by Loïc Calvez, Co-Founder + CEO, ALCiT
With some of the recent events in the news (CRA anyone?), it appears that a refresher on password best practices is in order. First, let's state the obvious: passwords suck; they are an ill-adapted solution to a very complicated problem (asserting identity). The good news: better options exist, and they are getting better every day.
Side note for businesses: no matter how good your password policy is, users will find a way (voluntarily or not) to create weak passwords. When we perform password audits, we can usually crack (recover from their hashes) 5-10% of passwords within hours. So yes, this applies to you too. (More reading about password strength and cracking can be found here.) So keep reading.
Some myth busting:
Myth #1: I use a super strong password, so I can use it everywhere: false. Password re-use is probably the biggest issue of all (or at least tied for #1 with very bad passwords such as 123456). What happens: some random website gets compromised (PWN3D for the cool kids out there), the attacker gets the list of logins and passwords and replays them against every other web property they want to attack (this is called credential stuffing, and it is fully automated). So, if you have the same password in two places, they now have access to two of your profiles, and so on.
Myth #2: You should never write down passwords: false. I am going to be a bit controversial here, but yes, in many cases, having a very strong, unique password that you write down in your little secret handbook is not that bad of a solution. To be clear, I am not suggesting writing your password on a Post-it and sticking it to the side of your screen in an open-plan office. Remember what you are protecting against: thousands (millions?) of attackers trying to get into your account from the comfort of their lair, so a handbook locked in your office drawer is pretty effective against that. Proposed upgrade A: use an encrypted spreadsheet; you only have to remember one password and the others are protected. Proposed upgrade B: use a password manager such as LastPass or Dashlane (caveat emptor, your mileage may vary) to generate and manage strong passwords on your behalf.
So what is the real solution?
The future is looking good: the "passwordless" world is becoming real, and some good options are starting to emerge for limited applications. The best solution for today that works mostly everywhere: "Multi-Factor Authentication", which really means using multiple (at least two) ways to confirm you are YOU (more here). The two most common ones today are "password + authenticator app" and "password + text message". Both combine "something you know" (the password) with "something you have" (a smartphone). If someone only has your password they cannot get in, and if they only have your phone they cannot get in; they need both. If you have a choice, you should use the authenticator app (like Microsoft Authenticator or Google Authenticator) over text messages, but that's a discussion for another day.
Step One: Activate Multi-Factor Authentication (MFA) on all your important accounts: bank, email (do this one first, since password resets for everything else land there), utilities… Then activate it everywhere else that holds personal information about you: social media, loyalty programs… If any service you use contains important information about you and does not offer MFA, you should strongly consider deleting your profile and taking your patronage somewhere else.
Step Two: And of course, make all those passwords unique. They do not have to be completely different (ideally, they should be), but different enough that if one of your passwords is compromised, it cannot be used to gain access to another of your accounts. "Summer2023!" and "Summer2024!" are not different enough: attackers try such variations automatically. (Your accounts will now be protected by MFA since you followed Step One, but it is still better to avoid the risk of someone holding one of your factors.)
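As an added example (not from the original post) of why "unique" means more than a changed digit, the Python below applies the kind of cheap mangling rules that credential-stuffing and cracking tools use (case changes, leet substitutions, appended numbers, years and punctuation) to one leaked password and checks whether the resulting candidates reach the passwords on other accounts. The rule set is my own representative subset, not any specific tool's; the account list is constructed, and unsalted SHA-256 stands in for whatever the sites store, the way an auditor who holds only hashes (as in the password audits mentioned earlier) would run it.

```python
import hashlib
import re
from typing import Optional

# Letter swaps that cracking rule sets commonly try (assumption: a small subset).
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})


def sha256_hex(password: str) -> str:
    """Stand-in for a site's stored hash (real sites should use a salted, slow hash)."""
    return hashlib.sha256(password.encode()).hexdigest()


def stem_of(password: str) -> str:
    """Strip the trailing digits and punctuation people rotate: 'Summer2023!' -> 'Summer'."""
    return re.sub(r"[\d\W_]+$", "", password)


def mangle(leaked: str, years=range(1990, 2031)) -> set:
    """Generate the variants a credential-stuffing run would try from one leaked password."""
    stem = stem_of(leaked)
    casings = {stem, stem.lower(), stem.upper(), stem.capitalize(), stem.swapcase()}
    casings |= {c.translate(LEET) for c in list(casings)}
    numbers = [""] + [str(n) for n in range(100)] + [str(y) for y in years]
    suffixes = ["", "!", "?", "#", "!!", "1!"]
    candidates = {leaked}
    for casing in casings:
        for number in numbers:
            for suffix in suffixes:
                candidates.add(casing + number + suffix)
    return candidates


def reuse_exposure(leaked: str, account_hashes: dict) -> dict:
    """For each account, return the variant of the leaked password whose hash matches
    the stored hash, or None if cheap mangling does not reach it."""
    lookup = {sha256_hex(c): c for c in mangle(leaked)}
    return {site: lookup.get(h) for site, h in account_hashes.items()}


if __name__ == "__main__":
    # Constructed sample: one leaked password and what the same person uses elsewhere.
    leaked = "Summer2023!"
    accounts = {
        "forum (breached)": sha256_hex("Summer2023!"),
        "bank": sha256_hex("Summer2024!"),
        "email": sha256_hex("summer2023"),
        "wifi": sha256_hex("$umm3r2023!"),
        "shop": sha256_hex("correct horse battery staple"),
    }
    for site, hit in reuse_exposure(leaked, accounts).items():
        print(f"{site:18} {'EXPOSED via ' + hit if hit else 'not reached'}")
```

Running it shows the bank, email and wifi passwords falling to a few thousand guesses derived from the single forum leak, while the unrelated passphrase is not reached; that gap is what "different enough" has to mean, and it is why a password manager generating unrelated random strings is the easier path.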
Thanks for your time and stay Cybersecure!