Back to Basics – Password Management
Passwords are a necessary evil of modern life. Today on Back-to-Basics we will cover some best practices for password selection and management. Quanexus recommends a 25-character password that does not contain words found in dictionaries. We also don’t use names, birthdays, or anniversary dates, because these can be easily found on social media. On top of these parameters, a password should never be used for more than one service.
We understand this is cumbersome, and studies have shown that extreme password policies reduce productivity in business. So where is the middle ground between an absolutely uncrackable password for each individual login, and reality?
-
Password Managers:
There are tools on the market that create long and complex passwords for each individual login and then manage these passwords for you. LastPass and 1Password are two trusted services, and both offer browser and mobile services. The issue with these, of course, is that if an attacker social engineers or guesses the password to your password manager, they have access to all of your passwords. However, with a strong password protecting the service itself, this is a very secure option.
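To make the 25-character recommendation concrete, here is an added example (not code from the original post, and not LastPass's or 1Password's implementation) of what a password manager's generator does: it draws every character from the operating system's cryptographic random source, rejects candidates that contain a dictionary word, and reports how much entropy the result carries. The word list `COMMON_WORDS` and the 94-symbol alphabet are assumptions for the demo; a real manager would load a full dictionary.

```python
import math
import secrets
import string

# Constructed stand-in for a dictionary; a real generator would load a word list
# such as /usr/share/dict/words (assumption for this demo).
COMMON_WORDS = {"password", "welcome", "dayton", "summer", "letmein"}

# Printable ASCII minus space: 26 + 26 + 10 + 32 = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(length, alphabet_size):
    """Entropy in bits of a uniformly random password of `length` symbols."""
    return length * math.log2(alphabet_size)


def guess_time_seconds(bits, guesses_per_second):
    """Worst-case time to exhaust a keyspace of `bits` bits at the given guess rate."""
    return (2 ** bits) / guesses_per_second


def contains_dictionary_word(password, words=COMMON_WORDS, min_len=4):
    """True if any dictionary word of at least `min_len` letters appears (case-insensitive)."""
    lowered = password.lower()
    return any(len(w) >= min_len and w in lowered for w in words)


def is_acceptable(password, min_length=25, words=COMMON_WORDS):
    """Policy check matching the post: 25+ characters and no dictionary words."""
    return len(password) >= min_length and not contains_dictionary_word(password, words)


def generate_password(length=25, alphabet=ALPHABET):
    """Generate a password from the OS CSPRNG (secrets), rejecting any that fails the policy.

    secrets.choice is used instead of random.choice because the latter is a
    predictable PRNG and unsuitable for credentials.
    """
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if is_acceptable(candidate, length, COMMON_WORDS):
            return candidate


if __name__ == "__main__":
    pw = generate_password()
    bits = entropy_bits(len(pw), len(ALPHABET))
    print(f"generated: {pw}")
    print(f"entropy:   {bits:.1f} bits")
    # Assumed attacker rate of 1e10 guesses/s (offline cracking against a fast hash).
    print(f"worst-case exhaustive search at 1e10 guesses/s: {guess_time_seconds(bits, 1e10):.3e} s")
```

The entropy figure is what separates "25 random characters" from "25 characters that include your dog's name": the generator's output sits near 164 bits, while a password built from a few dictionary words and a date has a keyspace the attacker can enumerate instead of the full alphabet.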
-
Password Reuse:
At the very least, a user should not use the same passwords for personal logins as they do for business logins. Of course, the business has no way of checking this, but it should be outlined strongly in the orientation material as well as in the annual security awareness training. As we always say, your users can be your biggest asset or your biggest liability. Password reuse is a point that needs continual emphasis.
-
Stolen Passwords:
The dark web already knows what your MySpace password was. Find out which of the passwords you use have been compromised and stop using them. Google Password Checkup is a trusted resource. Financial companies are starting to notify users of known compromised passwords as well. We know many people are not going to come up with a stellar 25-character password for that jogging site they’re checking out, but be aware of which passwords are compromised, and don’t use them at work.
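A natural worry about any "is my password compromised?" service is that you have to tell it your password. The added example below (not from the original post) shows the k-anonymity range-query design that public breach-check APIs such as Have I Been Pwned's Pwned Passwords use to avoid that: the client sends only the first five hex characters of the password's SHA-1 hash, the server returns every known suffix under that prefix, and the match is made locally. Google Password Checkup uses a different, private-set-intersection protocol, so this is an illustration of the idea, not its implementation. The `BREACHED_PASSWORDS` corpus and the `BreachIndex` server are constructed for the demo.

```python
import hashlib
from collections import defaultdict

# Constructed breach corpus for the demo; a real service holds hundreds of
# millions of entries with how often each was seen.
BREACHED_PASSWORDS = ["password", "123456", "qwerty", "letmein", "summer2019", "password"]


def sha1_hex(password):
    """Upper-case hex SHA-1 of the UTF-8 password (the hash these range APIs are keyed on)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class BreachIndex:
    """Toy breach server: 5-hex-char hash prefix -> {35-char hash suffix: times seen}."""

    def __init__(self, passwords):
        self.by_prefix = defaultdict(dict)
        for pw in passwords:
            h = sha1_hex(pw)
            bucket = self.by_prefix[h[:5]]
            bucket[h[5:]] = bucket.get(h[5:], 0) + 1

    def range_query(self, prefix):
        """The only thing the server ever learns: a 20-bit prefix shared by many passwords."""
        if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
            raise ValueError("prefix must be 5 upper-case hex characters")
        return dict(self.by_prefix.get(prefix, {}))


def check_password(password, index):
    """Client side. Returns (times_seen, prefix_sent); times_seen == 0 means not found.

    Only `prefix_sent` ever leaves the client; the suffix comparison happens locally.
    """
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    candidates = index.range_query(prefix)
    return candidates.get(suffix, 0), prefix


if __name__ == "__main__":
    index = BreachIndex(BREACHED_PASSWORDS)
    for pw in ["password", "Xq7#kL9$pW2!mN4&vB6*zC8%R"]:
        seen, sent = check_password(pw, index)
        verdict = f"seen {seen} time(s) in breaches" if seen else "not found"
        print(f"{pw!r}: {verdict} (server saw only prefix {sent})")
```

The defensive point for an IT team is the same whichever service you recommend to users: a reputable checkup never receives the plaintext password, so pointing staff at one does not create a new place for credentials to leak.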
-
Multi-Factor Authentication:
Many of the more critical services, like financial or system logins, now offer Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA). We did a whole blog post on this topic, which you can read Here, but the long and the short of it is: if the service offers it, use it. SMS authentication is not without flaws, but it is still better than a password alone. Authenticator apps like Google Authenticator are better but have not been adopted by all businesses yet.
Passwords are not perfect, but they are also not going away. Password security involves making users aware of the risks that are out there and continuing to stress best practices. Continued education and annual security awareness training are the best defense against password compromise.
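For readers who want to see why an authenticator app is stronger than a static password, here is an added example (not from the original post, and not Google Authenticator's own code) of the TOTP algorithm those apps implement, as specified in RFC 6238 on top of RFC 4226 HOTP: the phone and the server share a secret, both derive a code from HMAC(secret, current 30-second step), and the server accepts a small window of neighbouring steps to tolerate clock drift. The `RFC_SECRET` below is the published test-vector secret from RFC 6238, so the codes it produces can be checked against the RFC; `provisioning_secret` generates a fresh Base32 secret of the kind an enrolment QR code carries.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

# Published RFC 4226 / RFC 6238 test-vector secret (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks the window
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step). `at` overrides the clock for tests."""
    t = int(time.time()) if at is None else at
    return hotp(secret, t // step, digits)


def verify_totp(secret, code, at=None, step=30, digits=6, window=1):
    """Server side: accept the current step and +/- `window` adjacent steps; constant-time compare.

    A real server would additionally record the accepted step and refuse to
    accept the same code twice within the window (replay protection).
    """
    t = int(time.time()) if at is None else at
    return any(
        hmac.compare_digest(totp(secret, t + k * step, step, digits), code)
        for k in range(-window, window + 1)
    )


def provisioning_secret(nbytes=20):
    """Base32 secret as embedded in otpauth:// URIs; RFC 6238 recommends 160 bits for SHA-1."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii").rstrip("=")


def decode_secret(b32):
    """Inverse of provisioning_secret, tolerating stripped padding and lower case."""
    padded = b32.upper() + "=" * (-len(b32) % 8)
    return base64.b32decode(padded)


if __name__ == "__main__":
    # RFC 6238 Appendix B: at time 59 the 8-digit SHA-1 code is 94287082.
    print("RFC vector (t=59, 8 digits):", totp(RFC_SECRET, at=59, digits=8))
    shared = provisioning_secret()
    print("new enrolment secret:", shared)
    print("current code:", totp(decode_secret(shared)))
```

The property that matters for the post's argument is visible in `verify_totp`: a code is only good for about a minute and a half and is useless without the shared secret, so a code phished or shoulder-surfed today does not let anyone log in tomorrow, which is exactly what a reused static password does allow.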
Quanexus IT Support Services for Dayton and Cincinnati
Request your free network assessment today. There is no hassle, or obligation.
If you would like more information, contact us here or call 937.885.7272.
Follow us on Facebook, Twitter and LinkedIn, and stay up to date by subscribing to our email list.