How to have good password hygiene
This post is part of the Practical email security guide series.
Truth be told, your grandmother’s strategy of writing down all her different passwords on a post-it note might be a better strategy than having one password you use everywhere. At least grandma had multiple passwords!
Password hygiene, the act of doing a little upkeep and keeping things neat and tidy, really only requires the use of a good password manager. Password management is built into every major browser, but a browser vault is a form of lock-in that is cumbersome to leave if you later switch browsers or platforms. For instance, passwords stored in iCloud Keychain do you no good if you switch to Android a few years from now.
Use a third-party password manager instead. You want one that ticks a few boxes:
- Is open-source and not proprietary, or at least publishes the bulk of its source code. Open code lets independent researchers hunt for vulnerabilities and confirm that the encryption is implemented the way the vendor describes, rather than everyone having to take the vendor's word for it.
- Syncs through the cloud. Any reputable manager encrypts your vault on your own device, with a key derived from your master password, before anything is uploaded, so neither the app's developers nor someone who breaks into their servers can read your logins without that master password. The flip side is that the master password is the one password you must make long and genuinely unique, because a stolen encrypted vault can be attacked offline at leisure.
- Is cross-platform, with mobile apps, desktop apps, browser extensions for all major browsers, and a web vault if possible. This way, if you switch phone manufacturers, move from Windows to a Mac, decide to switch from Chrome to Safari, or are simply at a library or hotel using someone else's computer, you can still get at your passwords.
Some good examples include LastPass, 1Password, and Bitwarden. Most major password managers charge a monthly or annual subscription for their full feature set (Bitwarden, for one, also offers a usable free tier). The subscription is a good thing: you need the developers to have a sustainable, well-funded business, because this is critical data. Think of it like a bank for passwords. Would you trust your money to a bank that doesn't make enough money to keep itself running?
Using different passwords for different email accounts
Password managers will suggest new passwords for logins you create. If you've never used one before, it will take a while to replace your old, reused passwords with generated ones. But like going to the gym every day, within a year or two you have measurable results.
However, in the short term you want all of your email accounts to have strong, unique passwords right away, so change those first. Your email is the gateway to "I lost my password" reset emails: anyone who gets into your inbox can search it to find your bank, PayPal, website usernames, Amazon access and more, and reset each of them with a few clicks.
What is a strong password?
A strong password is one that is long (at least 16 characters) and random, drawn from letters with varying capitals, numbers, and symbols, like Z3R_a$U<sqv9H~Eh. Length and randomness are what matter: sixteen characters picked by a password generator are far stronger than sixteen characters you assembled from a word, a year, and an exclamation mark, even though both tick the same "numbers, symbols, and capitals" boxes.
Of course, you won’t remember that. But a good password manager will, and it’ll automatically fill in the details on sites you visit as you visit them. You’ll probably wonder what took you so long and how much time you wasted manually typing in the same password over and over when you get used to it.
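As an added example, not code from the original post: the Python below generates a password the way a password manager does (uniform draws from a cryptographic RNG), computes the entropy that such a random choice gives, and contrasts it with the post's "16 characters, numbers, symbols, capitals" rule of thumb, which a predictable string like Password1234567! also satisfies. The 94-character alphabet and the 1e10 guesses-per-second cracking rate are assumptions made for the example.

```python
import math
import secrets
import string

# Character set a typical password manager draws from: the 94 printable ASCII
# characters (letters, digits, punctuation). Assumed for this example.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Draw each character uniformly with a cryptographic RNG.

    `secrets` is the right module for this; `random` is predictably seeded
    and must never be used for credentials.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet_size).

    This only applies to passwords that really were chosen at random; a
    human-chosen string with the same length and character classes has far less.
    """
    return length * math.log2(alphabet_size)


def expected_crack_years(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected brute-force time: half the keyspace at the given guess rate.

    1e10 guesses/s is an assumed offline rate against a fast hash; what
    matters is the ratio between password sizes, not the absolute figure.
    """
    seconds = (2 ** (bits - 1)) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def meets_page_rule(password: str) -> bool:
    """The post's rule of thumb: 16+ chars with digits, symbols and mixed case.

    A useful floor, but predictable strings satisfy it too (see the demo),
    which is why the generator above should do the choosing.
    """
    return (
        len(password) >= 16
        and any(c.isdigit() for c in password)
        and any(c in string.punctuation for c in password)
        and any(c.isupper() for c in password)
        and any(c.islower() for c in password)
    )


if __name__ == "__main__":
    pw = generate_password()
    print("generated:", pw, "passes rule:", meets_page_rule(pw))
    for n in (8, 12, 16):
        bits = entropy_bits(n, len(ALPHABET))
        print(f"{n} random chars: {bits:5.1f} bits, ~{expected_crack_years(bits):.3g} years")
    # Passes the checklist, but it is a dictionary word plus a counter and a
    # '!', so a cracker's wordlist rules find it in seconds.
    print("Password1234567! passes rule:", meets_page_rule("Password1234567!"))
```

Run it a few times and note that every generated password passes the rule almost always without trying to; the rule is a side effect of randomness, not a substitute for it.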
Avoid forced password reset periods
If you work with a corporate IT department, it’s likely your workstation, email, or company login requires a forced password reset every 30 days.
Most companies, most of the time, should do away with these forced resets; NIST's Digital Identity Guidelines (SP 800-63B) likewise advise against routine expiry and recommend changing a password only when there is evidence it has been compromised. Under forced rotation, most users instinctively pick a short password, because a password manager can't type the one they need to log in to the computer in the first place, and they have to enter it several times a day. When a reset comes due, they just add a "1" or "!" to the end, for as long as they work there.
There are some places where a longer reset period makes sense. Healthcare and educational facilities may find a 90-day reset more appropriate, which cuts the number of annual password changes from 12 to 4 while still limiting how long a password glimpsed by non-authorized staff stays useful. Note that rotation is not the right control for retired, terminated, or past employees: their accounts should be disabled the day they leave, not left to expire on their own.
Using two-factor authentication
IT departments and individuals that want to drop the password reset period entirely can do so by pairing long, unique passwords with two-factor authentication. This is sometimes confused with two-step verification or two-step authentication. The two are similar, but have distinct differences.
What’s the difference between two-factor authentication and two-step authentication?
Two-factor authentication (sometimes "multifactor authentication", or 2FA for short) requires proof from two different categories: something you know (your password) plus something you have (a phone running an authenticator app, or a hardware key) or something you are (a fingerprint). Two-step authentication is the term usually applied when the second step is a code or link that a service sends you by text message or email.
Two-factor is more secure. It is like going to the Motor Vehicles branch, where they require two different kinds of proof of who you are, such as a previous ID plus a passport or a military ID.
Two-factor authentication is the best kind of protection and uses an app like Authy or Duo to generate a second, short-lived code you enter after your username and password. These codes are computed on the phone itself from a secret shared when you enrolled, and they typically change every 30 seconds, so you always need your phone or the app nearby.
Two-step authentication, where the code or link is delivered by text message or email, is less secure than two-factor because the code travels over a channel an attacker may already control. If your email is compromised, the one-time password Amazon emails you is useless as security: the attacker reads it from the same inbox you do.
(Why would it matter if someone got into your Amazon account? Because your credit card is stored there, and they could buy hundreds or thousands of dollars' worth of gift cards or high-value items like MacBooks and have them shipped to their own address without you knowing.)
Why use either of these systems? Because your username is often public knowledge, visible in account names, email addresses, and so on, and a password, once lost or stolen, protects nothing. So having two-factor on important accounts like your bank, your email, and anything with access to a database of sensitive information is ideal: even if your username and password are compromised, an attacker still needs the phone in your pocket, and needs it unlocked.
Want more? Check out the rest of this email security series.
Does your team need some cybersecurity help?
VPC can conduct onsite, interactive, tabletop, and virtual cybersecurity training and audits that go beyond email security.
We’ve worked with the Midwest’s largest governments, enterprises, and healthcare providers to audit, protect, and train organizations to react and respond to malware, ransomware, cybersecurity, and more.