Question: How do I make my passwords secure?
Could something as little as your login credentials present a legitimate security risk to your business?
Weak passwords pose a huge security risk to a business. In April 2019, Forbes wrote an in-depth article about Facebook’s password breach and, interestingly enough, the public’s response was more apathy than alarm.
To add insult to injury, Facebook also admitted that millions of Instagram passwords had been compromised as well. In the midst of all that, this damage control article was released to soften the blow. See the excerpt of the article below:
“Update on April 18, 2019 at 7AM PT: Since this post was published, we discovered additional logs of Instagram passwords being stored in a readable format. We now estimate that this issue impacted millions of Instagram users. We will be notifying these users as we did the others. Our investigation has determined that these stored passwords were not internally abused or improperly accessed.”
But is that enough? Is it enough to trust Big Tech with our information? Is it enough to trust Big Tech and the measures they are taking to ensure our privacy? Is it enough to trust Big Tech to prevent our accounts from getting hacked?
No, it’s not. But the real question is, can you do something about it?
Definitely. You can always start with making your password stronger. But first, what happens when your accounts get hacked? Let ETech 7, a leading managed IT services provider in New York City, walk you through the ins and outs of password creation, management, and storage to keep your accounts safe.
What happens when your accounts get hacked?
Suddenly logged out of your account? Can't log back in? We all dread this. Companies and individuals who hold sensitive information are always at risk of being targeted by ransomware. Ransomware is a type of malicious software that locks your files and holds them hostage unless you pay up. Ransom prices vary and, because cryptocurrency payments are hard to trace back to the recipient, bitcoin is usually the form of payment these attackers demand.
Just a couple of months ago, ETech 7 helped a client recover their email accounts after all employees got hit by ransomware. The hackers asked for $500 per email account. And yes, you heard that right. Per. User.
If you have about 10 employees, do you have $5000 just lying around to give to these hackers? Chances are, you don't. $5000 is big money for just about ANY type of company.
What can you do to prevent an attack?
When it comes to IT security, the first thing we tell our clients is the importance of two-factor authentication (2FA). Two-factor authentication adds another layer of security on top of your password to prove that it's really you logging into your account. Generally, the first step we take with clients is to ensure that their personal and professional emails have 2FA. Why? Because once someone gets hold of your main email's password, he/she can reset the password of every single thing that's tied to it. Netflix? Compromised. Chase? Compromised. Capital One? Compromised. Credit Karma? Compromised.
Passwords are no joke. You should really put the time and effort to come up with strong passwords and ensure that you have layers upon layers of other security measures to protect them. Read on to find out more about how you could gauge the strength of your password, where to store your passwords, as well as password managers for your business.
How Strong is My Password?
There are plenty of ways to come up with a strong password. Whether it is a password from personal memory that only you would know or one generated by an online password generator, it wouldn’t be classified as strong unless you mix in punctuation, numerical, and special characters.
Computerphile, a Youtube channel about all things computers/technology, has come up with a video about choosing a password. The video goes into a deep dive of choosing the right password for you that's safe, secure, and unlikely to be compromised. Watch the video below:
Say you want your password to come from personal memory - maybe the street you grew up on as a child? For example, let’s say the street you grew up on is named “Lake Street” - this will now be the base of your password. By base, we mean the word you start from when the screen asks for your password.
Now we make “LakeStreet” stronger by adding in a mix of punctuation, special, and numerical characters. See samples below:
See the difference?
You just made your base password a lot stronger by adding special characters to make it more difficult for hackers to access your account.
While certainly stronger, this approach isn’t perfect. A lot of people might know that you grew up on Lake Street and might try to access your accounts using that information. However, by adding in a mix of punctuation, special, and numerical characters, you make it more and more difficult for hackers to breach your information.
Another way to ensure that you have a strong password is to use a random character/password generator. As an example, we used LastPass - a well-known password manager - to generate random passwords for us. See samples below:
LastPass’ password generator lets you generate a random password of up to 50 characters. However, best practice suggests that strong passwords are usually 12 characters long. The samples above are all 12 characters long and mix uppercase and lowercase letters, numbers, and symbols.
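As an added illustration (this is not code from the article or from LastPass), here is a small Python script that applies the two checks discussed above to a password: how many character classes it mixes and whether it reaches 12 characters, plus the caveat from the Lake Street example, since a decorated dictionary word is still guessable. The `COMMON_BASES` list and the sample passwords are constructed for the example, and `generate()` mimics what a password manager's generator does.

```python
import math
import secrets
import string

# Constructed stand-in for the most-used-passwords list plus the article's own base word
COMMON_BASES = {"123456", "password", "qwerty", "iloveyou", "lakestreet"}
# Undo the usual symbol/digit substitutions (@->a, $->s, 0->o, 1->l, 3->e)
LEET = str.maketrans("@$013", "asole")

def char_classes(pw: str) -> dict:
    return {
        "lower": any(c.islower() for c in pw),
        "upper": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "symbol": any(c in string.punctuation for c in pw),
    }

def brute_force_bits(pw: str) -> float:
    # Work a pure brute-force attacker faces: length * log2(alphabet size)
    sizes = {"lower": 26, "upper": 26, "digit": 10, "symbol": len(string.punctuation)}
    alphabet = sum(sizes[k] for k, present in char_classes(pw).items() if present)
    return len(pw) * math.log2(alphabet) if alphabet else 0.0

def base_word(pw: str) -> str:
    # Strip the decoration to recover the word a dictionary attack would try first
    return "".join(c for c in pw.lower().translate(LEET) if c.isalpha())

def assess(pw: str) -> dict:
    n_classes = sum(char_classes(pw).values())
    findings = []
    if len(pw) < 12:
        findings.append("shorter than 12 characters")
    if n_classes < 3:
        findings.append("fewer than three character classes")
    if pw.lower() in COMMON_BASES or any(b in base_word(pw) for b in COMMON_BASES):
        findings.append("decorated version of a common or guessable base word")
    return {"bits": round(brute_force_bits(pw), 1), "classes": n_classes, "findings": findings}

def generate(length: int = 12) -> str:
    # What a manager's generator does: CSPRNG output with every class guaranteed
    pools = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]
    chars = [secrets.choice(p) for p in pools]
    chars += [secrets.choice("".join(pools)) for _ in range(length - len(pools))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)

if __name__ == "__main__":
    for candidate in ("LakeStreet", "L@ke$treet19!", generate()):
        print(candidate, assess(candidate))
```

Note that "L@ke$treet19!" scores about 85 bits against blind brute force yet is still flagged, because the brute-force figure says nothing about an attacker who already knows the base word.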
If you think your password is too common, check out this article from Esquire that lists the 25 most used passwords in 2018. If you see your password there… it may be due for an update.
Now that you have a strong password, where do you store it? Is it safe to store passwords on your computer?
It could be - if you’re the only one using said computer. However, if there are a lot of people using your computer, your passwords might not be safe AT ALL. If by “storing on your computer” you mean allowing browsers to “remember passwords”, having a spreadsheet or word file with the filename “password”, or an email that has ALL of your credentials, then NO. Absolutely not. That. Is. Not. Safe.
We understand that you might want to keep everything in one place, and we also understand that it may be convenient for you, but hear us out… Convenience is nice and all, but if it’s that easy to get all of your credentials, you shouldn’t be using any type of technology whatsoever.
Wow, ETech 7 - that’s TOO harsh! Tough love! The purpose of this blog post is to protect you by laying out tips and tricks to make your passwords more secure and suggest ways on where to store them.
If you’re someone that frequently forgets their passwords, aka me, you probably need a password manager.
What is a password manager?
An article from How-To Geek defines a password manager as a place to store your login information (usernames and passwords) for all the websites you use. Password managers encrypt your passwords under a master password. There is a catch, however: your master password can’t be stored in your password manager; you have to memorize it.
In layman’s terms, password managers were made to manage a user’s personal details in an encrypted/secured manner.
A password manager could be desktop software, a mobile application, or a browser plug-in. It all depends on your preference.
Could a simple and free password manager also be fit to serve my business’ needs?
Here at ETech 7, we always want to be on the safe side of things since we believe that an ounce of prevention is always better than a pound of cure. We recommend you use an enterprise password manager that will allow you to organize all of your credentials in a secure manner.
What are the best password managers for your business?
DISCLAIMER: This section of the article does not reflect the views of my employer but of my own.
Long ago, I was also like you. I found myself reading a lot of different articles about password managers because I was too tired of having to reset my password because, for the 10th time, I forgot my Netflix credentials after getting logged out for no apparent reason (but that’s a conversation for another time).
LastPass is a password manager that offers personal and business packages, letting you decide what you need for yourself and what you need for your business. LastPass has also been recognized by top organizations such as the New York Times, Mashable, the Huffington Post, NPR, CIO, and PCMag.com, among others. LastPass is the first password manager listed here because it is the only one I have stuck with. I’ve tried countless other password managers, but LastPass has been the best one for me. Let me borrow an excerpt from LastPass’ website:
“You're tired of setting, remembering (and forgetting) passwords. That's why we created LastPass, a convenient password manager designed around data privacy. With seamless background sync, offline access, and an app for almost every device — you always have access to your passwords when, and where you need them.”
That’s really all you need to know about it.
Pros: Free option, access across all of your devices, save and fill passwords for websites you frequently visit, free random password generator, secure notes, and multi-factor authentication
Cons: Mobile app could use a bit of work in the UX/UI department, for small businesses $4/$5 per user might be a little expensive, I have experienced a couple of crashes when using the browser extension/plug-in
Premium Price: $4 per user monthly for businesses of 50 employees or less | $6 per user monthly for businesses with more than 50 employees
Dashlane’s features can compete toe-to-toe with LastPass and 1Password, but one thing that sets it apart is how flawless its design is. In addition, Dashlane offers a plethora of services in an easy-to-use dashboard that monitors password health and provides dark web monitoring in the event of identity theft.
Dashlane has also been recognized as an Editor's Choice app in the App Store as well as the Best App in the Google Play Store.
Pros: Easy to use, save and fill passwords for websites you frequently visit, includes VPN protection, Dark Web monitoring for compromised information, free random password generator, secure notes, and multi-factor authentication
Cons: Shared configuration could be a little confusing (from personal experience), the Dashlane mobile app sometimes logs me out for no reason, Dashlane’s Chrome extension could be a little buggy, packages might be a little pricey for businesses
Premium Price (for businesses): $4.00 per user monthly
Almost every website I have visited uses 1Password as its preferred personal and professional password manager. As they should!
1Password proves to be one of the most well-rounded password managers out there. It has all the standard services: password storage, save and fill for websites you frequently visit, two-factor authentication (2FA), information vaults, among others. However, the one thing that stands out among everything 1Password offers is its Master Password + Secret Key feature.
Master Password + Secret Key = What is it?
According to 1Password’s website, the addition of the Secret Key lets users better secure their information by adding a layer to the authentication process. The Secret Key also plays a direct role in encrypting a user’s data and strengthens your master password, since your Secret Key is never sent to 1Password - only YOU know what it is.
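To show what mixing a second, device-held secret into the key derivation buys you, here is an added Python illustration of the idea; it is not 1Password's actual scheme, and the salt, the `LakeStreet` master password and the function names are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Illustrative two-secret scheme in the spirit of the feature described above;
# this is NOT 1Password's real algorithm, only a demonstration of the principle.

def make_secret_key() -> str:
    # 128 random bits, generated once on the user's device and never sent to the server
    return secrets.token_hex(16)

def derive_vault_key(master_password: str, secret_key: str, salt: bytes) -> bytes:
    # A slow KDF stretches the memorised password, making every guess expensive...
    stretched = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 100_000)
    # ...then the Secret Key is mixed in: a correct password guess made without it
    # (e.g. against a stolen server-side record) still yields the wrong vault key.
    return hmac.new(bytes.fromhex(secret_key), stretched, hashlib.sha256).digest()

def unlocks(vault_key: bytes, password_guess: str, secret_key: str, salt: bytes) -> bool:
    # Constant-time comparison of the derived key against the real vault key
    return hmac.compare_digest(vault_key, derive_vault_key(password_guess, secret_key, salt))

if __name__ == "__main__":
    salt = b"constructed-per-account-salt"   # constructed sample value
    secret_key = make_secret_key()
    vault_key = derive_vault_key("LakeStreet", secret_key, salt)
    # Legitimate user: right password plus the Secret Key held on the device
    print("owner unlocks:", unlocks(vault_key, "LakeStreet", secret_key, salt))
    # Someone who guessed the weak password but does not have the Secret Key
    print("guess w/o key:", unlocks(vault_key, "LakeStreet", make_secret_key(), salt))
```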
Pros: Save and fill passwords for websites you frequently visit, rarely glitches or logs me out - very reliable, GREAT customer service, advanced and innovative services keep your stuff up-to-date, free random password generator, secure notes
Cons: UI/UX could be improved since the dashboard could be a little complex, pricey plans and packages, mobile could be a little laggy at times (based on personal experience)
Premium Price (for businesses): $3.99 per user monthly for teams | $7.99 per user monthly for businesses
LastPass, Dashlane, and 1Password are all great password managers. Now, it just boils down to what you and your business need and how much you are willing to spend to secure your passwords.
Stronger password: ✓
Password manager: ✓
Now that you have a stronger password and a secure password manager, what’s next? Is that it? Are you safe now?
We’d like to say yes. But there’s one more thing we should remind you of: changing your passwords regularly.
You might be scratching your head… After all that, you now want us to repeat those processes again and again and again? Well… yes.
How often should you change your password?
ETech 7 recommends that the more sensitive your data is, the more frequently you should change your password.
“There really is no ‘best practice’ when it comes to how frequently you should be changing your password,” says Emil Isanov, CEO, ETech 7. “For us at ETech 7, the more sensitive information you have, the more frequently you should change it. Even our senior IT technicians would advise you to at least change it once a month if it involves sensitive financial information.”
If you search “how frequently should you change your password”, you will find a lot of different websites telling you to change your password every 30, 60, or 90 days. Some articles will even scare you into thinking that if you haven’t changed your password in more than 90 days, you are more likely to get hacked. However, it really depends on what you and your company need.
Here at ETech 7, while we're all about strengthening your passwords, we put less emphasis on how often you should change them. Why? Because we would rather you put layers and layers of security measures in place to better protect you.
As a managed IT services provider, our focus is to handle everything IT-related so you don’t have to. Managed IT services providers exist to help your business cover your IT needs! Our services vary from server management, IT security, network security, server backup, and cloud management.
Bonus: What are the simplest things you can do to protect your passwords?
If you want to know more about how a managed IT services provider could protect your business, ETech 7 offers a free network check for your business. Click HERE to find out more.