Cybersecurity Tips | Password Hygiene
TRANSCRIPT:
Hi, my name is Dave Hatter and I'm a cybersecurity consultant at IntrustIT. I'm excited to be here on behalf of my friends from HCM today to talk to you about password hygiene, an important and timely cybersecurity topic that’ll help you, your family, and your organization be more secure.
Password hygiene gets into, “what does it mean to have a strong, unique password?”
When you talk to nerds like me, what you'll usually hear us say, “Well, you can't use the same password for multiple accounts. You need a strong, unique password for each account.” What does that really mean? Okay. In a nutshell, strong means a password that's not easily guessable. It's not something I could look up and find on about you from social media or maybe a public record search, like your wife's name, your dog's name, your kid's name, something like that. It's not something that would be a common word in an English dictionary that a cracking program could easily find. And it's not something that would be on the bad password list.
Every year, you may have seen the organizations that put out lists they'll evaluate password and data breaches to determine what are the most common passwords that people use. And each year, they'll review billions of passwords that have been leaked, and they typically put out a list of the top 25 passwords. It ends up being a lot of the same kinds of things. People use 123456, 12345ABC, that kind of thing, because as our digital lives and our physical lives become more intertwined, we have to have more passwords.
And I get that it's a pain to try to have a. strong, unique password for each account, but it's extremely critical when you have a password reuse situation, you're using the same password across multiple accounts, you're really making it easy for the bad guys to be able to break into perhaps one of your accounts and then leverage that too many accounts.
For example, if you're using the same password for your bank and your insurance company and Facebook, that's a huge problem. If you're using the same password for Facebook and your work accounts, that's a big problem. Again, what we want to do is have a strong, unique password.
There's a series of tips on the screen. I'm going to hit these real quick with a little bit of explanation for each one. Okay. And hopefully you can come away from this with a checklist of things you can do to make sure that you are applying good password hygiene to your password.
Strong password: eight or more characters, ideally you want to have letters, symbols, and numbers.
The longer the password is the stronger it is. The more permutations, the more difficult it will be to guess, or crack. I know that's painful. You might have 20, 30, 50, a hundred passwords, hard to say, right. And to come up with something like that for each one is going to be problematic. I fully understand that.
So that said, the next best thing to do is rather than use some kind of complex password that's a random series of letters and numbers is to use a passphrase. Okay. For example, you might say, what is a phrase that will be easy for me to remember, but difficult for someone to guess, or to crack? As I said before, a longer is always better.
For example, if you said, okay, I like pistachio ice cream or I love pistachio ice cream. If no one else can easily guess that about - you don't talk about pistachio ice cream on facebook or tik tok or something, right? If no one can guess that about you, then a phrase like I love pistachio ice cream with substitutions, like 1 for the letter I, 0 for the letter O, 3 for the letter E, then you can create a passphrase that's relatively easy for you to remember, but it would be extremely difficult for someone to guess, or for someone to hack. And just to crack that, to have a computer try to guess that would take a very long time simply because of the sheer number of permutations. So: strong, unique password is good, strong, unique passphrase is even better.
The other thing you can do then is use a password manager. Password manager is a software tool that will allow you to create and manage strong passwords. There are many excellent password manager software applications out there. I listed a few here, Keeper, LastPass, Dashlane, 1Password. Those are very well-known very, well-respected, very secure password manager applications. With a password manager you can simply create one strong master password. A strong passphrase. Like I love pistachio ice cream would make an excellent master password, and then your passwords are encrypted before they're ever sent to the password manager servers. It will be very secure for each site that you visit, you can generate a very very strong, unique password. You won't have to remember it. You can typically use these password managers on your mobile devices on your PC or desktop-type computer and it just simplifies your life because each time you need a new password, you can have the password manager application generate a very strong password that you will not need to remember. That's really the ultimate solution for this. Again, some of the better ones are LastPass, Keeper, DashLane. I would also recommend that before you use any password manager, if you don't have a nerdy friend like me, you can ask about it. Visit a site like ZDnet, Or Cnet, or PC magazine where they have experts and editors who regularly review this type of software and make recommendations. And you'll find LastPass, Keeper, Dashlane, and 1Password as password managers that frequently make their top five lists across all those magazines and then a few last tips.
If you want to see if your credentials have potentially been breached, you can use have I been powned website, you can simply go in there type in an email address or a phone number and see if any data has been breached around your accounts. And in many cases, it will tell you if passwords have been breached.
NIST, The National Institute Of Standards and Technology, put out new guidance. Another thing nerds like me have said for years is you should regularly change your passwords. The National Institute Of Standards and Technology recently said, you really shouldn't change your password on a regular basis. As long as you're following this other guidance, you have strong, unique passwords, and there's no evidence that your password has been breached,
there's really no need to change it on a regular basis. If you find evidence that your password has been breached or you go somewhere, like, HaveIbeenpowned.com and you find that your credentials, your username or password, show up somewhere in a breach, that would be high time for you to definitely change any credentials that show up in that breach. Again, a password manager will make it very simple to change your password. You can go into any account, let's say Facebook or your bank, and you can simply say generate new password, sync all that up, and it'll make it very very easy for you to create and manage strong passwords.
I hope this helps. I really can not recommend strongly enough that you take this advice to heart and that you have a strong, unique password for every account. And I definitely recommend that you take a hard look at password managers. I personally use LastPass. We recommend last pass at Intrust to our clients, and we use it internally. It's a good product, but there are several others.
With that, thank you very much for your attention. I hope this helps. And if you have further questions, you can easily find me online, on Twitter, or LinkedIn, and I'll be happy to help if I can. Thank you.