This week, we sat down with our managing partner, Mike Skinner, to get his opinion on basic cyber hygiene when it comes to protecting yourself while on the internet. Below we discuss password best practices, most commonly seen mistakes, the importance of VPN, and why MFA matters.
What is the best way to protect your passwords?
The best way to keep your passwords safe is to use long, complex passwords. Using complex passwords with at least eight characters is a good rule of thumb.
For administrator or privileged accounts, we recommend using longer passphrases with 14 to 16 characters or more. It's also a good idea to use a passphrase, such as “Mary had a little lamb,” instead of a standard password. Another way to protect your password is to change it at least every 90 days, and avoid using incremental passwords such as Summer1, Fall2, or Spring3. These are easy for password-cracking tools to identify and render your password vulnerable. A third best practice is to avoid reusing the same password on multiple sites or systems.
Never share your password with anyone, even someone from your IT department. Use a password manager. Password managers are great tools, either web-based or desktop applications, that store your passwords in an encrypted file.
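The rules above (minimum length by account type, no incremental "stem plus counter" passwords, no reuse, and the length versus passphrase trade-off) can be turned into a policy check. The following is an added example written for this page, not code from the interview or from the firm; the 14-character floor for privileged accounts, the list of rotating stems (seasons, months), and the 95-symbol and 7,776-word figures used for the entropy comparison are assumptions chosen for illustration.

```python
import math
import re
from typing import List, Tuple

# Minimum lengths from the interview: 8 for standard accounts, 14 for
# privileged accounts (assumption: the low end of the "14 to 16" guidance).
MIN_LEN_STANDARD = 8
MIN_LEN_PRIVILEGED = 14

# Stems that users commonly rotate with a counter ("Summer1", "Fall2", ...).
# Constructed list for this example; a deployment would use a larger set.
ROTATING_WORDS = {
    "spring", "summer", "fall", "autumn", "winter",
    "january", "february", "march", "april", "may", "june", "july",
    "august", "september", "october", "november", "december",
    "password", "welcome",
}

# base = everything before an optional trailing number and trailing symbols.
_SPLIT = re.compile(r"^(?P<base>.*?)(?P<num>\d+)?(?P<sym>[^A-Za-z0-9]*)$")


def split_base(password: str) -> Tuple[str, str]:
    """Return (lower-cased stem, trailing digits) so 'Summer1!' -> ('summer', '1')."""
    m = _SPLIT.match(password)
    return m.group("base").lower(), m.group("num") or ""


def check_password(candidate: str, previous: List[str], privileged: bool = False) -> List[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    violations: List[str] = []
    min_len = MIN_LEN_PRIVILEGED if privileged else MIN_LEN_STANDARD
    if len(candidate) < min_len:
        violations.append(f"too short: {len(candidate)} < {min_len}")

    base, num = split_base(candidate)
    prev_bases = {split_base(p)[0] for p in previous}

    if candidate.lower() in {p.lower() for p in previous}:
        # Exact reuse of an earlier password (case-insensitive).
        violations.append("reuse: matches a previous password")
    elif num and (base in prev_bases or base in ROTATING_WORDS):
        # Incremental rotation: an old stem, or a season/month stem, plus a counter.
        violations.append(f"incremental: stem {base!r} plus counter {num!r}")
    return violations


def entropy_bits(choices: int, length: int) -> float:
    """Bits of entropy for `length` independent picks from `choices` equally likely options."""
    return length * math.log2(choices)


if __name__ == "__main__":
    # Constructed sample history for the demo.
    history = ["Spring3", "correcthorse6"]
    for pw in ["Summer1", "correcthorse7", "Mary had a little lamb"]:
        print(pw, "->", check_password(pw, history) or "ok")
    # 8 random printable-ASCII characters vs a 5-word passphrase from a 7,776-word list.
    print("8 chars:", round(entropy_bits(95, 8), 1), "bits;",
          "5 words:", round(entropy_bits(7776, 5), 1), "bits")
```

The entropy comparison assumes the characters or words are chosen uniformly at random (as a password manager or dice would), which is exactly what a human-chosen "Summer1" is not; the stem check exists because cracking tools enumerate those patterns first.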
Many organizations use multi-factor authentication (MFA) tools. What is MFA, and why do organizations rely on it as a layer of password security?
Multi-factor authentication, or MFA, is a security technology that requires multiple methods of identification to verify the identity of the user attempting to log into a system or perform some sort of function on the system. Factors commonly used in MFA in addition to your password are codes sent via SMS text messages, phone calls to a known good number, tokens from an authenticator application, and biometrics like fingerprints.
Organizations rely on multi-factor authentication because it adds an additional layer of defense against a cybercriminal trying to gain access to your systems. A bad actor has to have not only your password and username but also access to that additional authentication factor to gain access to that system.
How does VPN come into play with protecting your password and identity online?
VPNs, or virtual private networks, are an essential aspect of your cyber security posture. A VPN connects your computer to another network over an encrypted tunnel. That means anything you send while connected to that VPN is encrypted and cannot be viewed by an outside party.
VPNs are important when you're using public networks. You never know who is watching the information that you're sending over a public network. VPNs help protect your password, your identity, and other information such as what websites you visit or applications you use. These are very important to use, particularly when you're working out of the office or away from your home network.
If you think your password has been compromised, what do you do?
If you believe your password has been stolen, and it's for your business or company user ID and password, the first thing you should do is notify your IT department. Let them know that you suspect your password has been compromised and change your password right away.
Change your password on the system that was compromised, and if you used the same password on other systems (this is why unique passwords are important!), change it there as well. Also, if it was a user account for a bank website or other financial application, definitely check the activity on your bank website or in that financial application to make sure no unauthorized activity occurred after your password was potentially compromised.
What is the most frequent mistake you see with passwords?
The most frequent mistake that we see with passwords is password reuse. Password reuse occurs when a user uses the same password across multiple sites or applications. This is very risky. If any one of those applications or websites gets breached, the threat actor now has the password you use there. If you use it on other sites, there's a high likelihood that the threat actor is going to be able to access those sites using the same username and password from the site that was actually breached.
It's also worth noting that this sort of password leak has happened in several headline data breaches, with software-as-a-service providers and cloud applications being compromised. Those stolen login credentials are then used on other websites to gain access to additional platforms. It's critical to use a different password for all applications and web pages you visit.
Next week, we will be back with Brad Pierce, Director of Security Operations, to discuss phishing. We hope you’ll join us then. For now, do your part. #BeCyberSmart