Part of a blog series from the CoSN’s Cybersecurity Committee in preparation for and tied to Cybersecurity Month.
Passwords have been part of computing since its earliest days, and from the beginning their use has been fraught with poor choices and poor hygiene. Bad passwords have been a pop-culture staple for decades: the movie “Hackers” talks about the most common passwords, and in “Clear and Present Danger” an FBI analyst cracks a password while remarking, “People like to use birthdays.”
The two movies I have referenced are nearly 30 years old, and from then until now most users’ passwords have not become more secure. In the last three decades, the industry has developed strategies to increase security: requiring more complex passwords, limiting how long a password may be used, and preventing reuse of previous passwords. All of these strategies try to mitigate the inherent flaw of a single password.
That flaw is that we choose the password. All users build passwords from familiar associations; we rely on memory strategies our brains have built over a lifetime. The problem with these strategies is that we reuse the same password, or variations of it. We find one we like, and we use it over and over again. Reusing a good password creates a skeleton key to our digital life: one key that can open all of our accounts.
In the past, a bad actor had to perform an extensive study of our lives and personal details before guessing a password or attempting a brute-force attack. Now that major service providers have had their systems breached, all a bad actor has to do is use breached data to find your common password, your skeleton key. You may think you are ahead of the game by using variations of your password, but it only takes two or three breaches combined for your variation method to be deciphered.
To continue the battle against the vulnerable password, the industry has introduced Multi-Factor Authentication (MFA), biometrics, and conditional access. These services still require a strong password. Why would we want to use a weak password just because we are using MFA? Using a weak password as part of MFA means that instead of having two locked doors into your secure area, you have one door unlocked or held only by a weak latch, and you are relying on a single lock. That is not as secure as you could be.
Seven years ago, I took a deep look into my digital hygiene, took into account all of the points above, and concluded that my password usage was lacking. I decided to research what I was doing and find practices or tools to make me a more secure user. My conclusion was to implement a password manager for my personal and professional life. I am not going to tell you which one I chose, because it does not matter. What matters is that the password manager, along with its random password generator, has allowed me to improve my digital security greatly. All major products will give you the same results.
Using a password manager with generated random passwords, I eliminated two of the major issues that have plagued users. By using the password generator, I eliminate a password that is common to my personal data, experiences, or likes. Employing a password manager, I do not reuse passwords for any two websites or services. I have now compartmentalized my digital life. If one service is breached, the breach stops with that service. Combined with MFA, my digital life has some of the strongest security currently employable.
I encourage you to start today if you have not made this move.
I will end this blog post with some practices that helped me.
- Your master password needs to be long, complicated, and memorable. I like the non sequitur question-and-answer format: you write a question, then give an answer that is not related in any way to the question. I also add symbols and numbers where appropriate. An example of this technique is “Who is buried in Grant’s Tomb? I like 3 flavors of ice cream. Chocolate, Strawberry, and Mint”
- Set the password generator to generate passwords of 20 characters or more. (Some sites have a smaller maximum length; in that case, use their maximum.)
- Don’t be shy about using delimiter symbols such as colons, semicolons, or commas in your password. When a large breach has generated huge data files, the bad actors need to process that data, and with a delimiter in your password, your password will be damaged in their processing.
- Take full advantage of extra features in your password manager such as secure note storage, secure password and note sharing, and cross-platform synchronization.
- Absolutely use MFA anywhere you can, and I prefer hardware keys or authentication apps over the use of SMS.
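The generator practices above (20 or more characters, a smaller site maximum when one exists, delimiter symbols included) as an added example of what a password manager's generator does internally; this is illustrative code written for this post, not the code of any particular product, and the character classes and minimum length are assumptions:

```python
import math
import secrets
import string
from typing import Optional

# Assumed character classes: letters, digits, common symbols, and the
# delimiter symbols the post recommends (colon, semicolon, comma).
DELIMITERS = ":;,"
SYMBOLS = "!@#$%^&*()-_=+[]{}"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS + DELIMITERS
MIN_LENGTH = 20  # the post's recommended minimum


def has_required_classes(pw: str) -> bool:
    """True if pw contains upper, lower, digit and at least one delimiter."""
    return (any(c.isupper() for c in pw) and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in DELIMITERS for c in pw))


def generate_password(length: int = MIN_LENGTH,
                      site_max: Optional[int] = None) -> str:
    """Generate a uniformly random password with the OS CSPRNG.

    `secrets` is used rather than `random`, which is not suitable for
    security purposes. `site_max` models a site whose maximum length is
    below the requested length; the post says to use that maximum then.
    """
    if site_max is not None:
        length = min(length, site_max)
    if length < 8:
        raise ValueError("refusing to generate a trivially short password")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Rejection sampling: retry until every class is present. This keeps
        # the result uniform over the accepted set instead of forcing fixed
        # positions, which would reduce the search space.
        if has_required_classes(pw):
            return pw


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing entropy (in bits) of a uniformly random password."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"({entropy_bits(len(pw)):.1f} bits)")
```

With this 83-character alphabet a 20-character password carries roughly 127 bits of entropy, far beyond what any offline guessing attack can exhaust, which is why the length recommendation matters more than any memorable pattern.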
Author: William Brackett, Director of IT Services, Oak Park ESD 97, Oak Park, IL
Published on: October 10, 2023
CoSN is vendor neutral and does not endorse products or services. Any mention of a specific solution is for contextual purposes.