Password Best Practices from the Security Professionals

This article was originally posted to the Strongarm blog in 2017 and has been reposted here on my personal site. Many of the links and resources are broken, but the content is still valid.

Passwords Image

As we’ve explained before, attackers generally want one of two things when they attack you online: money or information. To get to either of those goals, they often want to steal your usernames and passwords, also known as credentials. Once an attacker has your credentials, they have an all-access pass. This is why you want to understand and use password best practices.

Why Attackers Target Credentials

Attackers want to steal credentials so that they can get money or information. They steal your username and password, with the goal of:

  • Using your email to impersonate you and trick your peers and colleagues into doing something the attacker benefits from (i.e. authorizing a wire transfer to the attacker’s bank)
  • Using your credentials to gain access to your business’ network remotely
  • Using your credentials to access and steal your company’s data

Obviously, you don’t want any of that to happen. So how can you make it as hard as possible for attackers to access your coveted credentials?

Password Best Practices

Here are six recommendations to keep your passwords safe and protected from attackers with bad intentions.

1. Use Strong Passwords

You’ve probably heard this advice before, but you might not know this helpful hack for creating strong passwords you can remember. Long phrases and sentences that are easy for you to remember, but hard for computers and attackers to guess, make great passwords, as this comic illustrates. For example, the passphrase “wherever leather frame biggest” is easy for you to remember, but challenging for a computer or adversary to guess, because it’s long and nonsensical. Conversely, the password “S3cretS@uc3” might look like a good, complex password, but it’s hard for you to remember and much easier for a computer to guess, since it’s short and uses obvious patterns to replace vowels with symbols. When it comes to password strength, the length of the password is always better than using complex characters.

2. Never Reuse Passwords

It can be tempting to use the same password across multiple services since that makes them easier to remember, but attackers are constantly targeting popular websites and services in order to gain access to user accounts and personal information. If an attacker gains access to your Facebook account, they shouldn’t be able to use those credentials to log in to your work email or personal banking site. Use a unique password for each account you have. And keep in mind that just changing the number at the end of the password or making other tiny tweaks does not equal a unique password.

3. Use a Password Manager

If you read recommendations one and two and thought, “Yeah, yeah, but how do I remember all those complex, unique passwords?”, here’s a tip. Use a password manager. LastPass and 1Password are two great options. LastPass is free for personal use and 1Password is very affordable. Both make using long, unique passphrases easy, but the benefits don’t stop there. You can sync passwords across your devices, audit your passwords for reuse, and set policies to ensure you are following the best practices we recommend. Additionally, when using a password manager, we recommend that you:

  • Use a good master password that you can remember! This password is extremely important because it allows access to all your credentials.
  • Set up two-factor authentication.
  • Configure the password manager to use long phrases.

4. Audit Your Accounts

So now you have an awesome password strategy, but what about those pre-existing accounts that might be using weak passwords or that have already been compromised in one of the many data breaches over the years? You can audit your accounts with Have I Been Pwned?, which allows you to search across data breaches to see if your email address has been compromised. This way, if any of your accounts have been compromised as part of breach, you’ll know and can change the password immediately.

5. Use Two-Factor

We will talk in depth about why it’s so important in the future, but always enable two-factor authentication for all accounts that support it. Popular services such as Gmail, Office365, Facebook, Twitter all have two-factor support. This is a great way to ensure that attackers can’t easily access your account, even if they somehow swipe your password. As an IT manager, requiring two-factor authentication will help prevent unauthorized access to the services your business depends on if your employee’s accounts are compromised.

6. Educate Your Employees

Businesses must remember that employees are the first line of defense against credential theft. Take the time to educate and train people to recognize phishing and attempts to steal their credentials. One easy way to do so? Share this article about managing your credentials like a security professional.

So there you have it. You don’t have to be a security professional to protect your usernames and passwords like one. Follow these six simple steps and you’ll be well on your way to preventing the next credential phishing attack.