Passwords are used to protect sensitive online data, including medical records, bank accounts, legal information, and more. Despite the importance of passwords, however, many online users neglect to follow best practices for passwords, putting them – and their companies – at risk for a data breach. As a result, 60 percent of data breaches in 2018 involved weak or stolen passwords, according to the 2019 Data Breach Investigations Report from Verizon.
Until online users take passwords seriously and develop secure password habits, this will remain the trend, which is why it’s important to be aware of the latest security recommendations, like those provided by the National Institute of Standards & Technology (NIST). We’ve been studying up on NIST’s recently released Digital Identity Guidelines, and have come up with the following list of do’s and don’ts for online passwords:
Don’t use complicated passwords that consist of random letters, numbers, and symbols. Not only are these passwords difficult to remember, but modern password-cracking technology is now able to bust these codes quickly and easily.
Do use passphrases, which are “memorized secrets” consisting of lyrics, words, or other text used to authenticate your identity. These are typically longer than traditional passwords, easier to remember, and much less likely to be cracked by a system. Also consider what types of data your passphrase will protect and adjust the complexity accordingly.
Don’t use the same password across multiple platforms. This is a common mistake we see, and while it may seem convenient, it actually poses a big risk to your data. If a single website is hacked that contains your information and you use the same login credentials on other platforms, the data found on those sites could be compromised as well.
Do use a reputable password manager. Choosing to store all of your passwords in an encrypted password manager will save you the hassle of having to remember your password for different sites. It’s also important to update your passwords regularly, especially those that protect sensitive data, such as online bank accounts.
Don’t store passwords in your browser. This is especially important in the workplace as someone could use your computer and easily gain access to a number of different sites or online accounts.
Do enable two-factor authentication. Unfortunately, relying solely on passwords is no longer enough in today’s threatening cyber environment. By requiring two-factor authentication, such as a password and a one-time passcode sent by SMS text message, you add an extra layer of security between you and an unauthorized user.
Don’t share passwords. In a recent survey of 1,507 U.S. adults, TechRadar found that one third (34%) said they share passwords or accounts with their coworkers. When you give your password(s) to someone else, you’re no longer in control of protecting your data.
Do screen commonly used passwords. We recommend that organizations gather all of the hashes from their company’s existing passwords and screen them against common passwords that are easily hacked. We often find that at least 30 percent of current company passwords can be compromised.
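The screening step above, and the NIST-style length and blocklist checks behind the passphrase advice earlier, can both be automated. The following Python script is an added example written for this page; it is not Asylas’s tooling and not part of NIST’s guidelines. It assumes the organization’s password export uses an unsalted hash (unsalted SHA-256 stands in for the real format here), and the common-password list and the account export are small constructed samples, not real data.

```python
import hashlib
from typing import Dict, Iterable, List, Tuple

# Constructed sample blocklist of frequently used passwords. A real
# deployment would load a much larger published list from a file.
COMMON_PASSWORDS = [
    "123456", "password", "qwerty", "letmein", "welcome1",
    "Summer2019", "Password1", "iloveyou", "admin", "abc123",
]


def hash_password(plaintext: str) -> str:
    """Unsalted SHA-256 hex digest. This is an assumption standing in for
    whatever unsalted hash format the organization's export uses; if the
    export is salted, each common password must be hashed per account
    with that account's salt instead of once globally."""
    return hashlib.sha256(plaintext.encode("utf-8")).hexdigest()


def build_blocklist(common: Iterable[str]) -> Dict[str, str]:
    """Map hash -> plaintext so a stored hash can be looked up in O(1)."""
    return {hash_password(p): p for p in common}


def screen_hashes(account_hashes: Dict[str, str],
                  blocklist: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (username, matched_common_password) for every account whose
    stored hash equals the hash of a blocklisted password."""
    hits = []
    for user, stored in account_hashes.items():
        key = stored.lower()
        if key in blocklist:
            hits.append((user, blocklist[key]))
    return hits


def weak_fraction(account_hashes: Dict[str, str],
                  blocklist: Dict[str, str]) -> float:
    """Share of accounts whose password is on the blocklist (0.0 to 1.0)."""
    if not account_hashes:
        return 0.0
    return len(screen_hashes(account_hashes, blocklist)) / len(account_hashes)


def nist_check(candidate: str, blocklist_plain: Iterable[str]) -> List[str]:
    """Checks in the spirit of NIST SP 800-63B for a newly chosen secret:
    at least 8 characters, no more than 64 accepted here, and not on the
    common-password list. No composition rules are enforced. Returns a
    list of failure reasons; an empty list means the candidate passes."""
    problems = []
    if len(candidate) < 8:
        problems.append("shorter than 8 characters")
    if len(candidate) > 64:
        problems.append("longer than 64 characters")
    # Case-insensitive comparison is a design choice here, not a NIST rule.
    if candidate.lower() in {p.lower() for p in blocklist_plain}:
        problems.append("appears on the common-password blocklist")
    return problems


# Constructed sample export: username -> stored hash.
SAMPLE_ACCOUNTS = {
    "alice": hash_password("correct horse battery staple"),
    "bob": hash_password("Password1"),
    "carol": hash_password("Summer2019"),
    "dave": hash_password("Tr0ub4dor&3"),
}

if __name__ == "__main__":
    bl = build_blocklist(COMMON_PASSWORDS)
    for user, _ in screen_hashes(SAMPLE_ACCOUNTS, bl):
        print(f"{user}: password matches an entry on the blocklist")
    print(f"weak share: {weak_fraction(SAMPLE_ACCOUNTS, bl):.0%}")
```

Run as-is the script flags bob and carol and reports a 50 percent weak share; in practice you would point `COMMON_PASSWORDS` at a large published list and `SAMPLE_ACCOUNTS` at the real export, and use the `nist_check` function at password-change time so weak choices are rejected before they are stored rather than found afterwards.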
By following these simple tips – and encouraging your employees to do the same – you’ll be able to improve your password habits and protect your sensitive data from unauthorized users.
For user awareness training on passwords, contact Asylas.