Passwords are the dental floss of the internet. They take precious time to use, everyone hates them, they cause mild discomfort, and the consequence of negligence could spell doom — not immediate doom, but eventual, inevitable doom. Oh, and by the way, China knows your password! Your favorite one. The really complex one you made up 6 years ago that combines your sister’s phone number, your son’s birthday, and the exclamation point at the end. They also know your other favorite one: “Sweetie.”
Last week I gave you a tripwire you could use to foil a ransomware attacker with a strong password. Continuing the theme, this week we discuss the importance of password “hygiene.” Password hygiene covers how strong your passwords are, whether each one is unique, and how you handle them.
Compare password hygiene to dental floss hygiene – make them long, replace them when they have been exposed, and don’t share. When it comes to length, longer = stronger. In fact, length is more important than complexity, because every extra character (or word) multiplies the number of guesses an attacker must make. So, instead of a short, complex jumble of letters, numbers and symbols, the best practice is to create a passphrase.
A passphrase is a string of unrelated common words. It is easier for you to remember and harder for a computer to crack. In the example from www.xkcd.com/936/, the password Tr0ub4dor&3 (about 28 bits of entropy) is difficult to remember, yet at the comic’s assumed rate of 1,000 guesses per second it can be cracked in about 3 days. Tie four common, unrelated words together like “correct horse battery staple” (about 44 bits) and the same attacker needs about 550 years! Those absolute times assume online guessing against a site that limits attempts; an attacker cracking a stolen password database offline with GPUs can guess billions of times faster, which shrinks both figures dramatically. The ratio, and the lesson that length beats complexity, still holds, so pick more words from a large list rather than fewer from a small one.
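To put numbers on the comparison, here is an added example that is not from the column or from xkcd. It reproduces the comic’s arithmetic, shows what happens to the same passphrase against an offline attacker, and generates a passphrase the right way (with the OS cryptographic random source). The 32-word list, the two guess rates and the “fast attacker” figure are constructed assumptions for illustration, not measurements.

```python
import math
import secrets

# Constructed 32-word stand-in for a real wordlist. A real passphrase should
# draw from a large list such as the 7,776-word EFF long list; with only 32
# words each pick is worth just log2(32) = 5 bits.
SAMPLE_WORDS = [
    "apple", "bridge", "candle", "dragon", "eagle", "forest", "garden", "hammer",
    "island", "jacket", "kettle", "ladder", "marble", "needle", "orange", "pepper",
    "quartz", "rocket", "saddle", "timber", "umbrella", "velvet", "walnut", "yellow",
    "zipper", "anchor", "basket", "cactus", "dolphin", "engine", "falcon", "guitar",
]
EFF_LONG_LIST_SIZE = 7776   # size of the EFF long wordlist (five dice rolls per word)
XKCD_LIST_SIZE = 2048       # the comic credits 11 bits per word, i.e. a 2048-word list
SECONDS_PER_DAY = 86400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def entropy_bits(pool_size: int, picks: int) -> float:
    """Entropy of `picks` independent, uniform choices from `pool_size` options.

    This assumes the attacker knows the wordlist and the word count and must
    try every combination; the strength is in the count, not in secrecy.
    """
    return picks * math.log2(pool_size)


def crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Time to try the whole keyspace at a given guess rate.

    The xkcd comic counts the full keyspace; on average an attacker succeeds
    after half of it, so halve this for the expected time.
    """
    return 2.0 ** bits / guesses_per_second


def random_passphrase(words, picks: int = 6, sep: str = " ") -> str:
    """Build a passphrase with the OS CSPRNG (secrets), never random.choice.

    Repeated words are allowed: rejecting them would shrink the keyspace.
    """
    return sep.join(secrets.choice(words) for _ in range(picks))


def passphrase_entropy(passphrase: str, words, sep: str = " ") -> float:
    """Entropy of a passphrase produced by random_passphrase from `words`."""
    return entropy_bits(len(words), len(passphrase.split(sep)))


if __name__ == "__main__":
    slow = 1e3    # online guessing against a rate-limited login (the comic's rate)
    fast = 1e10   # assumed offline GPU rate against a fast, unsalted hash

    # Reproduce the comic: ~28 bits vs ~44 bits at 1,000 guesses per second.
    print(f"Tr0ub4dor&3 (28 bits): {crack_seconds(28, slow) / SECONDS_PER_DAY:.1f} days")
    four = entropy_bits(XKCD_LIST_SIZE, 4)
    print(f"4 words x 2048 ({four:.0f} bits): {crack_seconds(four, slow) / SECONDS_PER_YEAR:.0f} years")

    # The same passphrase against an offline attacker: minutes, not centuries.
    print(f"4 words x 2048 vs GPU: {crack_seconds(four, fast) / 60:.0f} minutes")

    # Six words from the EFF long list survive the fast attacker comfortably.
    six = entropy_bits(EFF_LONG_LIST_SIZE, 6)
    print(f"6 words x 7776 ({six:.1f} bits) vs GPU: {crack_seconds(six, fast) / SECONDS_PER_YEAR:.0f} years")

    phrase = random_passphrase(SAMPLE_WORDS)
    print(f"sample: {phrase!r} ({passphrase_entropy(phrase, SAMPLE_WORDS):.0f} bits from a 32-word list)")
```

Run it as a script and the first two lines reproduce the comic’s 3 days and 550 years; the third shows the four-word phrase falling in about half an hour to the assumed offline attacker, which is why six words from a real list is the usual recommendation.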
You may ask, “If I create one strong passphrase, could I use it for all my accounts and be safe?” Well, not exactly. That’s where the second part of “treat-passwords-like-dental-floss” comes in. Don’t share.
Today, you have so many accounts with passwords to remember. You have your email, company login, bank, investment, social media, gaming … the list goes on. Major breaches like those at LinkedIn and Dropbox exposed usernames (typically your email address) together with passwords. The information from these breaches eventually ends up on the Dark Web and in public credential dumps, available for any cyber-criminal to peruse.
To see if your email address appears in known breaches, you can check it at www.haveibeenpwned.com. The same site lets you check a password itself: only the first five characters of the password’s hash leave your machine, so the check does not reveal the password. A trusted advisor can offer Dark Web checks for your business domains.
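How that password check keeps your password private, as an added example that is not from the column or from Have I Been Pwned: it implements the k-anonymity range lookup the Pwned Passwords API uses (SHA-1 the password, send only the first five hex characters, match the remaining 35 locally). The sample response and its counts are constructed so the script runs offline; only the fetch_range helper, which the demo does not call, talks to the real service.

```python
import hashlib
import urllib.request
from typing import Callable

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def hibp_prefix_and_suffix(password: str):
    """Split the upper-case hex SHA-1 of the password into the 5-char prefix
    that is sent to the service and the 35-char suffix that never leaves."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(suffix: str, response_text: str) -> int:
    """Scan the 'SUFFIX:COUNT' lines of a range response for our suffix.

    Returns how many times the password appeared in breaches, 0 if absent.
    Padding lines (count 0) that the service adds on request are harmless.
    """
    wanted = suffix.upper()
    for line in response_text.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == wanted:
            return int(count)
    return 0


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Live lookup of one hash prefix (not used by the offline demo below).

    Only the prefix leaves the machine; Add-Padding hides the true response
    size from anyone watching traffic volume."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"User-Agent": "password-hygiene-demo", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    """Number of breach appearances for `password`, via an injectable fetcher."""
    prefix, suffix = hibp_prefix_and_suffix(password)
    return count_in_range_response(suffix, fetch(prefix))


# Constructed stand-in for the service: one range keyed by prefix. The middle
# line carries the real SHA-1 suffix of "password"; the other suffixes and all
# of the counts are made up for illustration.
SAMPLE_RANGES = {
    "5BAA6": (
        "1E2AAA439C4FC52B5DCE0A73C3F2C47EC98:3\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824\n"
        "1E5E6C9C5C4B7B3A3B8A19D6F0AA8C8E7A1:0\n"
    ),
}


def fake_fetch(prefix: str) -> str:
    """Offline replacement for fetch_range; unknown prefixes return no lines."""
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = breach_count(pw, fetch=fake_fetch)
        print(f"{pw!r}: {'seen %d times' % n if n else 'not in the sample data'}")
```

Swap fake_fetch for fetch_range to query the real service; the logic is identical, and the password never leaves your machine either way.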
When hackers acquire your credentials, they test them against popular websites (an attack known as credential stuffing) hoping you reused the password. Maybe you have a Wells Fargo or Merrill Lynch account with the same username and password. If they succeed, the consequences could be disastrous.
You may want to reconsider letting your browser manage your passwords. The saved-password feature of browsers is great for ease of use for you — and for a cyber-criminal. The browser does encrypt the saved passwords, but with a key that any program running under your login can use, so malware that lands on your machine can decrypt and export every one of them, and the browser will display them in plain text to anyone who sits down at your unlocked computer.
Since there are so many long passwords to remember, using a password manager can ease your password woes. A password manager can generate, encrypt, store, and autofill your passwords for multiple accounts and make it harder for hackers to get them, leaving you one strong master passphrase to remember (protect that one, and the manager itself, with multi-factor authentication). A manager’s autofill also protects you from social engineering attacks that use a cloned website: it fills a saved password only on the exact site it was saved for, so a lookalike address gets nothing. Some recommended free managers are Apple Keychain, Bitwarden and KeePass.
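Why autofill foils a cloned site, as an added example that is not code from the column or from any of the managers named: a manager binds each saved password to the origin (scheme, host and port) it was saved on and fills only on an exact match, whereas a person glancing at the address bar matches on the bank’s name appearing somewhere in it. The URLs, including the “bank.example” site and the lookalike domain, are constructed.

```python
from urllib.parse import urlsplit

# Constructed entries: what a manager saved, and pages it is later asked to fill.
SAVED_LOGIN_URL = "https://www.bank.example/login"
REAL_ACCOUNT_PAGE = "https://www.bank.example/account/settings"
LOOKALIKE_PAGE = "https://www.bank.example.login-verify.test/login"   # phishing clone
DOWNGRADED_PAGE = "http://www.bank.example/login"                     # same host, no TLS


def origin(url: str):
    """(scheme, host, port) of a URL, the unit browsers and managers bind to."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not a web origin: {url!r}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme, parts.hostname, port)   # hostname is already lower-cased


def naive_match(saved_url: str, page_url: str) -> bool:
    """The human mistake: 'the bank's name is in the address, so it is the bank'.

    A clone at bank.example.login-verify.test passes this test."""
    return urlsplit(saved_url).hostname in urlsplit(page_url).hostname


def should_autofill(saved_url: str, page_url: str) -> bool:
    """Fill only when the whole origin matches: same scheme, host and port."""
    return origin(saved_url) == origin(page_url)


if __name__ == "__main__":
    for page in (REAL_ACCOUNT_PAGE, LOOKALIKE_PAGE, DOWNGRADED_PAGE):
        print(f"{page}\n  human-style match: {naive_match(SAVED_LOGIN_URL, page)}"
              f"\n  manager autofill:  {should_autofill(SAVED_LOGIN_URL, page)}")
```

The second page is the cloned site: the name-based check accepts it, the origin check does not. The third shows the same refusal for a plain-HTTP copy of the real host, where the password would cross the network unencrypted.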
You may hate to floss. You may hate password hygiene. But until there is something better, consider the consequences.
Thomas Jewkes is an Assistant Professor of Practice in the Cyber Operations program at the University of Arizona College of Applied Science and Technology (CAST) in Sierra Vista, and founder of cybereyeaw.com.