
If you’re ready to start improving your security (both personal and at your business), the first place to focus is passwords.
Passwords? Really? Not a fancy new firewall or the latest next-gen-AI-cyber platform? No, passwords.
Weak passwords are a huge risk
Coming up with and remembering passwords is hard for most people. When you start looking at all the rules to make good passwords and the sheer number we need, it’s not hard to understand why we suck at passwords.
We pick simple passwords. We reuse passwords. We write them down in books. We share them.
In fact, SplashData releases a list of the Top WORST passwords every year. This year’s worst includes standard favorites like 123456, password and qwerty, plus new ones like starwars and 123123. Lame.
Consider the number of account breaches we’ve seen over the past few years, like this massive 41 gigabyte, 1.4 billion account and password database that was found on the dark web. One of my favorite check-in sites, HaveIBeenPwned?, provides a search engine to see if your email address and password have been leaked. They have more than 4.8 billion accounts listed.
It’s very likely one or more of your accounts has been breached at some point, and those credentials are available for sale.
Improve your security by improving your passwords
Every business should be looking for simple ways to improve security. We should be doing the same at home. Using good password rules works across the board to reduce your cyber risk.
Here are some simple rules for creating good passwords:
Think passphrase, not password
The password is dead. Long live the password. It’s hard to come up with an 8+ character word that meets all the other rules of good passwords. So switch to passphrases instead. With a phrase it’s easy to have a 12+ character “password” without straining your creative brain cells.
Punctuate … creatively
Passwords should be complex. We should include a combination of letters (upper and lower case), numbers and special characters. If you’re using a phrase, you can meet many of these requirements by simply punctuating (creatively) and replacing a common letter with a number.
For example:
Phrase: I hate passwords
Passphrase: I.Hate.Passw0rds!
(password provided for example purposes only. It’s not my gmail password. Really.)
Note: Some systems allow spaces in passwords, others don’t. You may have to be flexible with the rules to meet the criteria for any given system.
Use a password manager
Every system should have a unique password. That way if there’s a breach it’s limited to that one system. Using slight variations (adding a 1) does not count as unique.
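As an added example (not code from the original post), here is a small Python checker that applies the rules above: the 12+ character passphrase with mixed case, a digit and punctuation, the worst-passwords entries the post names, and the “adding a 1” test for passwords that are not really unique. The account names and passwords in it are constructed.

```python
import re
import string

# The worst passwords the post names from the SplashData list (constructed subset).
WORST_PASSWORDS = {"123456", "password", "qwerty", "starwars", "123123"}

# The post's rule of thumb: a passphrase of 12+ characters.
MIN_LENGTH = 12


def check_passphrase(candidate):
    """Return the list of rule violations; an empty list means the passphrase passes."""
    problems = []
    if candidate.lower() in WORST_PASSWORDS:
        problems.append("appears on the worst-passwords list")
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in candidate):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in candidate):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    if not any(c in string.punctuation for c in candidate):
        problems.append("no special character")
    return problems


def is_slight_variation(a, b):
    """True when two passwords are the same apart from case or trailing digits/punctuation,
    e.g. 'Summer2023!' vs 'Summer2024!', which the post says does not count as unique."""
    def core(s):
        return re.sub(r"[\d\W_]+$", "", s).lower()
    ca, cb = core(a), core(b)
    if not ca or not cb:  # all-digit or all-punctuation passwords: compare whole strings
        return a.lower() == b.lower()
    return ca == cb


def find_reused(passwords):
    """Given {account: password}, return pairs of accounts whose passwords are reused
    or only slight variations of each other."""
    names = list(passwords)
    reused = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if is_slight_variation(passwords[a], passwords[b]):
                reused.append((a, b))
    return reused
```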
Unfortunately, when you start using unique passwords you quickly realize how many passwords you need to remember. Between work and home, you could have hundreds.
Enter the password manager. A password manager is a system designed to create really good, unique passwords for each system you use. It stores them in an encrypted database and keeps them synchronized between your systems and devices.
There are a number of great systems out there. Here are a few comparisons of some of the top password managers:
Note: before using a password manager at work, speak to your IT department to make sure it doesn’t violate your IT security policies.
For business: next steps
The next steps for every business should include:
- Implement a good password policy
- Train staff on the importance of good passwords
Once this is in place, we strongly recommend implementing two-factor authentication on major systems, like your email system. It’s built into Google Apps and Office 365, so why not take advantage? We’ll talk about that in an upcoming article.
For personal: next steps
Install a password manager and start updating your weak passwords with strong ones. It’s probably been a long time since you changed your passwords anyhow!