Last week, Google revealed that millions of user passwords had been stored in an unencrypted, unprotected plain-text format—for the past 14 years. The bug is exclusive to G Suite, formerly known as Google Apps: Google’s collection of cloud computing, productivity, and collaboration tools designed specifically for corporate users.
The password security issue wasn’t a huge disaster, however. The plain-text passwords weren’t stored on the Internet, instead living on Google’s own secure servers. The flaw existed only in Google’s G Suite password recovery mechanism, which allows enterprise administrators to manually reset login credentials. And the tech giant emphasized that there’s no evidence that the unhashed passwords were breached or compromised. But Google did change the way that G Suite admins handle protected information, sending out a list of impacted users and making sure they all reset their passwords.
Even though Google’s announcement stressed the fact that these passwords weren’t publicly shared, the news arrives at a particularly precarious time for online security. In March, Twitter recommended that all 330 million of its users change their passwords thanks to a data breach. Shortly thereafter, Facebook revealed that hundreds of millions of passwords were stored in a similarly unencrypted fashion. And Instagram was forced to admit that the problems at Facebook, its parent company, affected millions of users of the popular photo-sharing app, too.
So what can you do to make sure your passwords are actually protected?
1) Don’t assume that any old passwords are still secure today.
Many of the security issues outlined above affect older, less secure passwords. If you’re still using a variation of something as simple as “password123” as your preferred login, it’s time to make a change—especially if you use the same password to log in to multiple accounts.
2) Follow the latest NIST guidelines for password security.
At the end of 2018, the US Department of Commerce’s National Institute of Standards and Technology (NIST) released new Digital Identity Guidelines recommending a shift away from password complexity and toward user friendliness. The NIST guidelines now call passwords “Memorized Secrets” and recommend that users create long passphrases that are easy for them to remember instead of convoluted strings of nonsensical numbers and letters. The use of special characters—!, @, #, $, %, and the like—is still recommended by the guidelines, and they encourage online platforms and accounts to allow log-in credentials to stretch up to 64 characters to support the use of such long passphrases.
3) Enable two-factor authentication.
Two-factor authentication combines something you know (your standard password) with something you have (a unique code delivered via text message or email, a fingerprint scanner, or another type of application that requires verification to login along with your password). Consider this two-tiered login system another layer of protection that works to secure your accounts and your online information.
4) Work with a trusted IT provider to conduct a cybersecurity assessment.
Unsure about the levels of protection that surround your computers, servers, networks, and other IT infrastructure? A trusted IT provider like CMIT Solutions can initiate a cybersecurity assessment that’s scaled to your specific business needs. Our assessments take into consideration the size and complexity of your company and the regulatory requirements faced by certain industries. There is an art to right-sizing security assessments for small business and we understand the delicate balance. CMIT starts with a general questionnaire that then escalates into a comprehensive security diagnostic to identify any gaps in your security and implement policies and procedures to plug them.
5) Protect your online identity.
Cybersecurity threats come in many shapes and sizes: password breaches like the Google one described above, spam emails with infected attachments and illicit links, ransomware, malvertising, and more. At CMIT Solutions, we consider employee training to address and prevent such threats a critical first line of defense for your business’ online identity.
6) The next layer of security? Back up your data.
Automated data backups provide peace of mind by saving a second copy of important files in a remote location. Many people think that backing up data to an external drive on your desk or a USB drive you carry with you is sufficient, but data loss is far more common than most people think. All it takes is one natural disaster, one coffee spill, one inadvertent device loss, or one accidental click on a malicious link to compromise the information that is critical to your business success.
That’s why CMIT Solutions stays on top of cybersecurity news, addressing new issues and fresh threats every day. We take the protection of your data, your hardware, and your business seriously, so if you’re unsure about the security of your passwords or the state of your IT infrastructure, contact us today.