Do you use the same password for every website you visit? That practice is convenient, quick, and easy to remember. However, convenience, speed, and ease of operations conflict with information security.

For decades now, passwords have been a component of information security. Passwords are supposed to protect user accounts, but on their own they have repeatedly proven inadequate. Garnet River’s security experts stress that, as a society, we need to move from passwords to multi-factor authentication (MFA) because no single form of authentication is adequate. There needs to be a cultural shift away from passwords as the sole guardians of our online accounts.

The information security industry recommends at least two of these authentication factors:

  • Something you have (such as a mobile phone or smart card)
  • Something you know (such as answers to security questions or a password)
  • Something you are (such as your fingerprint or retina scan)
  • Somewhere you are (such as your GPS location)

For example, the answer to a personal security question and a cell phone, which can receive a one-time PIN by SMS, are two factors of authentication. A biometric, such as your fingerprint or facial scan, and your GPS location would also serve as two factors. Combine more factors to meet higher security requirements.

The use of multi-factor authentication prevents replay attacks, foils line sniffing, and eliminates the possibility of shared accounts.

MFA also relaxes the standards for password length and complexity because the second (or third) factor provides additional security. The federal government recommends the use of the PIV2 card (Personal Identity Verification) for the second factor. The U.S. military uses the Common Access Card (CAC), and government contractors can use the Personal Identity Verification-Interoperable (PIV-I) card.

Go Passwordless

For organizations looking to reduce the customer-support overhead of password resets and to provide a secure yet simple alternative to passwords, consider Garnet River’s Passwordless Login solution.

Organizations can replace passwords entirely with a passwordless, one-step login system that transforms your login page and eases access for your users.

  • No more forgotten passwords.
  • No need to think of a complex password.
  • No more password sharing.
  • No password to phish.
  • Reduce IT support cost on password management.

Ask us how we can integrate the Passwordless Login solution with your system and help your business.

Until that paradigm shift comes, you will likely be prompted to use passwords on many outside websites and apps. Poorly constructed passwords can compromise systems and your company’s network. Therefore, if you must use passwords, here are some recommendations.

Use the maximum password length allowed and use all available characters

If a site or an app suggests that you create a password with “up to 12 characters”, then use 12. Not that long ago, six-character and eight-character passwords sufficed. However, password-cracking tools have raised the standard. Strong passwords should contain:

  • At least ten (10) alphanumeric characters;
  • Both uppercase and lowercase letters;
  • At least one number (for example, 0-9);
  • At least one special character (for example: !$%^&*()_+|~-=\`{}[]:";'<>?,/).

These guidelines combine to add complexity to the final product, which slows brute-force password-cracking attempts. For example, a nine-character password with one number and eight lowercase letters would take a computer less than an hour to crack, but a 10-character password with two numbers, one uppercase letter, six lowercase letters and a special character would take a computer about six years to crack. There are websites where you can test sample passwords to compare complexity, but we recommend against entering your own real passwords.

Use a password manager for all your devices

PC Magazine and CNET have rated what they consider the best password managers on the market. A vault encrypted under a master password and protected by multi-factor authentication keeps your user profiles for all your sites in one place, so that you can reach them from desktop, laptop, tablet, and mobile devices without having to remember your passwords. The password manager you choose can also generate random passwords for you.

Create your own password database

If a third-party password manager makes you suspicious, you can create your own password database, preferably using open-source software, then encrypt it and sync it to your own cloud storage (Box, Dropbox, OneDrive, Google Drive, etc.) for access on all your devices.

Do not use words found in any dictionary

Criminals use automated programs that run entire dictionaries against your password in practically no time. Once they have cracked your password, they can gain access to your organization’s information. Criminals also know that you substitute numbers for letters, so “passw0rd” is treated the same as “password” because the zero is a variation of “o”.

You would think that it is common sense not to use simple passwords. Despite the constant warnings about selecting easy-to-guess passwords, people still use them. CNET, USA Today and other organizations have reported that SplashData, which annually publishes a list of the 100 most common passwords, includes these in its top 20:

  • 123456
  • football
  • Iloveyou
  • admin
  • starwars
  • password1

Change your passwords frequently and always after a breach

Experts at Garnet River recommend changing your passwords every 45 to 90 days and after publicized data breaches. Changing your passwords often increases your security, and changing them after a data breach is wise because your passwords could be caught in the net of passwords that criminals stole from large organizations. If you use the same password for multiple sites, the information the criminals stole from you acts like a master key.

Never use the same password to access another system

This tip goes back to the original message about convenience vs. security. We have all done it. We created a password several years ago that looked secure at the time. As we created new profiles on Amazon, with our bank, with our credit card company, and for our 18th email address, we reused the same password.

Using the same password for multiple accounts increases your risk because a breach of a single account potentially leads to the breach of all of your accounts. When a hacker knows your username and password on one service, he or she will try the same login information on other services.

Also, do not use the same password for your work computer and your home computer. This is a security risk for both yourself and your organization.

Do not enter your credentials on a website based on a link in an email

This is classic phishing. If you open emails, links, or attachments from strangers and then click a link to a website where you enter your credentials, bad actors can gain access to your accounts. They can also change your password to lock you out, start using the account as their own, and sell your info to other bad actors. According to Inspired eLearning, more than 90% of advanced cyberattacks begin with email, and the most popular type of phishing email requests the user to update a password.

Do not give your password to anyone, including your IT administrators

Your workplace administrators do not need your login information because they already have access to your account info. Do not share your usernames, passwords, or other computer/web access codes with anyone.

Use a passphrase instead of a password

A passphrase is like a password, but it is longer and constructed from multiple words. Strong passphrases should follow password construction standards (uppercase and lowercase letters, numbers, and special characters). For example, MyFavoritePlayerWears#76!
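The construction rules above, the "passw0rd" substitution point from the dictionary section, and the SplashData entries quoted earlier can be combined into one policy check. The following is an added example written for this article, not Garnet River's code: the word list and common-password set are small constructed stand-ins for the real lists a deployment would load, and the substitution table is a hypothetical subset of the rewrite rules cracking tools apply.

```python
import re
import string

# Policy from the article: at least 10 characters, upper and lower case,
# at least one digit and at least one special character.
MIN_LENGTH = 10
SPECIALS = set(string.punctuation)

# Constructed stand-in for the SplashData top-20 entries quoted in the article.
COMMON_PASSWORDS = {"123456", "football", "iloveyou", "admin", "starwars", "password1"}

# Constructed mini-dictionary; a real check would load a full word list.
DICTIONARY = {"password", "football", "starwars", "admin", "welcome", "dragon"}

# Hypothetical subset of the digit/symbol substitutions that cracking rules undo
# ("passw0rd" -> "password").
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(password):
    """Lowercase, drop trailing digits/symbols, then undo leet substitutions,
    the way a cracker's rule set reduces 'P@ssw0rd!' back to 'password'."""
    base = re.sub(r"[^a-z]+$", "", password.lower())
    return base.translate(LEET_MAP)


def check_password(password):
    """Return the list of policy violations; an empty list means the
    password satisfies the article's construction rules."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("in common-password list")
    if normalize(password) in DICTIONARY:
        problems.append("dictionary word after undoing substitutions")
    return problems


if __name__ == "__main__":
    for candidate in ("passw0rd", "Football2024!", "MyFavoritePlayerWears#76!"):
        print(candidate, "->", check_password(candidate) or "OK")
```

Note that "Football2024!" satisfies every character-class rule yet is still rejected, because stripping the trailing digits and symbol leaves a dictionary word, which is exactly the pattern the article warns about.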