Yup. We moved everything to the cloud. We store our data there. We run our applications there. We send our customers there. We are safer and have reduced our liability of business interruption due to a cyber attack greatly.
All we have to do is remember 8 different logins and passwords. Oh, and best practices say that all passwords need to be different and super complex.
Here is what really happens. We use the same one or two passwords everywhere, and sometimes we are lucky enough to remember which password we used on which site. If not, we go through the “reset my password” process over and over.
Eventually, we get tired of this and create a document or a bunch of sticky notes with all the sites, usernames, and passwords and refer to it when we need to access the application we intend to work on.
The end result is we have created an unsecured document that holds the keys to the new security fortress we just created. If the bad guys get their hands on it, we are out of luck.
Here are three things you can do to move in a safer direction:
Adopt the use of complex password phrases
Use Password Management Software
Use 2 Factor Authentication everywhere you can
Complex Password Phrases:
Let’s follow best practices and create a new password.
Think of a popular phrase that you will easily remember. For this example, I chose the quote by Abraham Lincoln:
“Nearly all men can stand adversity, but if you want to test a man’s character, give him power.”
Use the first letters of the words to create a gibberish-looking password.
New Password: namcsabiywttamcghp
This password is already a lot stronger than 70% of the passwords that other people use. We can make it even stronger by capitalizing the first and last letters and by replacing some of the letters with special characters.
New Password: N@mcs@b!ywtt@mcghP
At this point, it will take a computer the size of a small building to crack the password within the month. To make the password even more secure, we will add numbers to the beginning and the end of it.
Let’s say my birth date is November 30, 1985. We could turn this date into its numerical form: 11-30-85. We could then divide it into two groups containing three digits each: ‘113’ and ‘085’. We will add these groups of numbers to each end of our new password.
New Password: 113N@mcs@b!ywtt@mcghP085
Now we have a password that contains 24 characters. It contains lower-case and upper-case letters. It has numbers and special characters to make it harder for machines to crack it. If the passwords for all your accounts have these security features, it will take the average hacker years to crack them using brute-force and dictionary methods.
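The procedure above, carried through in code. This is an added example, not something from the original post: it takes the first letter of each word, capitalizes the first and last letters, swaps in the two symbols the post uses (a becomes @, i becomes !), wraps the result in the two three-digit groups cut from the birth date, and then reports which character classes the finished password contains. The substitution table and the "skip words that start with punctuation" rule are assumptions for the example. One practitioner caveat worth stating plainly: fixed letter-to-symbol swaps like these are built into password-cracking rulesets, so the length and the unguessable base phrase are what carry the strength, not the symbols.

```python
import string

# Constructed inputs: the Lincoln quote and birth date used in the post above.
QUOTE = "Nearly all men can stand adversity, but if you want to test a man's character, give him power."
BIRTH_DATE = "11-30-85"

# Letter-to-symbol swaps assumed from the post's example (a -> @, i -> !).
SUBSTITUTIONS = {"a": "@", "i": "!"}


def initials(phrase: str) -> str:
    """First letter of every word, lower-cased; words that start with punctuation are skipped."""
    return "".join(word[0].lower() for word in phrase.split() if word[0].isalpha())


def date_groups(date_str: str, group_size: int = 3) -> tuple:
    """Strip separators from a date and cut the digits into fixed-size groups: '11-30-85' -> ('113', '085')."""
    digits = "".join(ch for ch in date_str if ch.isdigit())
    return tuple(digits[i:i + group_size] for i in range(0, len(digits), group_size))


def strengthen(base: str, prefix: str = "", suffix: str = "") -> str:
    """Capitalize the first and last letter, swap symbols into the middle, then wrap in digit groups."""
    if len(base) < 2:
        raise ValueError("base password must have at least two characters")
    middle = "".join(SUBSTITUTIONS.get(ch, ch) for ch in base[1:-1])
    return prefix + base[0].upper() + middle + base[-1].upper() + suffix


def character_classes(password: str) -> dict:
    """Report the length and which of the four character classes the post asks for are present."""
    return {
        "length": len(password),
        "lower": any(ch.islower() for ch in password),
        "upper": any(ch.isupper() for ch in password),
        "digit": any(ch.isdigit() for ch in password),
        "symbol": any(ch in string.punctuation for ch in password),
    }


def build_password(phrase: str = QUOTE, date_str: str = BIRTH_DATE) -> str:
    """Run the post's whole procedure end to end: initials -> strengthen -> wrap in date digits."""
    front, back = date_groups(date_str)[:2]
    return strengthen(initials(phrase), prefix=front, suffix=back)


if __name__ == "__main__":
    pw = build_password()
    print(pw)  # 113N@mcs@b!ywtt@mcghP085
    print(character_classes(pw))
```

Running it reproduces the post's 24-character result exactly, and character_classes() is the quick check to run on any password you derive this way before trusting it.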
But let’s be honest, this seems like a bit of overkill doesn’t it?
We know complex passwords are important, but there is no way, even following the method above, that we can keep track of all this, right? Time to start writing things down, huh? Enter password management software to the rescue!
Password Management Software:
Good old Wikipedia has this to say about Password Management Software.
“A password manager assists in generating and retrieving complex passwords. The password can be stored in an encrypted database or calculated on demand. … Password managers typically require its user to create and remember one “master” password to unlock and access to any information stored in its database.”
So you now have to keep track of one User ID and Password to have access to all the other ones. A good Password Management Solution will do the following:
Generate complex passwords for you
Store the User IDs and Passwords securely
Track what sites you are visiting and automatically populate the User ID and Password combinations securely
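The first item on that list, "generate complex passwords for you", is the part that is easy to show in code. The block below is an added example written for this page, not code from any password manager: it draws every character from the operating system's cryptographic random source, guarantees at least one lower-case letter, one upper-case letter, one digit and one symbol, shuffles so the guaranteed characters do not land in predictable positions, and produces a different password for every site. The symbol set and the default length of 24 are assumptions chosen to match the post's example.

```python
import math
import secrets
import string

# Character pools; a real tool would let each site's own rules restrict these.
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"
POOLS = (string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS)
ALL_CHARS = "".join(POOLS)


def generate_password(length: int = 24) -> str:
    """Return a random password of the given length with at least one character from every pool."""
    if length < len(POOLS):
        raise ValueError(f"length must be at least {len(POOLS)} to cover every character class")
    # One guaranteed pick per class, the remainder from the union of all pools.
    chars = [secrets.choice(pool) for pool in POOLS]
    chars += [secrets.choice(ALL_CHARS) for _ in range(length - len(POOLS))]
    # Shuffle with the CSPRNG-backed generator, never the default random module.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def has_every_class(password: str) -> bool:
    """True when the password contains at least one character from each pool."""
    return all(any(ch in pool for ch in password) for pool in POOLS)


def entropy_bits(length: int) -> float:
    """Entropy of a uniformly random password of this length over ALL_CHARS (the class guarantee lowers it very slightly)."""
    return length * math.log2(len(ALL_CHARS))


def passwords_for_sites(sites, length: int = 24) -> dict:
    """One distinct password per site, which is the whole point of letting software do the generating."""
    return {site: generate_password(length) for site in sites}


if __name__ == "__main__":
    # Constructed list of sites for the demo.
    vault = passwords_for_sites(["bank.example", "mail.example", "crm.example"])
    for site, pw in vault.items():
        print(f"{site:14} {pw}  classes ok: {has_every_class(pw)}")
    print(f"~{entropy_bits(24):.0f} bits of entropy per 24-character password")
```

The entropy figure is what makes the difference concrete: a 24-character password over this 85-symbol alphabet is on the order of 150 bits, far beyond anything a human-memorable scheme reaches, which is why the manager should generate the passwords and the human should remember only the master one.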
I am not currently using one of these tools. I’m doing the poor man’s version. I use a Google Doc that is secured behind my Gmail User ID and Password, but I layer 2 factor authentication on top of it. The downside of my solution is how time consuming it is to keep the document up to date manually, as well as the fact that I have to copy and paste everything. It’s better than nothing, but I am moving towards a more complete solution with a real Password Management Platform.
LastPass is my current choice. It is the highest rated password management tool I could find and it seems to do everything I need. It’s free unless you want to let other people have access to your passwords. I’ll most likely head that way, as I often need to share that kind of information.
2 Factor Authentication
Even with complex passwords and the use of password management software, I am still not safe. There is still a chance I get socially engineered into voluntarily handing over my passwords. For example, I might be the target of a Phishing Attack where I get a fake email from my boss, or bank, or some other trusted source asking for the User ID and Password for blah blah blah. Now I know I’m smart and I would NEVER fall for this. But we are often busy and distracted. When you are in the middle of a busy day at work and there are hundreds of things to do, you just pull the trigger to get one less thing on your list. It happens, and it’s just being human.
Enter 2 Factor Authentication to the rescue! 2 Factor Authentication is nothing more than having a second control on your User ID in addition to your password. It could be a thumb print, a key fob with a constantly changing number that is kept in sync with a server, or a smart phone application. The list goes on.
Because I personally use Google and Microsoft products heavily, I decided to use both of their 2 factor authentication solutions. Both are free, both are easy to set up, and both are linked to my phone. When I log into Gmail, I get a message on my phone saying “Are you trying to log in to Gmail? Yes or No”. I hit yes and get logged in. The same is true with Microsoft. The good news is that more and more applications have this kind of solution, and in most cases it’s free.
The big takeaway:
Stand-alone User IDs and Passwords are the worst possible way to secure your online world. They are easy to break and easy to socially engineer. Protect yourself with complex passwords managed by a software product, all locked behind a 2 factor authentication solution. Do this, and you can operate in the online world safely and securely.
Need some help setting all this up? Schedule a short call and let’s sort it all out.