Master password management with these essential tips

In today’s world, virtually everything we interact with requires a password. Since passwords are the gateway to accessing not only your personal accounts but also the data that your entity maintains, every bad actor wants it.

Here are some steps to share with employees to keep their passwords – and your entity – safe.

1. Create a strong password

Ensure your password does not contain common words or patterns. For example, “Spring2024!” seems like a great password. After all, it has a mix of upper and lower-case letters, numbers, and a special character. Unfortunately, while it meets those length/complexity requirements, it is a commonly used password and very easy to guess.

A stronger approach is to combine two unrelated words, for example “PickleGuitar55$”.

2. Use a passphrase

Even better than using a strong password is the use of a passphrase. Choose one that is meaningful to you, but not likely to be guessed or cracked. A passphrase such as “greenpillowsarefluffy” is much more secure, even though it doesn’t include mixed cases, numbers, or special characters.

Adding in those other variables to make that password something like “GreenPill0wsAreFluffy55*” makes it even stronger, and unlikely to be hacked.

At the organizational level, consider updating your password complexity requirements to increase the minimum password length and encourage the use of passphrases to mitigate password hacking. Combining strong passwords with multifactor authentication (MFA) makes your systems more secure.
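The following is an added example, not VRSA's code, that turns the advice in sections 1 and 2 into a policy check an organization could run at password-set time. The minimum length, the short list of predictable words and the sixteen-word passphrase list are all constructed for the example; a real deployment would load a large published wordlist. The check shows why “Spring2024!” fails even though it ticks the character-class boxes, and the entropy helper shows that a passphrase's strength comes from how many words there are to choose from, not from mixed case or symbols.

```python
"""Password policy check and passphrase generation (added example, not the page's code)."""
import math
import re
import secrets

# Policy values are assumptions for this example.
MIN_LENGTH = 12
MIN_PASSPHRASE_WORDS = 4

# Predictable "word + year" constructions such as Spring2024! or Welcome2025.
# Constructed sample, not an exhaustive denylist.
PREDICTABLE_WORDS = ("spring", "summer", "autumn", "fall", "winter",
                     "password", "welcome", "company", "letmein")
_YEAR_PATTERN = re.compile(r"(19|20)\d{2}")

# Constructed stand-in wordlist. A real deployment would use a large diceware
# list (thousands of words) so each word contributes ~12-13 bits of entropy.
WORDLIST = ("green", "pillow", "fluffy", "pickle", "guitar", "harbor",
            "cobalt", "meadow", "saddle", "lantern", "quartz", "velvet",
            "tundra", "orbit", "mosaic", "timber")


def check_password(candidate: str) -> list:
    """Return a list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    lowered = candidate.lower()
    # A common word followed by a year is guessable no matter which symbol ends it.
    if _YEAR_PATTERN.search(lowered) and any(lowered.startswith(w) for w in PREDICTABLE_WORDS):
        problems.append("predictable word followed by a year")

    # A bare dictionary word from the denylist is never acceptable.
    if lowered in PREDICTABLE_WORDS:
        problems.append("common word")
    return problems


def generate_passphrase(words: int = MIN_PASSPHRASE_WORDS, separator: str = "-") -> str:
    """Join `words` uniformly random, unrelated words using a CSPRNG (secrets, not random)."""
    return separator.join(secrets.choice(WORDLIST) for _ in range(words))


def passphrase_entropy_bits(words: int, list_size: int) -> float:
    """Entropy of a passphrase drawn uniformly from `list_size` words, `words` times."""
    return words * math.log2(list_size)


if __name__ == "__main__":
    for sample in ("Spring2024!", "PickleGuitar55$", "greenpillowsarefluffy"):
        print(f"{sample!r}: {check_password(sample) or 'accepted'}")
    print("generated:", generate_passphrase())
    print("4 words from this toy list:", passphrase_entropy_bits(4, len(WORDLIST)), "bits")
    print("4 words from a 7776-word list:", round(passphrase_entropy_bits(4, 7776), 1), "bits")
```

The entropy figures are the reason to raise the minimum length and accept passphrases: four words from the toy list above give only 16 bits, while four words from a 7776-word list give about 52 bits, regardless of whether the result is all lower-case.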

3. Update passwords regularly

Changing your passwords regularly is critical. It would be easier not to create new passwords often, but bad actors continue to find new techniques for accessing your account, so it is essential to make sure they do not gain and keep access.

One of the newest threats allows them to steal your MFA token and access your account. These so-called “Man in the Middle” attacks allow the bad actor to log in as you while tricking the system into thinking it is you because they have a valid token.

Changing your password on a monthly (or even more frequent) basis will invalidate the token they have and force them out of your account.

This matters because bad actors will often gain access to your account and take the time to learn about you before acting, so that their attack is better informed: by then they have learned who you communicate with, what types of messages you send, and so on.

Organizations that force frequent password changes through automated policies and have multifactor authentication enabled on their user accounts can flush out bad actors who are lurking in their network by way of a compromised authentication token.
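The following is an added example, not VRSA's code, showing one way a service can make the password change described above actually retire a stolen token. Each user record carries a password generation counter, every token the server issues is signed and bound to the generation current at login, and validation rejects any token whose generation no longer matches. The `AccountStore` class, the PBKDF2 password hash, the HMAC token format and the server key are all constructed for the example; a real service would use its own session or token framework and load the key from a secret store.

```python
"""Retiring authentication tokens on password change (added example, not the page's code)."""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed signing key for the example; a real service loads it from a secret store.
SERVER_KEY = secrets.token_bytes(32)


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for the service's password hash (argon2/bcrypt/scrypt are also fine).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class AccountStore:
    """Minimal user store keyed by username (example data structure)."""

    def __init__(self) -> None:
        self._users = {}

    def create_user(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = {
            "salt": salt,
            "hash": _hash_password(password, salt),
            "password_generation": 1,  # bumped on every password change
        }

    def change_password(self, username: str, new_password: str) -> None:
        user = self._users[username]
        user["salt"] = secrets.token_bytes(16)
        user["hash"] = _hash_password(new_password, user["salt"])
        user["password_generation"] += 1  # this is what retires every earlier token

    def login(self, username: str, password: str) -> Optional[str]:
        """Verify the password and, on success, issue a token bound to the current generation."""
        user = self._users.get(username)
        if user is None:
            return None
        if not hmac.compare_digest(user["hash"], _hash_password(password, user["salt"])):
            return None
        return self._issue_token(username, user["password_generation"])

    def _issue_token(self, username: str, generation: int) -> str:
        payload = json.dumps({"sub": username, "gen": generation}, separators=(",", ":")).encode()
        body = base64.urlsafe_b64encode(payload)
        sig = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
        return (body + b"." + base64.urlsafe_b64encode(sig)).decode()

    def validate_token(self, token: str) -> Optional[str]:
        """Return the username if the token is authentic and still current, otherwise None."""
        try:
            body, sig = token.encode().split(b".", 1)
            expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
            if not hmac.compare_digest(expected, base64.urlsafe_b64decode(sig)):
                return None  # forged or tampered
            claims = json.loads(base64.urlsafe_b64decode(body))
            username, generation = claims["sub"], claims["gen"]
        except (ValueError, KeyError, TypeError):
            return None
        user = self._users.get(username)
        if user is None or generation != user["password_generation"]:
            return None  # issued before the last password change: treat as expired
        return username


if __name__ == "__main__":
    store = AccountStore()
    store.create_user("alice", "GreenPill0wsAreFluffy55*")
    token = store.login("alice", "GreenPill0wsAreFluffy55*")
    print("before rotation:", store.validate_token(token))  # alice
    store.change_password("alice", "PickleGuitar55$-rotated")
    print("after rotation:", store.validate_token(token))  # None
```

The generation counter is deliberately used instead of a "password changed at" timestamp so that validation does not depend on clocks being in sync across servers; the same check applies equally to session cookies, refresh tokens and any other bearer credential the service issues.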

4. Never share passwords

To protect your systems and provide the ability to audit who did what in those systems, everyone should have a unique username and password. Develop policies to ensure users are not sharing passwords or account credentials.

5. Consider a password management vault

The best passwords are random strings of letters, numbers, and special characters, but who can remember that? And if you follow the best practice of having a separate password for every account and changing the passwords frequently, how could you possibly remember all those unique, random passwords?

That is where a password management vault is helpful. A password management vault can securely store all your passwords, integrate with your browser to enter the information when you go to the site where the credentials are needed, and requires you to remember only one master password.

6. Protect privileged accounts

As the name implies, privileged accounts have elevated permissions in your systems and are highly desired targets for bad actors. As such, extra precautions should be taken with these accounts.

These accounts should have the most complex passwords, which are changed frequently and protected by MFA. Also, your entity may consider a separate password vault for privileged access. Access to the credentials in that vault should be restricted to those users whose job requires them to log in with that level of access for administrative reasons.

As always, cybersecurity training for end users is one of the best ways to protect not only yourself but your entity’s data and systems. Be sure to check out the free, unlimited training courses available to members at VRSA’s Online University.

As methods evolve to cause disruption or exploit victims, entities should remain vigilant to adapt controls, defenses, and password policies. We recommend subscribing to updates from the Cybersecurity & Infrastructure Security Agency here.