Help! Logging into my applications sucks!

Yup.  We moved everything to the cloud.  We store our data there. We run our applications there. We send our customers there.  We are safer and have reduced our liability of business interruption due to a cyber attack greatly.

All we have to do is remember 8 different logins and passwords.  Oh, and best practices say that all passwords need to be different and super complex.

Here is what really happens. We use the same one or two passwords everywhere and sometimes we are lucky enough to remember what site we used what password on.  If not, we go through the “reset my password” process over and over.

Eventually, we get tired of this and create a document or a bunch of sticky notes with all the sites, usernames, and passwords and refer to it when we need to access the application we intend to work on.

The end result is we have created an unsecured document that holds the keys to the new security fortress we just created.  If the bad guys get their hands on it, we are out of luck.

Here are three things you can do to move in a safer direction:

  1. Adopt the use of complex password phrases

  2. Use Password Management Software

  3. Use 2 Factor Authentication everywhere you can

 

Complex Password Phrases:

Let’s follow best practices and create a new password.

Think of a popular phrase that you will easily remember. For this example, I chose the quote by Abraham Lincoln:

“Nearly all men can stand adversity, but if you want to test a man’s character, give him power.” 

Use the first letters of the words to create a gibberish-looking password.

New Password: namcsabiywttamcghp

This password is already a lot stronger than 70% of the passwords that other people use. We can make it even stronger by capitalizing the first and last letters and by replacing the letters with special characters.

New Password: N@mcs@b!ywtt@mcghP

At this point, it will take a computer the size of a small building to crack the password within the month. To make the password even more secure, we will add numbers to the first part and the last part of it as instructed earlier.

Let’s say my birth date is November 30, 1985. If could turn this date to its numerical form: 11-30-85. We could then divide it into two groups containing three digits each: ‘113’ and ‘085’. We will add these groups of numbers to each end of our new password.

New Password: 113N@mcs@b!ywtt@mcghP085

Now we have a password that contains 24 characters. It contains small and big letters. It has numbers and special characters to make it harder for machines to crack it. If your passwords for all your accounts have these security features, it will take the average hackers years to crack it using the brute force and dictionary methods. 
 

But let’s be honest, this seems like a bit of overkill doesn’t it?

We know complex passwords are important, but there is no way, even following the method above, that we can keep track of all this right?  Time to start writing things down huh?  Enter password management software to the rescue!

Password Management Software:

Good old Wikipedia has this to say about Password Management Software.

“A password manager assists in generating and retrieving complex passwords. The password can be stored in an encrypted database or calculated on demand. … Password managers typically require its user to create and remember one “master” password to unlock and access to any information stored in its database.”

So you now have to keep track of one User ID and Password to have access to all the other ones.  A good Password Management Solution will do the following:

  1. Generate complex passwords for you

  2. Store the User ID’s and Passwords securely

  3. Track what sites you are visiting and automatically populate the User ID and Password combinations securely

I am not currently using one of these tools.  I’m doing the pore man’s version.  I use a google doc that is secured behind my Gmail User D and Password but I layer 2 factor authentication down on top of it.  The down side with my solution is how time consuming it is to keep the document up to date manually as well as the fact I have to copy and paste everything.  It’s better than nothing, but I am moving towards a more inclusive solution with a real Password Management Platform.

LassPass is my current choice.  It is the highest rated password management tool I could find and it seems to do everything I need.  It’s free unless you want to have other people have access to your passwords.  I’ll most likely head this way as I often need to share that kind of information.

2 Factor Authentication

Even with complex passwords and the use of password management software, I am still not safe.  There is still a chance I get socially engineered to voluntarily hand over my passwords.  For example, I might be the target of a Phishing Attack where I get a fake email from my boss, or bank, or some other trusted source asking for the User ID and Password for blah blah blah.  Now I know I’m smart and I would NEVER fall for this.  But we are often busy and distracted.  When you are in the middle of a busy day at work and there are 100s of things to do, you just pull the trigger to get one less thing on your list.  It happens and it’s just being human.

Enter 2 Factor Authentication to the rescue!  2 Factor Authentication is nothing more than having a second control on your User ID other than your password.  It could be a thumb print, a FOB with a constantly changing number linked up to a server, or a smart phone application.  The list goes on.

Because I personally use Google and Microsoft products heavily, I decided to go use both of their 2 factor authentication solutions.  Both are free, both are easy to set up, and both are linked to my phone.  When I log into Gmail, I get a message on my phone saying “Are you trying to log in to Gmail?  Yes or No”.  I hit yes and get logged in.  Same thing is true with Microsoft.  The good news is that more and more applications have this kind of solution and in most cases, it’s free.

The big take away.

Stand alone User IDs and Passwords are the worst possible way to secure your online world.  They are easy to break and easy to social engineer.  Protect yourself with complex passwords managed by a software product and all locked behind a 2 factor authentication solution.  Do this, and you can operate in the online world safely and securely.

Need some help setting all this up?  Schedule a short call and let’s sort it all out.

Adam Anderson

Adam Anderson is the author of Built to Survive: A Business Person's Guide on How to Recover and Thrive After a Cyber Attack. Adam’s 15 years of entrepreneurial startup experience and his knowledge Enterprise Cyber Defense gives him a window into what’s wrong with communication between large and small companies. He combined this knowledge and the good works from the National Institute of Standards and Technology’s Cyber Security Framework to co-author the book “Small Business Cyber Security”. This book was later turned into an online class by Clemson University. Adam has been active in peer advisory boards for small business CEOs. He took this experience and co-founded a peer advisory board for Chief Security Officers of fortune 500 companies. This mix of small and large businesses has positioned Adam as one of the few people in the world to understand the complete supply chain of cyber security.
Posted in