Password advice

Don't Reuse Passwords - Even if your organization has not been breached, password reuse puts it at risk. Cyber criminals know that a password which has been used once is likely to turn up again elsewhere. With a solid cracking dictionary, the cyber criminal never needs to resort to brute-force guessing, and hashed passwords become only an inconvenience. Cracking dictionaries and rainbow tables are commonly shared among cyber criminals.

Don't use commonly used passwords - Require every new password to be checked against a “blacklist” that can include repetitive or sequential strings, variations on the site name and the passwords hackers are most likely to guess.

Don't use compromised passwords - Make sure that the sites holding your online accounts check your credentials against lists of compromised credentials, so that you are not using or creating a password that is already known to cyber criminals. Screening passwords against lists of commonly used or compromised passwords is one of the best ways to ratchet up the strength of your passwords. No site should allow the use of known, compromised credentials.
  1. It closes a glaring gap which otherwise leaves your password layer completely open to credentials exposed in third-party breaches.
  2. It ensures that your passwords are unique enough to not be reversible using cyber criminal cracking dictionaries.
Increase password length & simplicity - Keep passwords simple, long and memorable, since longer passwords are harder for hackers to break. We are really bad at choosing random passwords, so the longer the better. Length matters a lot more than complexity, which is why new guidelines call for a strict 8-character minimum and even suggest raising the maximum allowed length to at least 64.
  • Phrases, lowercase letters and typical English words work well. Experts no longer suggest requiring special characters and a mix of lower- and uppercase letters. If you can picture it in your head, and no one else could, that's a good password.
  • Longer passwords are harder for hackers to break.
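The checks described in the sections above (a blocklist of common passwords, repetitive or sequential strings, variations on the site name, screening against compromised credentials, and the 8-to-64-character length guidance) combined into one validator. This is an added example, not code from the page: the blocklist and the breach corpus are tiny constructed samples, and `range_lookup` imitates the prefix-based (k-anonymity) range query that public breached-password services use, so only the first five characters of the hash would ever leave the client.

```python
import hashlib
import re

MIN_LENGTH = 8    # minimum the page cites
MAX_LENGTH = 64   # sites should allow at least this many characters

# Constructed sample data, not taken from any real list: a tiny blocklist of
# common passwords and a tiny "breach corpus" of SHA-1 digests that stands in
# for a real compromised-credential feed.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("Summer2019!", "P@ssw0rd", "iloveyou1")
}

# Common letter-for-symbol substitutions, undone before comparing against the
# blocklist or the site name so that "P@ssw0rd" is treated as "password".
LEET = str.maketrans("0134578@$!", "oleastbasi")


def normalize(text):
    """Lower-case, undo leet substitutions, and drop non-alphanumerics."""
    return re.sub(r"[^a-z0-9]", "", text.lower().translate(LEET))


def has_repetition(pw, run=4):
    """True if any single character repeats `run` or more times in a row."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def has_sequence(pw, run=4):
    """True if `run` consecutive characters step up or down by one ("abcd", "4321")."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def range_lookup(prefix):
    """Stand-in for a k-anonymity range query against a breach corpus: the
    caller sends only the first five hex characters of the SHA-1 and gets back
    every matching suffix, so the full hash never leaves the client."""
    return {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}


def is_breached(pw):
    digest = hashlib.sha1(pw.encode()).hexdigest().upper()
    return digest[5:] in range_lookup(digest[:5])


def check_password(pw, site_name):
    """Return the list of policy failures for `pw`; an empty list means accept."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too_short")
    if len(pw) > MAX_LENGTH:
        problems.append("too_long")
    if normalize(pw) in COMMON_PASSWORDS:
        problems.append("common")
    if has_repetition(pw):
        problems.append("repetition")
    if has_sequence(pw):
        problems.append("sequence")
    site = normalize(site_name)
    if site and site in normalize(pw):
        problems.append("site_name")
    if is_breached(pw):
        problems.append("breached")
    return problems


if __name__ == "__main__":
    for candidate in ("correct horse battery staple", "P@ssw0rd", "abcd1234",
                      "Ex@mpleB4nk2024", "aaaa1111", "short"):
        verdict = check_password(candidate, "ExampleBank") or "accepted"
        print(f"{candidate!r}: {verdict}")
```

The order of the checks matters only for the report; a real deployment would run the breach lookup last because it is the only check that needs a network round trip, and would reject on the first failure rather than listing them all.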
TFA - Two-Factor Authentication - Two-factor authentication adds a second level of authentication to an account log-in. When you have to enter only your username and one password, that's considered single-factor authentication. 2FA requires the user to present two out of three types of credentials before being able to access an account.

MFA - Multi-factor Authentication - For some accounts, passwords are not enough. To make sure you are properly protected, multi-factor authentication is the way to go.  A verification that requires you to demonstrate at least two of “something you know” (like a password), “something you have” (like a phone), and “something you are” (like a fingerprint) drastically decreases the probability of a successful hack.

More Tips for Making Your Password Safer:

  • Use different passwords for every account that you have. Don't use the same password or user name again. Many online stores and even some information-based web sites require that you register to use their service, and that requires having a user name and password. No matter how easy it seems to have one user name and password for all your Internet accounts, don't do it. If you desire convenience, create one password and user name combination that you use for all your non-bank accounts. If an online store, or any web site, sends you an email confirmation that contains a new password, log in again and change your password immediately.
  • Create a different password for your financial institution. Remember, many web sites don't have the security your online financial institution does. Don't allow your password to inadvertently be revealed or misused.
  • Log off each time if using a public device or if people are around who can see your password.
  • Make sure that no one is watching you enter a password.
  • Try not to enter passwords into public computers, such as at the library. These often have malware on them that steal passwords.
  • Use security software and update it regularly.
  • Do not give your password to anyone. Though you might trust them now, there is no guarantee that they will always have your best interest in mind.
  • Avoid entering any password into a device when connected to an unsecured Wi-Fi connection, such as at a coffee shop or airport.
  • Use a minimum of eight characters and mix up numbers, letters, and symbols in the password.
  • Don't save the password on your computer.  Many modern browsers allow you to save passwords on the computer's hard drive and have them come up as you type in your username. It may be convenient, but you allow anyone with access to your computer, whether for a couple of minutes or hours, the ability to access your account. It may never happen, but don't make it easy for your account to be accessed.
  • Choosing a good password is an important part of lowering the risk of becoming a victim of cybercrime. The following guidelines should help you when choosing passwords for your online accounts.


This site, HowSecureIsMyPassword.net, will tell you how strong your passwords are.

Use a Password Manager

The best way to deal with password management is to make the small investment in a password management service that stores your passwords both in the cloud and on your computer. A password manager helps you easily create, store and recall passwords, which makes it easier to employ strong passwords across an ever-increasing number of accounts, websites and services. Many of them are both a website and an app, so you have access to all your passwords regardless of what device you're on.

The best thing about these is that you only have to remember one master password, which gives you access to the rest of your passwords. Most include a password generator that creates long, random passwords that are impractical to crack. You also won't have to remember these passwords because they are all stored in the manager.

Using these password management tools is extremely easy, and you will never again take the chance of forgetting a password. You can log into any internet site with a single click of the mouse. These programs automatically sync your password data, so you can access it from anywhere whenever you need it. They are safer than going without one, and they help protect you from online fraud, phishing scams and malware. They are also extremely secure: all of your data is encrypted locally on your PC, and only you have the key to unlock it.

Make sure that you are selecting a reputable product. There are a few popular password managers to choose from, including Dashlane, 1Password, RoboForm, True Key, Keeper, Sticky Password, LastPass and Zoho Vault.

Because most password managers sync your information in the “cloud” (online), you’ll have access to everything, regardless of the device you’re logging in to. Therefore, if you add a new password on your smartphone, and then sit down at your desktop computer later, you'll find that everything has been synchronized.

How secure are they?

For each website or app password you keep, you can choose to require the master password only or a master password and a PIN code or fingerprint (on a mobile phone or tablet) for “two-factor authentication.”

But what if your phone, tablet or laptop is lost or stolen? Can't someone access all your passwords if they figure out your "master password"? You need not worry about this, as your device has to be unlocked first (a person would first need to know your PIN or device password) and would then have to guess your master password too, which is highly unlikely. And since you can log on to your password manager from virtually any device, you can log in from another machine and change your master password, just in case.
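What a password manager does with the master password and with its generator, as an added example that is not any product's code. Strong passwords and passphrases are drawn from the `secrets` module (never `random`), strength is reported as entropy bits, which is why 16 random lowercase letters beat 8 characters from the full keyboard, and the master password itself is never stored: it is stretched with a salted, memory-hard KDF (scrypt) into the key that would encrypt the vault, and unlocking compares a key-check value in constant time. The word list and the KDF parameters are constructed assumptions.

```python
import hashlib
import hmac
import math
import secrets
import string

# Constructed stand-in for a diceware-style word list (an assumption; real
# lists have a few thousand words, e.g. 7776 for about 12.9 bits per word).
WORDS = ["apple", "banana", "cactus", "dragon", "eagle", "falcon", "garden",
         "harbor", "island", "jungle", "kettle", "lantern", "meadow", "nectar",
         "orbit", "piano"]
SYMBOLS = string.ascii_letters + string.digits + string.punctuation  # 94 chars


def entropy_bits(alphabet_size, length):
    """Guessing work for a uniformly random choice: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def generate_password(length=20, alphabet=SYMBOLS):
    """Random password from a cryptographic source; `random` would be guessable."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words=5, wordlist=WORDS):
    """Random passphrase: long and memorable, the style the page recommends."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


# Vault protection. The master password is never written anywhere. A slow,
# salted, memory-hard KDF (scrypt) turns it into the 256-bit key that would
# encrypt the vault, so a thief holding the vault file pays the KDF cost for
# every guess. The parameters are an assumption chosen for illustration.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def derive_vault_key(master_password, salt):
    return hashlib.scrypt(master_password.encode(), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def create_vault_header(master_password):
    """Salt plus a key-check value, so a wrong master password is detected
    without storing either the password or the key."""
    salt = secrets.token_bytes(16)
    key = derive_vault_key(master_password, salt)
    check = hmac.new(key, b"vault-key-check", hashlib.sha256).digest()
    return {"salt": salt, "check": check}


def unlock(header, master_password):
    """Return the vault key if the master password is right, otherwise None."""
    key = derive_vault_key(master_password, header["salt"])
    check = hmac.new(key, b"vault-key-check", hashlib.sha256).digest()
    return key if hmac.compare_digest(check, header["check"]) else None


if __name__ == "__main__":
    print("password  :", generate_password(),
          f"({entropy_bits(len(SYMBOLS), 20):.0f} bits)")
    print("passphrase:", generate_passphrase(),
          f"({entropy_bits(len(WORDS), 5):.0f} bits with this toy list)")
    print("8 chars from 94 symbols:", round(entropy_bits(94, 8), 1), "bits")
    print("16 lowercase letters   :", round(entropy_bits(26, 16), 1), "bits")
    header = create_vault_header("correct horse battery staple")
    print("right master password :", unlock(header, "correct horse battery staple") is not None)
    print("wrong master password :", unlock(header, "hunter2") is not None)
```

The key-check value is what lets the manager tell you "wrong master password" instantly without ever keeping the password; the same derived key is what the manager would hand to AES-256 to encrypt the vault contents.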

Not only do password managers let you keep your existing passwords, but you can also lean on the app or site to create a tougher password, if desired. Passwords are protected in transit with Secure Sockets Layer (SSL/TLS) and stored encrypted with AES-256, the strongest grade of encryption available (banks use 128- or 256-bit encryption).

Password managers may offer these additional features:

  • Some aren’t just for filling out online passwords but can also help populate other tedious online forms, such as billing or address information.
  • Since this is a privately accessed app or website, you can often keep sensitive or important information — like notes, photos and other files — safe and easily accessible.
  • A few of these password managers can also scan the internet (including the “dark web”) for leaked or stolen personal data, and will alert you the moment your information is detected where it shouldn’t be.
  • Some password managers double as a VPN, or virtual private network, which helps you remain anonymous while browsing the internet. Using a VPN hides your online activity from your ISP, search engines, advertisers, social media platforms, the government and cyber-snooping criminals.
  • A few of these password managers can also hold a list of emergency contacts, in the event you need to provide a friend or family member access to your accounts — or if you pass away and want to leave these passwords to a trusted family member or friend.

Here’s what to look for in a password manager:

  • One that can sync across multiple PCs and multiple browsers.
  • Has a smartphone app that syncs with the cloud.

Risks:

  • The security of password managers is almost a nonissue at this point, as most of them use levels of encryption that are extremely difficult to crack.
  • The real vulnerability that you will experience when using a password manager is with your personal computer and any malware that can take a screenshot or keystrokes. Make sure that you are running virus scans and update your antivirus software to prevent infections.
  • Another thing you can do is use the onscreen keyboard to enter passwords instead of the physical keyboard. This helps you avoid keystroke logging.