Six steps to better passwords and account security
Who’s to say common advice is the best? When the stock market was crashing in 2008 the common advice was to hold because it would eventually come back. Would it not have been better to get out early or before the loss was huge in order to buy at the bottom and had a great gain on the way back? I argue that common password advice can be challenged. This article will challenge some password advice and confirm others.
Complex passwords are too hard
Before my cybersecurity career I found myself being overwhelmed with having sooooo many unique complex passwords. When I learned about password managers, e.g. LastPass, I quickly jumped on it. Those complex passwords are so difficult to remember and having a tool to remember them for me was great. Little did I realize I was reducing the security provided by my complex passwords by having a single attack surface. How is one to remember unique complex passwords for every web site?
Lets say you have an online gym membership account. You could pick words that remind you of the gym but are not easy to guess. You can capitalize at least one character in each word. You can use a special character to delimit each words. You can throw in a number. Hey, I just added lowercase and uppercase letters, a number, special character, and made it more than eight characters. Sounds like a good password to me.
Unique usernames… that’s different
Everyone emphasizes on having a unique password for every password. It’s good advice and I do recommend it. I have seen little advice on keeping usernames unique.
But that’s more stuff to remember!
Not only do you have to remember a unique password but now you will have to remember a unique username. That sounds like a lot of work. Why am I suggesting it? It will help keep your account secure.
Lets conjecture that you want to have the same password or a similar password for each web site. My password will have “123qwe” as the first six characters for each web site. If you use “djoe” as your username for each web site, every account will be hacked when one account is hacked. But what if the username for each web site was different. For example, I joined website #1 on 1/1/2016 and set my username to “djoe010116” and I joined web site #2 on 3/7/2017 and set my username to “djoe030717”. When web site #1 was hacked, web site #2 will be much less likely to be hacked.
Hint: If the website uses an email address for the username, you may still be able to use the plus sign to differentiate the email. For example, instead of using email@example.com you can use firstname.lastname@example.org. You will still receive emails at email@example.com. Not all websites accept the plus sign though.
Checking whether your password has been compromised
This publication introduced me to https://haveibeenpwned.com/. You can check if your password is related to a data breach. Type your password in the online form and see if your password is known to hackers. (Start with passwords for websites you care very little about.) Download the password database, search passwords for important accounts and start changing them.
Before you decide on a new password, check if it is known by Pwned.
Writing down your passwords can be secure
I mentioned password managers. As convenient as they are, they are also a cybersecurity threat that needs to be managed. Maybe you choose to use a password manager for less important accounts, but use a paper password journal for important accounts. The great thing about paper is it can never be hacked. It can be physically stolen, but you can lock it in a cabinet, hide it in a non-obvious location, add a facade to it, or experiment with invisible inks.
I was at a cyber security conference where a keynote presenter showed a video of a password journal infomercial. Everyone got a good laugh as they presenter joked about the silliness of the idea. Later I realized a password journal is the lesser of two evils when compared to a password manager, which can be hacked.
Multi-factor authentication gives a warm fuzzy
When you log into a web site, you may be sent a text message or asked to enter a code from a physical electronic device or to accept a request from an app. If you have done this, then you are using multi-factor authentication (MFA). This makes us feel more secure and in most situations does make us more secure. If someone steals your username and password, they must also intercept the text message, steal the electronic device, or log into your app as well. Although it is possible for a sophisticated hacker to steal additional factors, this is more work for them and many hackers want an easy steal.
At a minimum, turn on MFA for your bank accounts and email accounts.
Changing passwords frequently is annoying
The current advice is to change your password at least every 90 days. The shorter periodicity for changing password, then the less time a hacker has from finding a password and being able to use it successfully. But does that keep you safe?
One could argue that password should be changed every day, or every time you log in, or once a month. The shorter the time window the less you are exposed?
But what if you change your password so often that you start reusing passwords, or you accidentally change it to previously compromised password? Now your account is more vulnerable.
Consider changing important accounts frequently — 90 days is probably the least annoying periodicity. (Do it immediately after you learn of a cyber security breach.) Every other accounts change at least yearly. Do what makes sense for you.
If the last time you changed your Gmail password was two presidents ago, it has probably been too long ago.
Before You Go
Join my mailing list to receive updates about my writing.
About the Author
Miguel is a Principal Security Engineer and is the author of the " Serverless Security " book. He has worked on multiple serverless projects as a developer and security engineer, contributed to open-source serverless projects, and worked on large military systems in various engineering roles.
Originally published on Medium.com