relatively weak passwords. Here are 2022’s worst passwords — don’t use any of these.

Hivesystems created a great infographic (below) showing how long it would take an attacker to brute-force a password of a given length and character mix.  Two caveats apply: the times assume the attacker is cracking a leaked password hash offline, and they only hold for random passwords.  A password that appears on a wordlist, or a dictionary word with a digit or symbol tacked on the end, is tried first and falls instantly whatever its length.  The question is: is your password in the green?
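To make the “guess time” idea concrete, here is an added example (not from the infographic or the original post) that computes the brute-force keyspace for a password from the character classes it uses and converts that into a cracking time at an assumed guess rate. The guess rate of 10 billion per second, the small wordlist, and the mangling rule are all assumptions chosen for illustration; the point it adds to the text is that a wordlist password with “1!” bolted on scores well on length and complexity yet falls instantly.

```python
import math
import string

# Constructed stand-in for the wordlists every cracking tool ships with
# (a handful of entries in the spirit of the "worst passwords" lists; not the page's data).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "iloveyou"}

# Character classes a brute-force attacker must cover. Each extra class used
# widens the per-position alphabet, which is what "complex" buys you.
CHAR_CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation),      # 32
}


def alphabet_size(password: str) -> int:
    """Size of the smallest standard alphabet containing every character of password."""
    if not password:
        return 0
    size = 0
    covered = set()
    for chars in CHAR_CLASSES.values():
        if any(c in chars for c in password):
            size += len(chars)
            covered |= chars
    # Characters outside the four classes (space, non-ASCII) widen the alphabet by themselves.
    size += len({c for c in password if c not in covered})
    return size


def keyspace(password: str) -> int:
    """Number of candidates an exhaustive attack must cover to be sure of hitting password."""
    return alphabet_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """Brute-force entropy assuming a random draw from the alphabet (an upper bound)."""
    if not password:
        return 0.0
    return len(password) * math.log2(alphabet_size(password))


def strip_mangling(password: str) -> str:
    """Undo the mangling people apply on forced resets: capitalisation, trailing digits and symbols."""
    return password.lower().rstrip(string.digits + string.punctuation)


def seconds_to_crack(password: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case brute-force time at an assumed guess rate.

    guesses_per_second is an assumed figure for illustration (roughly a GPU rig
    against a fast, unsalted hash), not a number taken from the infographic.
    Anything on a wordlist, with or without the usual mangling, is tried before
    any brute force begins and so falls in effectively zero time.
    """
    if strip_mangling(password) in COMMON_PASSWORDS:
        return 0.0
    return keyspace(password) / guesses_per_second


def human_time(seconds: float) -> str:
    if seconds == 0:
        return "instantly"
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.0f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    for pw in ["Password1!", "abcdefgh", "xq7#Lm2v", "xq7#Lm2vP9!kZa"]:
        print(f"{pw!r:20} {entropy_bits(pw):5.1f} bits  {human_time(seconds_to_crack(pw))}")
```

“Password1!” satisfies every complexity rule and still comes out as “instantly”, while eight random lowercase letters come out at about 21 seconds at the assumed rate; only length and randomness together push the time into the green.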


 Don’t Reuse Passwords!

Password reuse is a serious problem because of the many password leaks that occur each year, even on large websites. When your password leaks, malicious individuals have an email address, username, and password combination they can try on other websites (an attack known as credential stuffing). If you use the same login information everywhere, a leak at one website could give them access to all your accounts. Also note that similar passwords are not much better than reused passwords: if your Facebook password is P@55w0rdFB and your eBay password is P@55w0rdEB, cracking tools apply exactly that kind of substitution and suffix rule automatically.

The worst case is someone gaining access to your email account this way: with it, they can use password-reset links to take over other accounts, such as your online banking or PayPal.

 Why not save passwords in the Browser

Saving passwords in your browser is an easy mistake to make and you likely use it each day.  While it may be tempting to click “Remember Password” when your web browser prompts you, doing so puts your security at RISK.

As you browse the web and create new accounts, your web browser stores a database of logins. Next time you visit a website, your browser scans your previous logins and, if it finds a match, fills in the appropriate login info.  To log in, all you need to do is hit the submit button – no pesky login info to remember.   But here’s the dark side: this database of passwords stored in your browser is not as secure as you might think.

Browsers do encrypt the store, but with a key that any program running as the logged-in user can use (on Windows, Chrome and Edge protect the key with DPAPI; Firefox keeps its key in key4.db next to the passwords unless you set a Primary Password).  That is exactly the position malware is in.  Gaining access to one of your company computers is as simple as having someone open a malicious link.  From there the malware decrypts the contents of the database (gaining access to ALL your private logins) and uploads them to a remote server.  A dedicated password manager’s vault, by contrast, is encrypted under a master password the operating system never holds while the vault is locked.

What’s a password manager?

A password manager is a secure central place to store all your passwords, often with the ability to synchronize with multiple browsers, computers, or even your mobile device.  It also helps you generate unique, complex passwords for every site, making it easier to stay clear of the danger of password reuse.   Password managers also help guard against phishing attacks that direct you to fraudulent websites and try to trick you into entering your password: they offer your login credentials only when you’re at the website the credentials were saved for, matching on the site’s actual origin rather than on how it looks.
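The phishing protection comes down to how the “correct website” check is written. The following is an added example, not code from any real password manager, of an origin-matching rule for autofill alongside the naive substring check that a lookalike domain defeats. It assumes exact scheme, host and port matching with an optional allowance for subdomains of the saved host; real products vary (many match on the registrable domain instead), so treat the rule as illustrative.

```python
from typing import Tuple
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def normalize_origin(url: str) -> Tuple[str, str, int]:
    """Reduce a URL to the (scheme, host, port) triple that identifies its origin."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"unsupported URL: {url!r}")
    # urlsplit already lower-cases the hostname; a trailing dot is the same host.
    host = parts.hostname.rstrip(".")
    port = parts.port or DEFAULT_PORTS[parts.scheme]
    return parts.scheme, host, port


def should_autofill(saved_url: str, current_url: str, allow_subdomains: bool = True) -> bool:
    """Autofill only when the page's origin matches the origin the credential was saved for.

    Rules (an assumed policy for this example):
      * never fill over plain HTTP, whatever was saved;
      * host must be identical, or a subdomain of the saved host if allowed;
      * port must be identical (8443 is not 443).
    """
    s_scheme, s_host, s_port = normalize_origin(saved_url)
    c_scheme, c_host, c_port = normalize_origin(current_url)
    if c_scheme != "https":
        return False
    host_ok = c_host == s_host or (allow_subdomains and c_host.endswith("." + s_host))
    return host_ok and c_port == s_port


def naive_match(saved_url: str, current_url: str) -> bool:
    """The substring check a hasty implementation might do; kept here to show why it fails."""
    return urlsplit(saved_url).hostname in urlsplit(current_url).hostname


if __name__ == "__main__":
    saved = "https://paypal.com/signin"
    for candidate in [
        "https://www.paypal.com/myaccount",        # same site, subdomain
        "https://paypal.com.evil.example/login",   # lookalike: saved host is a prefix
        "https://secure-paypal.com/login",         # lookalike: saved host is a suffix of the label
        "http://paypal.com/signin",                # downgrade to plain HTTP
    ]:
        print(f"{candidate:42} strict={should_autofill(saved, candidate)!s:5} naive={naive_match(saved, candidate)}")
```

The naive check happily fills credentials into paypal.com.evil.example because “paypal.com” is a substring of that host; the strict check refuses, and a human reading the address bar in a hurry is far less reliable than either.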

Additionally, many password managers have features that can help you find weak or reused passwords, tell you when a site has experienced a data breach, or warn you if the password you’re using has been found in a stockpile of stolen user data (encouraging you to change your password immediately).  A well-designed breach check does this without ever sending your password, or even its full hash, to the service.
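The standard way to check a password against a stolen-credential corpus without disclosing it is the k-anonymity range query used by Have I Been Pwned’s Pwned Passwords API: the client hashes the password with SHA-1, sends only the first five hex characters, and receives every known hash suffix under that prefix to compare locally. The code below is an added example of both sides of that exchange, not the page’s or the API’s own code; the leaked-password list and its counts are constructed so the whole thing runs offline, and the live lookup function is included for reference but not exercised.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

PREFIX_LEN = 5


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> Tuple[str, str]:
    """Split the SHA-1 into the 5-char prefix that is sent and the 35-char suffix that stays local."""
    digest = sha1_hex(password)
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines a range query returns (padding entries carry count 0)."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Client side: how many times the password appeared in breaches, 0 if never seen."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# --- Constructed server side -------------------------------------------------
# A stand-in for the breach corpus: plaintexts with made-up occurrence counts.
# The server only ever stores hashes, grouped by prefix, and only ever sees a prefix.
_CONSTRUCTED_LEAK = {"password": 3_000_000, "letmein": 250_000, "correcthorse": 3}


def _build_range_index(leak: Dict[str, int]) -> Dict[str, list]:
    index: Dict[str, list] = {}
    for plaintext, count in leak.items():
        prefix, suffix = split_hash(plaintext)
        index.setdefault(prefix, []).append(f"{suffix}:{count}")
    return index


_RANGE_INDEX = _build_range_index(_CONSTRUCTED_LEAK)


def fetch_range_offline(prefix: str) -> str:
    """Serve a range query from the constructed index; an empty body means no hashes under that prefix."""
    return "\r\n".join(_RANGE_INDEX.get(prefix.upper(), []))


def fetch_range_hibp(prefix: str) -> str:
    """Live lookup against the public endpoint (needs network; not used by the offline demo)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "password-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ["password", "correcthorse", "xq7#Lm2vP9!kZa"]:
        prefix, _ = split_hash(pw)
        print(f"{pw!r:20} sent prefix {prefix}, seen {breach_count(pw, fetch_range_offline)} times")
```

Because the service sees only a five-character prefix, every query is indistinguishable from the hundreds of other passwords sharing that prefix, which is what lets a manager run this check on every vault entry without the check itself becoming a leak.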

Here are the top 4 reasons you should use a password manager.

  1. It is much more secure than the browser password manager
  2. It will encourage more secure passwords (that you don’t have to remember)
  3. It makes sharing data with family and friends much safer, compared to sending your login details in an email or some unencrypted messenger.
  4. It will allow you to keep track of your passwords without having to memorize them.

 Are there risks to using a password manager?

Yes.  There is no way to stay 100% safe online, even with a reliable password manager, and there are certain risks you should know about:

  1. All sensitive data in one place. You’ve probably heard about keeping all your eggs in one basket. That basket could also include credit card details and secure notes, which makes your master password, and the devices you unlock the vault on, the things to protect most carefully.
  2. Backup is not always in your hands. If the provider’s servers fail, you depend on their backup copy. Keep your own periodic export as well, but keep it encrypted: an export sitting on an unprotected disk drive or a poorly protected cloud service is the one-basket problem all over again.
  3. Not using biometric authentication. Biometric unlock makes it easy to touch the fingerprint scanner instead of typing the master password, so you type it less often and expose it less often to shoulder-surfing or keyloggers. It locks the vault on that device; it does not replace a strong master password.
  4. Bad password manager. If it uses weak or unaudited encryption, offers few features, and has poor reviews, you shouldn’t use it. When it comes to securing your vault, price shouldn’t be your first priority.
  5. Forgetting your master password. Are you the only person who knew it, and your password manager has no reset feature? In that case you will be resetting each login one by one. To avoid this, store your master password (and any recovery key the manager issues) in a physically secure place, such as a safe.

Final words

You can mitigate the majority of your risks with these 3 general recommendations:

  1. Enable Multi-Factor Authentication (MFA) anywhere possible
  2. Ensure your passwords are strong and unique
  3. Store your passwords in a password manager.

If you or your organization are struggling to figure out how to keep all of your passwords straight, contact us to start a conversation about Cybersecurity Policy & Controls.