Password Management Tips

Written by:

Joel Caskey
Cybersecurity Manager & Partner
NET Xperts LLC


Greetings, Cybersecurity Super Heroes in Training! 

As I mentioned at the start of the month, I’ll be covering some topics to help you check off some of the positive boxes in the Cybersecurity Awareness game. The first topic that I want to go through in a little more detail is “Password Management.” 

Let’s get down to the nitty-gritty here – passwords are like locks on a door. They protect the critical information stored behind those passwords.  You don’t want a lock that can be easily picked with a paperclip (weak passwords). You also don’t want a lock where anyone can walk into a hardware store and purchase a key for it (commonly used passwords). It’s also a good idea to change your locks when a significant life event occurs (AKA someone leaving that might know your password or administrative passwords). It’s also a good idea to change your locks regularly (with passwords, this can depend on some other security factors, which I’ll go into in just a moment). 

Some good password guidelines to follow: 

  • Passwords should be complex. This protects against “dictionary attacks” where people can just start throwing words at a password prompt to gain access.
    • Complexity standards are constantly changing, but a good guideline is to have passwords be at least 12 characters long, contain multiple types of characters (capital letters, lowercase letters, numbers, and symbols), and not contain your first or last name.
    • To take this a step further, I would advise getting used to a “Passphrase” instead of a “Password.” A passphrase can contain multiple words (it can even be a short sentence) and will satisfy these requirements without making it difficult for you to remember.
  • Don’t use the same password for everything. Yes, I know, “How am I supposed to remember all of these passwords?!?!”. I get it. A good practice is to use a password management platform to manage your passwords. This keeps everything secure while allowing you to use randomized passwords for things. Remember, if a password gets out on the dark web and you’re using it for EVERYTHING, it now means that a bad actor has access to EVERYTHING as well.
  • Change your passwords regularly. This is especially important for critical systems like banking, healthcare, and E-mail (yes, E-mail – I’ll discuss this more in the next blog). Passwords regularly get leaked onto the Dark Web. If you continue to use passwords for a long time, they’ll eventually end up there. That means anyone could go on the Dark Web and get your password and gain access to your confidential or protected information.
  • Know what’s on the Dark Web.  I know what you’re saying… “The Dark Web?  What the heck is that?!” – Well, the Dark Web is a place that you can’t get to through a normal web browser. There’s a whole different level of information sharing that happens out there on the Internet and the average person wouldn’t typically see it. There are sources on the Dark Web that share information such as passwords, social security numbers, credit card numbers, driver’s license information, etc. This is all untraceable due to how it’s stored and shared, but trust me – it exists, and it’s a little scary. There are services (such as our NET X Dark Web Monitoring service) that will traverse the Dark Web for you to find information that may be out there that you’re not even aware of. If you catch it before anything happens, it makes it a lot easier to prevent a breach. 
  • Don’t use a Commonly Used Password. Did you know that a list gets generated every year to show the most commonly used passwords from that year? You would be surprised at some of the passwords that are considered common these days. Many people think alike. They use the same process to develop password schemes. I’ve seen and experienced this first-hand (I deal with a lot of passwords) between users at different customer sites. It’s a good thing to know that this list exists and to keep it in mind when creating a password.
  • Sharing passwords is a no-no. If everyone is using the same account to log in to a specific system, that’s not a good thing. If someone leaves the company, they still have access to those credentials. This also eliminates the ability to audit who made a change and when because everything is being done under the same user ID. How do I know if it was Sally or Jeff that made a change to a file? Generic/shared accounts are more likely to end up getting compromised, and may be a licensing issue, which could come with financial penalties. Long story short – everyone should always have their own set of unique credentials to log in.
  • Do not keep your passwords in an Excel Spreadsheet. I know way too many people who do this. If you’re concerned about not being able to remember your passwords, use password management software. These types of software have additional security built into them, such as encryption and Multi-Factor Authentication, to store your passwords in a secure manner. Excel Spreadsheets (even ones that are password protected) can be easily compromised and stolen by ransomware. One false click is all it takes. Don’t put yourself in that situation.
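To make the complexity, "no names," and "no common passwords" rules above concrete, here is an added example (not code from the original post or from NET Xperts) of a small password policy checker together with a passphrase generator. It assumes a policy that requires all four character types, treats the short common-password set and the word list as constructed stand-ins (a real deployment would load a published worst-passwords list and a large word list such as a diceware list), and uses only Python's standard library.

```python
import re
import secrets
from dataclasses import dataclass, field

# Constructed stand-in for the yearly "most commonly used passwords" list the
# post mentions; a real check would load the full published list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "iloveyou"}

# Constructed mini word list for passphrases; assumed, not a standard list.
WORDS = ["anchor", "basket", "candle", "dolphin", "ember", "forest",
         "garden", "harbor", "island", "jungle", "kettle", "lantern"]

MIN_LENGTH = 12  # the post's "at least 12 characters" guideline


@dataclass
class PolicyResult:
    ok: bool
    problems: list = field(default_factory=list)


def check_password(password, first_name="", last_name="", common=COMMON_PASSWORDS):
    """Apply the post's guidelines: length, character types, no names, not common.
    Returns a PolicyResult listing every rule that failed (empty list means OK)."""
    problems = []

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Assumed policy: require every one of the four character classes.
    classes = {
        "uppercase": re.search(r"[A-Z]", password),
        "lowercase": re.search(r"[a-z]", password),
        "digit": re.search(r"[0-9]", password),
        "symbol": re.search(r"[^A-Za-z0-9]", password),
    }
    missing = [name for name, hit in classes.items() if not hit]
    if missing:
        problems.append("missing character types: " + ", ".join(missing))

    # Case-insensitive substring check so "JoelCaskey2024!" is caught too.
    lowered = password.lower()
    for name in (first_name, last_name):
        if name and name.lower() in lowered:
            problems.append(f"contains the user's name {name!r}")

    if lowered in common:
        problems.append("appears on the common-password list")

    return PolicyResult(ok=not problems, problems=problems)


def make_passphrase(n_words=4, words=WORDS, sep="-"):
    """Build a memorable passphrase from random words using the CSPRNG in
    `secrets`, then capitalize one word and append a digit and a symbol so the
    result also satisfies the character-type rule in check_password()."""
    chosen = [secrets.choice(words) for _ in range(n_words)]
    chosen[secrets.randbelow(n_words)] = chosen[secrets.randbelow(n_words)].capitalize() \
        if False else chosen[0].capitalize()  # placeholder replaced below
    # (rewritten plainly for clarity)
    chosen = [secrets.choice(words) for _ in range(n_words)]
    idx = secrets.randbelow(n_words)
    chosen[idx] = chosen[idx].capitalize()
    return sep.join(chosen) + str(secrets.randbelow(10)) + "!"


if __name__ == "__main__":
    for candidate in ("password", "JoelCaskey2024!x", "Correct-Horse-Battery7!"):
        result = check_password(candidate, first_name="Joel", last_name="Caskey")
        print(f"{candidate!r}: {'OK' if result.ok else 'REJECTED'} {result.problems}")
    phrase = make_passphrase()
    print("generated passphrase:", phrase, check_password(phrase, "Joel", "Caskey").ok)
```

Running it rejects `password` (too short, missing types, on the common list) and `JoelCaskey2024!x` (contains both names), accepts the passphrase-style `Correct-Horse-Battery7!`, and every phrase from `make_passphrase()` passes the same checker.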


As I mentioned, passwords are like the keys to a locked door. They are the first line of defense in keeping things behind the door secure. You wouldn’t leave your keys on a table in front of your house or publish copies of your keys for anyone to get. Let’s keep those locks secure by promoting good Password Management skills, and get yourself one step closer to being a Cybersecurity Super Hero.

Until next time, my friends… stay safe out there, and stay tuned for more!