Passwords: Your first line of defense
Benton, Kentucky (July 12, 2023) - Cyberattacks against large and small organizations are rising rapidly. As our reliance on the internet and technology increases, so does the rate and severity of these attacks. Weak and easy-to-guess passwords are often to blame. While many things can be done to stop cybercrime against both businesses and individuals, the first and most effective step is to create strong, unique passwords.
Countless examples exist of data breaches that were due to poor passwords. The massive SolarWinds attack was in part due to a weak password. Microsoft, GoDaddy, New York City Law Department, Anthem, and Ticketmaster have all been victims of data breaches due to inadequate or stolen passwords.
Too many people assume they don't have to worry about making their passwords strong if they aren't system administrators or specifically in charge of sensitive information. Wrong. Gaining access from any user can be a starting point for a hacker. That’s why it’s important for everyone in an organization to create strong and unique passwords.
We understand that this process can be daunting, so below we share some tips for creating secure passwords.
1. Do not reuse passwords:
Regardless of the account type, it is essential never to reuse passwords. When passwords are leaked in a data breach, those passwords are quickly sold on the dark web. Once a hacker has them, they will try those same credentials on sites all over the web. If you are reusing a password, you increase your chances of becoming a victim.
2. Length does matter:
Guidance from the National Institute of Standards and Technology (NIST) now recommends that passwords should be at least 14 to 16 characters long. Every additional character makes a password harder to guess. You can enter a potential password on the website www.howsecureismypassword.net and it will estimate how long it would take a cybercriminal to crack it. This helpful site will also show you how much more secure your password becomes by adding just one additional character.
A long password can be hard to remember (how to manage passwords will be discussed in a future blog). However, NIST guidance also states that if you can choose a long, unique, complex password of at least 14 to 16 characters, you won't be required to change it at regular intervals unless it’s part of a data breach.
3. Passwords should not be common words/phrases:
Longer passwords are often called passphrases because they string together whole words rather than individual characters. While the length of a password is important, it is also important to choose one that is not found in the dictionary and is not a common phrase.
For example, if you’re required to have an 18-character password, "Houstonwehaveaproblem!" would appear strong at 21 characters, but since it is a famous quote from a movie, it would not meet that standard.
Ideally, your password should not be easily found in the dictionary, but it can still be OK if you combine words or structure them in a way that wouldn't make sense. For example, a strong password could be "bluehorsesfiveAugustfootball." Those are five separate words in random order, and a total length of more than 20 characters, yet it is still easy to remember.
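The three tips above can be enforced in code. The following is an added example, not part of the original post: a small policy check that rejects a password found in a (constructed, hypothetical) leaked-password list, one shorter than the 14-character minimum, or one that matches a (constructed) list of well-known phrases, so that "Houstonwehaveaproblem!" fails while "bluehorsesfiveAugustfootball" passes.

```python
# Added example: a minimal password-policy check for the three rules in this post.
# Both blocklists below are constructed sample data, not real breach or phrase lists.
import hashlib

MIN_LENGTH = 14  # the low end of the 14 to 16 character minimum the post cites

# Rule 1 (no reuse): constructed sample of "known leaked" passwords, stored as
# SHA-1 digests so the check never needs the plaintext list in memory.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest()
    for p in ("Summer2023!", "Password12345")
}

# Rule 3 (no common phrases): constructed sample of famous quotes, normalised.
COMMON_PHRASES = {
    "houstonwehaveaproblem",
    "maytheforcebewithyou",
    "tobeornottobe",
}


def normalise(pw: str) -> str:
    """Lower-case and keep only letters, so 'Houstonwehaveaproblem!' matches its phrase."""
    return "".join(ch for ch in pw.lower() if ch.isalpha())


def check_password(pw: str) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if hashlib.sha1(pw.encode("utf-8")).hexdigest() in BREACHED_SHA1:
        problems.append("appears in a known breach; it has been leaked or reused")
    if len(pw) < MIN_LENGTH:  # Rule 2 (length)
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if normalise(pw) in COMMON_PHRASES:
        problems.append("is a well-known phrase or quote")
    return problems


if __name__ == "__main__":
    for candidate in ("Summer2023!", "Houstonwehaveaproblem!", "bluehorsesfiveAugustfootball"):
        result = check_password(candidate)
        print(candidate, "->", "OK" if not result else "; ".join(result))
```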
Once you have implemented a strong and unique password, the next step will be to use two-factor authentication. Be sure to check back for more about that topic in a future blog.
Security experts routinely encourage businesses to implement strong password management, but few listen. History has taught us that most user passwords are typically weak and make easy attack points for hackers, since most users access computers outside a local network. A strong password policy is a free and quick way to make your company's security position stronger.
About the Author: Michael Ramage is the Connected Nation Strategic Broadband Advisor. Michael provides consultative services in support of CN’s federal BEAD and DEA grant related activities and deliverables. These include but are not limited to state and community action plan development, policy interpretation and/or creation, grants administration, community engagement as well as digital equity and inclusion (DEI) programming.