Hold it right there!
You've likely heard it before, but here it is again: never give your password to anyone, for anything, for any reason. Below I'll discuss password hygiene and a few other security measures that go with it.
But my IT person said they need it!
No, they don't. If it comes down to it, they can reset it to a temporary password they know, and you change it the moment you log in. In a properly managed environment, that reset leaves an audit trail. Otherwise, they can have you type it in yourself. In a remote support session, there are tools that handle authentication properly without the technician ever seeing your password. If your IT staff is constantly asking for personal passwords, I know a guy that can help. Never, under any circumstances, disclose your password over the phone to a caller who requests it. No story, no matter how legitimate it sounds, should prompt you to disclose authentication information.
A visual representation of someone calling and requesting your password.
Password Hygiene
So, what makes a good password? At a minimum, a good password is one that you can remember (without writing it down!) or keep in a password manager, and that meets the site's password requirements.
Password Structure
Research says that longer passwords are more secure than shorter complex ones. Without getting too math-y, every extra character multiplies the number of candidates an attacker has to try, so length adds entropy faster than swapping a letter for a symbol does. Long passwords are also harder to guess for people who know you, provided they are not built from facts about you.
So instead of a short jumble of symbols, consider using passphrases. A passphrase is a string of words (like a sentence) that is easy for you to remember and not easily guessed by a person or a machine.
For instance:
- 10 Character Random Password: k	FG%V
- Nice and complex
- Instantly forgotten
- High likelihood of ending up on a sticky note (very bad)
- Guessable by machine in 8 hours (howsecureismypassword.net's estimate, which assumes brute force over the full character set at a fixed guess rate)
- 26 Character Passphrase: I like oatmeal on Mondays!
- Not overly complex
- Very memorable for the creator
- No need to write down
- Guessable by machine in 100 nonillion years (yes, that's a real number unit: 10^30) if the attacker brute-forces it character by character. An attacker who tries common words and phrases instead does far better, so avoid song lyrics, quotations and anything else that appears in print.
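To make the entropy argument concrete, here is an added Python example; it is not part of the original post. It computes the entropy of random passwords and of randomly generated passphrases, converts that into a time to exhaust the search at an assumed guess rate, and estimates the 26-character phrase above under two attacker models: raw character brute force (the model behind the 100-nonillion-year figure) and a word-level guess over a vocabulary of common words. The guess rate (10^12 per second), the 20,000-word vocabulary, the 10 punctuation options and the toy wordlist are assumptions chosen for illustration, not figures from the page.

```python
import math
import secrets

SECONDS_PER_YEAR = 365.25 * 86400
PRINTABLE_ASCII = 94        # printable ASCII symbols excluding space
DICEWARE_WORDS = 7776       # size of a standard Diceware list (6^5)


def random_password_bits(length: int, charset_size: int = PRINTABLE_ASCII) -> float:
    """Entropy in bits of a password whose every character is drawn uniformly
    at random from charset_size symbols."""
    return length * math.log2(charset_size)


def passphrase_bits(word_count: int, wordlist_size: int = DICEWARE_WORDS) -> float:
    """Entropy in bits of a passphrase whose words are drawn uniformly at random
    from a list of wordlist_size words. Only holds for random selection; a
    phrase you made up or quoted from somewhere has less."""
    return word_count * math.log2(wordlist_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years to try every candidate at the given guess rate. An attacker finds
    the right one after half the space on average."""
    return 2.0 ** bits / guesses_per_second / SECONDS_PER_YEAR


def generate_passphrase(wordlist, word_count: int, sep: str = " ") -> str:
    """Build a passphrase with the OS CSPRNG (secrets), never random.choice().
    Picking the words yourself, or lifting them from a sentence you already
    know, is what makes phrases guessable."""
    return sep.join(secrets.choice(wordlist) for _ in range(word_count))


def phrase_estimates(phrase: str, guesses_per_second: float = 1e12,
                     vocab_size: int = 20_000, punct_options: int = 10) -> dict:
    """Estimate a human-written phrase under two attacker models.

    brute_force: the attacker tries every printable string of that length.
    word_model:  the attacker tries sequences of common words from a
                 vocab_size vocabulary, ending in one of punct_options marks.
    vocab_size and punct_options are illustrative assumptions."""
    word_count = len(phrase.split())
    brute = random_password_bits(len(phrase))
    wordy = passphrase_bits(word_count, vocab_size) + math.log2(punct_options)
    return {
        "brute_force_bits": brute,
        "brute_force_years": years_to_exhaust(brute, guesses_per_second),
        "word_model_bits": wordy,
        "word_model_years": years_to_exhaust(wordy, guesses_per_second),
    }


if __name__ == "__main__":
    rate = 1e12  # assumed offline guess rate against a fast hash
    bits10 = random_password_bits(10)
    print(f"10 random chars:      {bits10:5.1f} bits, {years_to_exhaust(bits10, rate):.2g} years")
    for n in (4, 6):
        bits = passphrase_bits(n)
        print(f"{n} Diceware words:     {bits:5.1f} bits, {years_to_exhaust(bits, rate):.2g} years")
    est = phrase_estimates("I like oatmeal on Mondays!", rate)
    print(f"phrase, brute force:  {est['brute_force_bits']:5.1f} bits, {est['brute_force_years']:.2g} years")
    print(f"phrase, word model:   {est['word_model_bits']:5.1f} bits, {est['word_model_years']:.2g} years")
    # Constructed toy wordlist; a real list has thousands of entries.
    print(generate_passphrase(["oatmeal", "monday", "kettle", "harbor", "violet", "ledger"], 5))
```

The two estimates for the oatmeal phrase differ by roughly a hundred bits: the brute-force model gives a figure in the same astronomical range the page quotes, while the word model lands around 75 bits, which is still plenty against offline guessing but nowhere near 10^32 years. The lesson is that the number a strength meter prints depends on the attacker model it assumes, and real attackers assume words.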
Password Re-Use
So, you have the same (or a similar) password for most logins? "Sweet!" say the hackers, ransomware scum, and other bad actors. It won't take long before you're fully pwned.
Best practice is to never use the same password twice. When a big data breach happens, the leaked usernames and passwords are traded and sold, and attackers then try those same email/password pairs against every other popular site (this is called credential stuffing). If that password is unique to the breached site, you don't have to go running around changing all the others.
Password Managers
So... now that you're on your way to creating unique passphrases for every resource, how do you keep them straight? A password manager!
A password manager is an app that allows you to keep track of all your passwords. Once you authenticate to the password manager, you can access all of your stored passwords.
There are a multitude of password managers out there. Some are local desktop apps. Some have mobile apps that can sync with the desktop. Some are cloud based and available anywhere. If you are super security conscious, you might choose a password manager with no cloud or sync ability. For added convenience, choose a cloud-based manager from a highly reputable company. Here are a few of the more popular password managers:
- LastPass
- Free and paid plans
- 2-factor authentication
- Selective sharing with multiple users/families
- Cloud based, access from anywhere, any device
- 1Password
- Paid
- Cloud based, access from anywhere, any device
- 2-factor authentication
- Lots of apps/platforms.
- KeePass
- Free, Open Source
- Offline- local file based
- DashLane
- Free and paid plans
- Selective sharing with multiple users/families
- Cloud based, access from anywhere, any device
- Your antivirus/security software
- Many of the most popular antivirus vendors (Trend Micro, Norton, McAfee, etc.) include a password manager bundled with their security software. Look for the option when you install.
This is not an exhaustive list and each have a ton of features not listed here. See which one suits you best.
Password Age
In the old days, the standard advice was to force frequent password changes: keep the passwords fresh and keep the attackers guessing. Some "highly secure" business environments force a change as often as every 30 days.
Security research indicates this weakens security overall, and current guidance (NIST SP 800-63B) says verifiers should not require periodic changes at all, only a change when there is evidence of compromise. The reason is mostly how humans behave when made to pick a new secret every month.
Look again at the password structure section above. If your password is like the first example, changing it regularly makes some sense. If it would take a machine 100 nonillion years to guess, it will comfortably last a year or more; what should trigger a change is a breach notice, a leaked database, or any sign the password has been seen, not the calendar.
Frequent forced changes also push users toward serialization: changing only the number at the end of the same password (HappyPass1!, HappyPass2!, and so on). An attacker who has seen HappyPass3! will try HappyPass4! first. Changing passwords too often also increases the chances of the password being written down, which is not desirable.
MFA (Multi-Factor Authentication) aka: 2FA (Two Factor Authentication)
If you're given a choice, always enable MFA/2FA. This adds a second means of verification: an authenticator app (Google Authenticator, Microsoft Authenticator, etc.) that generates a time-based one-time code, a hardware security key, or a one-time code sent by text message or email. That way, even if someone has your password, they still need your phone, key or inbox to continue. An authenticator app or security key is stronger than a code sent by SMS or email, which can be intercepted or redirected, so pick the app or key when the service offers it. A code or approval prompt that shows up when you're not trying to log in means someone already has your password: deny it and change the password. Never share an MFA code with anyone, ever; a code read out to a caller works for them just as well as it does for you. Adding MFA/2FA to your accounts radically increases their security and is highly recommended.
TL;DR:
Create and use passphrases, never give your password/passphrase to anyone, never use the same password twice, and use a reputable password manager. Enable MFA/2FA whenever you can. If you're in an admin position, don't force password changes on a schedule; require them when there's evidence of compromise.