Passwords serve as the most important layer of security protecting our digital identities, regulating access to our financial accounts, our social media platforms, our email inboxes, and our online purchases. And every May, World Password Day highlights the importance of better password habits.
But no matter how much publicity surrounds major password hacks, many of us still use the same simple credentials for multiple logins. A recent survey found that millennials in North America are particularly guilty, duplicating passwords on as many as 50 accounts. A recent scan of the dark web collected two billion passwords being traded and sold. And a majority of them contained sports organizations, songs, and pet names—all information that’s easily discovered on the Internet.
Why are weak passwords a big deal? Because cybercriminals continue to exploit them to gain access to users’ accounts. In 2019, Twitter encouraged all of its more than 300 million members to change their passwords thanks to a data breach. Facebook and Google then revealed that hundreds of millions of passwords were stored in an unencrypted, text-only fashion. Instagram admitted that the problems at Facebook, its parent company, affected millions of users of the immensely popular photo-sharing app, too. And in 2020, password breaches continue to make news, most recently when the 25,000 login credentials belonging to the World Health Organization and National Institutes of Health were compromised.
So how can you protect yourself and your online identity?
1) Strengthen old passwords now.
If you’re still using a version of something as basic as “password123” as your preferred login, it’s time to change—even if the explosion of digital platforms means you’re keeping track of more passwords than you know what to do with and you don’t think you have time to create unique ones for each account. Passwords are critical, though, serving as the keys to our digital life. And you wouldn’t hand the keys to your house or your car over to strangers just because you didn’t think they were necessary, would you?
2) Use NIST recommendations to boost password security.
Two years ago, the US Department of Commerce’s National Institute of Standards and Technology (NIST) released new Digital Identity Guidelines recommending a move away from credential complexity and toward user friendliness. The NIST guidelines now call passwords “Memorized Secrets” and recommend that users create long passphrases (at least 15 characters) that are easy for them to remember instead of convoluted strings of nonsensical numbers and letters. The use of special characters—!, @, #, $, %, and the like—is still recommended by the guidelines. Consider coming up with a “core” password or passphrase that’s then bookended with distinctive characters applicable to the platform you’re using.
3) Turn multi-factor authentication (MFA) on now.
Multi-factor authentication combines something you know (your standard password) with something you have (a unique code delivered via text message or email, a fingerprint scanner, or another type of application that requires verification to login along with your password). This two-tiered login system adds an important layer of protection to your information, actively working to keep your accounts safe from cybercriminals testing out vulnerability. If you’ve ever received an unexpected text message from Google or Microsoft with a code for password recovery, that means a bad actor was probably trying to log in to your account—and couldn’t because they didn’t get the MFA code.
4) Check saved passwords for any compromises.
If you use products like Google’s password manager, you can run a test to see if any of your passwords have been compromised in major breaches like the ones mentioned above. After logging in, check the status of all passwords and look for any weak, reused, or affected ones that could stand to be upgraded. Also be careful of using basic Internet browser plugins that save your passwords for convenience—instead, consider using a password management tool that requires a master password (and, most likely, a multi-factor authentication code) for all logins.
5) Run a cybersecurity assessment with a trusted IT provider.
A deeper security check like this can inspect all the layers of protection that surround your computers, servers, networks, mobile devices, and other IT systems. At CMIT Solutions, we customize our cybersecurity assessments to the specific size of your business and its most pressing needs. A general questionnaire examines the complexity of your technology infrastructure and the regulatory requirements you might face in your industry. Then, weak points can be identified and new policies can be suggested to fix any vulnerabilities.
6) Learn how to identify password-stealing scams.
Education and training is critical to help your employees spot cybersecurity threats that come in many shapes and sizes: phishing emails with infected attachments and illicit links, ransomware, malvertising, and more. Often, the first objective of these is to see if any weak passwords are waiting to be cracked, which can then lead to more significant intrusions down the line.
7) Take the next step and back up your data.
Worried a password breach could affect your business? Regular, redundant data backups provide peace of mind by saving a second copy of important files in a remote location. Many people think that backing up data to an external hard drive or a USB jump drive is sufficient, but data loss is far more common than most people think. All it takes is one natural disaster, one coffee spill, one inadvertent device loss, or one stolen password to compromise the information that is critical to your business success.
Want to know more about how strong passwords can reinforce your overall cybersecurity strategy? Concerned about the state of your passwords but can’t find an IT provider you trust to protect them? CMIT Solutions is here to help. We worry about IT so you don’t have to, enabling your business to survive and thrive in today’s complicated digital world. Contact us today for more information.