County News

Lock it down: Essential password management

Author

Rita Reynolds

Chief Information Officer & Managing Director, County Tech Xchange

This week will focus on an area that we as employees have a significant amount of responsibility and control over – our passwords! 

While we are getting closer to a passwordless society, where you can use biometrics (like your fingerprint or eye), we aren’t quite there yet in full adoption of that practice.

Until then, your online identity needs to be protected with strong passwords. One may ask why so much attention needs to be given to creating and maintaining passwords. Well, it’s no different than other areas of your life, such as keeping your house secure. There are many ways to do that, including locking the doors and windows, installing a camera system, building a fence, living in a gated community, being cautious with spare keys, and locking your valuables in a secure location (e.g., a home safe). Some individuals hire a security firm or guard to monitor their home. While most of you do not go that far, you do practice many of the other security measures.

Another area where you practice strong security safeguards is with your vehicle. You lock the car doors when you are out and about, you don’t leave the keys in the car, nor do you leave valuables in plain sight in the car.  You most likely park your vehicle in the home garage or in a lighted area of a parking lot. These are essentials in keeping those valuables safe and secure.

Securing those passwords can bring the same level of security to your online identity, whether at work or in your personal life. And it’s not that difficult. Creating strong and secure passwords is critical for protecting sensitive data and accounts. Here are some best practices that will help thwart efforts to invade your secure identity. 

 

1. Use long passwords - Aim for at least 12-16 characters. It used to be that eight characters were good enough. That is no longer the case. The longer the password, the more difficult it is to crack. Some systems allow even longer passwords, which greatly increases security.

2. Combine uppercase, lowercase, numbers and symbols - Use a mix of character types to create complexity, including uppercase letters (A-Z), lowercase letters (a-z), numbers (0-9) and special characters (e.g., !, @, #, $, etc.).

3. Avoid common words or phrases - Avoid using common passwords like "password," "123456," or easily guessable words such as your name, birthday, or "admin". Also avoid predictable keyboard patterns like "qwerty" or "12345."

4. Do not reuse passwords – I know it’s tempting, but each of your accounts should have a unique password. If one account is compromised, those reused passwords allow attackers to access multiple accounts.

5. Use passphrases - Passphrases made up of random words or a memorable phrase may be easier for you to remember. For example: "MyfavoritecarIs2024!" is harder to guess but easy to remember.

6. Enable Multi-Factor Authentication (MFA) - Where possible, add an extra layer of security by enabling MFA, which requires a second form of authentication, such as a code sent to your phone. Remember, the hackers don’t have access to your phone so won’t be able to break into your online account without that.

7. Use a password manager - Password managers, much more common these days, generate and store complex passwords for each account, so you only need to remember one master password. And for personal use, they are generally available at no cost.

8. Avoid using personal information - Don’t use easily discoverable information such as your name, address, phone number, or family members' names or birth dates.

9. Change passwords regularly (with caution) - While regularly changing passwords is still a common recommendation, it is less critical if you’re using strong, unique passwords with MFA. However, change your password immediately if you suspect a breach.

10. Do not share passwords – And finally, never share your passwords, especially over email or messaging apps. I know it can be tempting to store that password on a sticky note on your computer screen, BUT DON’T DO IT! Anyone could walk up to your unattended device and steal that password.
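The items in the list above that a program can check (1, 2, 3, 4 and 8) can be turned into an automated audit, together with a rough measure of why length matters. The Python below is an added example, not part of the original article; the function names, the `personal` and `in_use` parameters and the sample passwords are assumptions constructed for illustration, and the deny-list holds only the words quoted in item 3.

```python
import math
import string

# Values quoted in practice 3 of the list; a real deny-list would be far longer.
COMMON = {"password", "123456", "12345", "qwerty", "admin"}
MIN_LENGTH = 12  # low end of the 12-16 range in practice 1
CLASSES = {
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "number": string.digits,
    "symbol": string.punctuation,
}

def search_space_bits(password):
    """Upper bound on brute-force work, in bits, if every character were random."""
    pool = sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))
    return round(len(password) * math.log2(pool), 1) if pool else 0.0

def audit(password, personal=(), in_use=()):
    """Return the practices from the list that `password` breaks (empty = none)."""
    lowered = password.lower()
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append("1: shorter than 12 characters")
    missing = [name for name, chars in CLASSES.items()
               if not any(c in chars for c in password)]
    if missing:
        findings.append("2: no " + ", ".join(missing))
    if any(word in lowered for word in COMMON):
        findings.append("3: contains a common password or keyboard pattern")
    if password in in_use:
        findings.append("4: already used on another account")
    if any(item.lower() in lowered for item in personal if item):
        findings.append("8: contains personal information")
    return findings

if __name__ == "__main__":
    # Constructed samples; "Jordan" stands in for a user's own name.
    for pw, who in [("Admin12345", ()), ("Jordan#Courthouse19", ("Jordan",)),
                    ("MyfavoritecarIs2024!", ())]:
        print(pw, search_space_bits(pw), audit(pw, personal=who))
```

The bit count is an upper bound that assumes random characters, so a password built from dictionary words is weaker than the number suggests.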

Remember, for now, passwords are “keys to your online kingdom”. While you cannot eliminate all risks, by following these practices, you do significantly reduce the risk of unauthorized access to your accounts. 

For more information that can guide you on this password journey, visit the website of the Cybersecurity and Infrastructure Security Agency (CISA). It provides valuable resources on cybersecurity, such as Weak Passwords and Secure Our World.
