Passwords protect sensitive online data, including medical records, bank accounts, legal information and more. Despite that, many users still neglect password best practices, putting themselves and their employers at risk of a data breach. The scale of the problem is visible in Verizon’s 2017 Data Breach Investigations Report, which found that 81 percent of the hacking-related breaches it analyzed involved stolen or weak passwords.
Until users take passwords seriously and build secure habits, that trend will continue, which is why it’s worth knowing the current recommendations from the National Institute of Standards and Technology (NIST). We’ve been studying NIST’s recently released Digital Identity Guidelines (SP 800-63-3, and in particular SP 800-63B, which covers passwords and other authenticators), and have come up with the following list of do’s and don’ts for online passwords:
Do use passphrases. NIST calls passwords “memorized secrets,” and a passphrase is simply a long one built from lyrics, several words or other text you can remember. Length is what matters: a longer secret is easier for you to recall and far more expensive for an attacker to guess offline. SP 800-63B asks services to accept at least 64 characters, including spaces, and drops the old composition rules (mandatory uppercase, digits and symbols), so favor length over contortions. Also consider what the passphrase protects and make it longer and more unusual for higher-value accounts.
Don’t reuse a password across multiple sites. This is a common mistake we see, and while it seems convenient, it poses a big risk to your data. When one site is breached and its credentials leak, attackers replay the same username and password against other services (credential stuffing), so every account that shares the password is compromised with it.
Do use a reputable password manager. Storing your passwords in an encrypted password manager saves you from remembering a different password for every site, and lets the manager generate a long, random, unique password for each one. Note that NIST no longer recommends changing passwords on a fixed schedule; instead, change a password promptly when there is reason to think it was exposed, for example a breach notification, a phishing incident or use on a shared device, and prioritize those protecting sensitive data such as online bank accounts.
Don’t store passwords in your browser. This is especially important in the workplace: the browser’s saved passwords are available to anyone using your unlocked computer, and they will be autofilled into a number of different sites and online accounts.
Do enable two-factor authentication. Relying on a password alone is no longer enough in today’s threat environment. Requiring a second factor in addition to the password, such as a one-time code from an authenticator app or a hardware security key, adds an extra barrier between you and an unauthorized user. If a service only offers one-time codes by SMS text message, use them rather than nothing, but be aware that SP 800-63B classifies SMS as a “restricted” authenticator because messages can be intercepted or redirected by SIM-swap fraud, and prefer an app or hardware token where available.
Don’t share passwords. Pew Research found that 41 percent of online adults have shared the password to one of their accounts with a friend or family member. Once you give a password to someone else, you no longer control who can reach your data or how well the password is protected.
Do screen for commonly used and breached passwords. SP 800-63B requires a service to check each new password against a list of values known to be commonly used, expected or compromised, such as dictionary words, passwords from previous breaches, repetitive or sequential characters (“aaaaaaaa”, “12345678”) and context-specific words like the company or user name. We recommend that organizations also audit what is already in place: gather the hashes of existing passwords and screen them against lists of common and breached passwords. We often find that at least 30 percent of current company passwords can be compromised this way.
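The following script is an added example, not code from the original post or from Asylas, showing both halves of the screening described above: auditing a dump of existing password hashes against a blocklist (including the capitalisation and suffix variants people use to satisfy old composition rules), and the verifier-side check SP 800-63B asks for when a user picks a new password. The blocklist and hash dump are small constructed samples; the dump uses unsalted SHA-1 hex, the format of the offline Have I Been Pwned corpus, and the hash function is pluggable so an NT-hash routine can be substituted for an Active Directory audit.

```python
"""NIST SP 800-63B style memorized-secret screening (added example).

1. screen_hashes(): find which hashes in a dump match common passwords.
2. check_new_secret(): enrollment-time check on a plaintext candidate.
"""
import hashlib

# Constructed blocklist for the example; in practice use a large corpus such
# as the offline Have I Been Pwned list plus words from your own past audits.
COMMON_PASSWORDS = [
    "password", "123456", "qwerty", "letmein", "welcome",
    "summer2017", "football", "iloveyou", "admin", "changeme",
]

# Cheap variants people bolt on to satisfy composition rules; screening the
# variants catches "Password1!" when only "password" is on the list.
MANGLE_SUFFIXES = ["", "1", "12", "123", "!", "1!", "2017", "2017!"]


def sha1_hex(secret: str) -> str:
    """Unsalted SHA-1 hex digest, the format of the offline HIBP corpus.
    For an Active Directory dump substitute an NT-hash function here."""
    return hashlib.sha1(secret.encode("utf-8")).hexdigest()


def expand_blocklist(words):
    """Yield each blocklisted word plus capitalisation and suffix variants."""
    for w in words:
        for base in {w, w.capitalize(), w.upper()}:
            for suffix in MANGLE_SUFFIXES:
                yield base + suffix


def screen_hashes(hash_dump, blocklist=COMMON_PASSWORDS, hash_fn=sha1_hex):
    """Map every dumped hash that equals the hash of a blocklisted password
    (or one of its variants) to that plaintext. Hex case is normalised."""
    lookup = {hash_fn(p): p for p in expand_blocklist(blocklist)}
    hits = {}
    for h in hash_dump:
        h = h.strip().lower()
        if h in lookup:
            hits[h] = lookup[h]
    return hits


def _is_repetitive_or_sequential(secret: str) -> bool:
    """True for 'aaaaaaaa', '12345678', 'hgfedcba' and the like."""
    if len(set(secret)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(secret, secret[1:])}
    return steps <= {1} or steps <= {-1}


def check_new_secret(secret, username="", context_words=(),
                     blocklist=COMMON_PASSWORDS):
    """Verifier-side check per SP 800-63B section 5.1.1.2: at least 8
    characters, not a common/blocklisted value, not repetitive or
    sequential, not derived from the account or service name. No
    composition rules are imposed. Returns (accepted, reason)."""
    if len(secret) < 8:
        return False, "shorter than 8 characters"
    lowered = secret.lower()
    if lowered in {p.lower() for p in expand_blocklist(blocklist)}:
        return False, "appears on the common-password blocklist"
    if _is_repetitive_or_sequential(secret):
        return False, "repetitive or sequential characters"
    for word in (username, *context_words):
        if word and word.lower() in lowered:
            return False, f"contains context-specific word {word!r}"
    return True, "accepted"


if __name__ == "__main__":
    # Constructed dump: a real one is just hex strings; these are computed
    # here so the example is self-contained.
    dump = [
        "5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8",   # sha1("password")
        sha1_hex("Password1!"),
        sha1_hex("qwerty123"),
        sha1_hex("correct horse battery staple"),
    ]
    hits = screen_hashes(dump)
    print(f"{len(hits)} of {len(dump)} hashes match the blocklist:")
    for h, plain in hits.items():
        print(f"  {h}  ->  {plain}")
    for candidate in ["Password1!", "12345678", "Acme2017x", "correct horse battery staple"]:
        ok, why = check_new_secret(candidate, username="jdoe", context_words=("acme",))
        print(f"{candidate!r}: {'accepted' if ok else 'rejected, ' + why}")
```

The audit half works because the hashes in a typical dump are unsalted and fast, which is exactly why an attacker can run the same comparison; the enrollment half is what stops those weak values from getting into the directory in the first place. Run both: the audit tells you how bad the existing population is, the check keeps it from getting worse.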
By following these simple tips – and encouraging your employees to do the same – you’ll be able to improve your password habits and protect your sensitive data from unauthorized users.
Alysia Horn is operations manager at Asylas, a security, privacy and risk consulting firm based in Nashville, TN. With nearly 10 years in the computer forensics and InfoSec industry, Alysia’s experience ranges from internal fraud and HR investigations to information security monitoring and incident response. You can reach her at firstname.lastname@example.org.