Flossing is Hard: Passwords are the dental floss of the internet. They take precious time to use, everyone hates them, they cause mild discomfort, and the consequence of negligence could spell doom. Not immediate doom. But eventual in inevitable doom. Oh and by the way, China knows your password! Your favorite one. The really complex one you made up 6 years ago that combines your sister’s phone number, your son’s birthday, and the exclamation point at the end. They also know your other favorite one. “Sweetie”.
Password Strength: Last week I gave you a tripwire you could use to foil a ransomware attacker with a strong password. Continuing the theme, this week we discuss the importance of password hygiene. Password hygiene involves the strength, uniqueness, and practices of passwords.
The Longer the Better: Compare password hygiene to dental floss hygiene – make them long, change frequently, and don’t share. When it comes to length, longer = stronger. In fact, length is more important than complexity. So instead of using a complex array of gibberish letters, numbers and symbols, the best practice is to create a passphrase. A passphrase is a list of unrelated common words. It is easier to for you to remember and harder for a computer to crack. In this example from www.xkcd.com/936/ , the password Tr0ub4dor&3 is difficult to remember but can be cracked in 3 days. However, if we tie four common unrelated words together like “correct horse battery staple”, it would take 550 years to crack.
Don’t Re-use Your Floss: You may question, “If I create one strong passphrase, I could use it for all my accounts and I’ll be safe?” Well, not exactly. That’s where the second part of “treat-passwords-like-dental-floss” comes in. Don’t share. Today, you have so many accounts with passwords to remember. You have your email, company login, bank, investment, social media, gaming … the list goes on. Major breaches like LinkedIn and DropBox have exposed your username (typically your email address) and password. The information from these breaches eventually ends up on the Dark Web available for any cyber-criminal to peruse. To see if your email address is on the Dark Web, you can check it at www.haveibeenpwned.com. A trusted advisor can offer Dark Web checks for your business domains.
Try It Everywhere: When the hacker acquires your credentials, they will test them against popular websites hoping you reused the password. Maybe you have a Wells Fargo, or Merrill Lynch account with the same username and password. If they succeed, the consequences could be disastrous.
Password Managers: You may want to reconsider letting your browser manage your passwords. The saved password feature of browsers is great for ease of use for you – and a cyber-criminal. These passwords are stored in clear text in the browser can easily be stolen.
Consider the Consequences: Since there are so many long passwords to remember, using a Password Manager can ease your password woes. A Password Manager can create, encrypt, store, and autofill your passwords for multiple accounts and make it harder for hackers to get them. Password managers can also protect you from Some recommend free managers are: Apple Key Chain, Bitwarden and KeePass. You may hate to floss. You may hate password hygiene. But until there is something better, consider the consequences.