An organization’s infrastructure is only as secure as the passwords protecting it. Poor password practices make it easy for hackers to access sensitive information, which is especially damaging in the case of financial data. Strong, unique passwords are essential for any account, so most organizations have established guidelines for creating passwords. These guidelines should generally focus on making passwords easy to remember but hard to guess. The following five tips will help make your passwords more secure.
1. Use multi-factor authentication.
Multi-factor authentication (MFA) is an authentication method that requires more than one piece of evidence, or factor, to gain access to a computing resource. These factors fall into three categories: evidence, knowledge and inherence. In the MFA model, evidence is something you have, knowledge is something you know, and inherence is something you are.
2. Ensure your passwords are unique.
It’s tempting to use the same password for all of your accounts. However, this practice is insecure because a single compromised password can allow hackers to access multiple systems. This problem is clearly illustrated by the successful large-scale attacks hackers have recently performed against e-mail servers, resulting in the compromise of millions of e-mail addresses and corresponding passwords. Many of these account holders used their e-mail address and the same password for all of their accounts, resulting in the total compromise of their personal information.
3. Avoid phishing scams.
A phishing scam is a fraudulent attempt to obtain information by impersonating a trustworthy entity. This technique generally involves an attacker sending an email purporting to be from an organization that the recipient does business with. The message requests personal information in a way that seems believable to the recipient.
The most effective method of identifying a phishing scam is to review the sender’s email address and ensure the message is from the trusted party. This step requires caution because many phishing scams use addresses that are virtually identical to that of the trusted party. In some cases, the fraudulent email address uses characters that are very similar to those in the trusted party’s address.
4. Make your password a phrase.
Passwords have historically consisted of a single word, but a phrase is much harder to crack. This is particularly true when the attacker is using every possible combination of characters to guess the password, an approach commonly known as a brute force attack. Increasing the length of your password is effective against brute force attacks because this practice exponentially increases the number of character combinations. Additional best practices for using a phrase as your password include ensuring that it doesn’t appear in published literature and is grammatically incorrect.
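As an added illustration that is not part of the original article, the following Python computes how the brute-force search space and expected cracking time grow with password length, and compares a single dictionary word with a multi-word phrase; the 95-character alphabet, the 100,000-word dictionary and the 1e10 guesses-per-second rate are assumed values, not figures from the article.

```python
import math

# Assumed values, not from the original article: a 95-character printable
# ASCII alphabet and an offline cracking rate of 1e10 guesses per second.
PRINTABLE_ASCII = 95
ASSUMED_GUESS_RATE = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(charset_size: int, length: int) -> int:
    """Distinct passwords of `length` characters over a `charset_size`
    alphabet. Each added character multiplies the count by charset_size,
    which is the exponential growth the text refers to."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random password: log2 of the keyspace."""
    return length * math.log2(charset_size)


def dictionary_entropy_bits(words: int, dictionary_size: int) -> float:
    """Entropy of a passphrase of `words` words picked uniformly at random
    from a dictionary. A single-word password is the words=1 case."""
    return words * math.log2(dictionary_size)


def expected_crack_years(bits: float, guesses_per_second: float = ASSUMED_GUESS_RATE) -> float:
    """Expected brute-force time in years: on average the attacker tries
    half the space before hitting the right value."""
    return (2 ** bits) / 2 / guesses_per_second / SECONDS_PER_YEAR


def length_vs_years(charset_size: int, lengths) -> dict:
    """Map each length to its expected crack time, showing the exponential jump."""
    return {n: expected_crack_years(entropy_bits(charset_size, n)) for n in lengths}


if __name__ == "__main__":
    for n, yrs in length_vs_years(PRINTABLE_ASCII, (8, 12, 16)).items():
        print(f"{n}-char random printable ASCII: {yrs:.3g} years")
    # One dictionary word versus a four-word phrase (100,000-word list assumed).
    for words in (1, 4):
        bits = dictionary_entropy_bits(words, 100_000)
        print(f"{words}-word phrase: {bits:.1f} bits, {expected_crack_years(bits):.3g} years")
```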
5. Install a password manager.
A password manager is a service that automatically generates strong passwords and stores them for you. The service encrypts the passwords and stores them in a centralized location that the user can access with a master password. Additional features of password managers include synchronizing new passwords across multiple devices and preventing the user from using the same password for multiple accounts. Dashlane and NordPass are both popular general-purpose password managers, while RoboForm is best suited for filling out forms.
Detect compromised passwords.
A variety of sites are available to help you ascertain whether your password has been compromised. Have I Been Pwned is by far the largest site of this type, with three million subscribers and over nine billion compromised accounts. Users enter an email address to obtain the details of any data breaches involving that address. To prevent further compromise of accounts, the site doesn’t store passwords.
Password Day flickr photo by Worlds Direction shared into the public domain using Creative Commons Public Domain Dedication (CC0)