Four Easy Steps to Good Password Hygiene

Jun 20, 2023

Want some easy ways to thwart cybercriminals? Password hygiene is essential. With all the talk about cybercrime and the headlines about ransomware, concerns for your data security and the safety of your business keep growing. Avoiding a data breach is critical to your business, so it is vital that you focus resources and time on cybersecurity. Your MSP can be your best support for handling the variety of solutions to the problem of cybercrime. However, don’t forget what you can do on your own. Amidst all the sophisticated tools to protect your data, don’t forget the role of the lowly password. Passwords are there all the time, so we tend to take them for granted.

Here are four easy best practices for good password hygiene:

Strong Passwords

Many advisors suggest that a strong password includes letters, numbers and symbols. Basic vocabulary words, from any language, can often be hacked through brute force: simply trying a stream of words until one is correct. Numbers and symbols can make that less successful. But don’t just tack numbers and symbols onto the end. Make your passwords at least sixteen characters long by starting with short random words or a short phrase. Then swap out letters with caps, numbers and symbols. The longer and more complex your password, the longer it takes to crack: the typical 6-8 character password takes from one second to three minutes to crack, which is cheap for hackers to do. A 12-character complex password will take 27 years. Check your password here.

Update Passwords

The longer a password has been around, the more likely it is to have been compromised. Change passwords frequently and on a regular schedule, just like changing the batteries in your smoke detector. Try the first day of every third month, season changes, or whatever sticks with you.

Cancel Accounts when Access is no Longer Needed

In a workplace setting, access should be eliminated immediately upon the termination or transfer of an employee, or when they no longer need access to particular resources for their job function. Not tomorrow, not later today: immediately. This is particularly true in the case of an involuntary termination, when a now former employee may have a motivation to act nefariously. Also, when an employee’s job duties change, some access from their previous position may no longer be relevant to their new role.

Multi-factor Authentication

Multi-factor authentication (MFA) is an access process that requires a second step to access data. You probably come across it frequently. Many banking sites now use MFA for returning customers who want access to their account. MFA asks for your password and then authenticates you by having you input a one-time code from another platform. Most frequently, this means sending you a text or calling you. The intent is to diminish the possibility that the password is being used by someone not authorized to have it.

While texts and phone calls are better than no MFA, they are not the most secure method. Instead, use a trusted app such as Microsoft Authenticator or Google Authenticator. Both are free and available in the stores for Android and iOS. These apps are tied to your phone, but a SIM compromise does not easily impact them, because they require you to log in to them with private credentials during setup. (So, keep the account you use for the apps secure!) Then, when you add various accounts to the apps, they generate one-time passcodes every minute. So you can’t take a code and walk away with it, so to speak, because it will be retired and replaced in 60 seconds.

Both apps now allow backup to the account they are installed with, so when you change phones, you can transfer accounts. This is very important; otherwise you’re left contacting vendors to get you back into accounts when you lose your phone. Some accounts offer backup codes that can be used in such a case. Whatever you use for MFA and account recovery, keep it secure! If you think this seems like a lot of fuss, ask someone who’s had their accounts compromised how much fuss that is! One final note: keep your phone locked with a password or biometrics so only you can get your passcodes.

Now you’re on the road to better password hygiene.

If you have questions, contact us. We love helping you get more secure.
