Building a Secure P@$$w0rd

ITConsultingPhoto_PCnet

It seems we can’t go five minutes without some major brand announcing they’ve had a data breach and all of your information is floating around an ominous (but real) entity known as the dark web. Even if your information isn’t acquired as a result of a massive data breach, you can certainly think of at least one time when a friend, family member, or professional colleague sent out a mass SOS to alert their contacts that their email had been hacked.

The bad news is, everyone who is connected to the internet is at-risk. There are some safeguards that can be put in place, such as two-step verification (if your email provider offers this), secret image or word confirmations, identity-specific questions, and so forth that can and do offer protection from identity thieves. If you do nothing else, be sure to assign your accounts with a complex password. In 2018, we should be well beyond leaving off numerals or special characters, and for the love of Pete, your password should never, ever be “password”. Please.

So where do you start? Remember, not only does your password have to be secure, but you need to be able to recall.

First—one of the best ways (as an employer) to prevent data breaches is not necessarily to require frequent password changes, as associates will often recycle a variation of a previously used password, rendering the practice more or less meaningless. And it’s no wonder why employees would do this—with the level of complexity that most passwords demand, this is kind of like asking each employee to instantly memorize a new phone number every 30 to 90 days. The better way to prevent breaches is to monitor the activity on the account. Did Susie Q really try to login into her company email at three in the morning? Ask her. If yes, you’re good. If no, it might be time for a password change.

Second—be technical over complex. According to the NCSC (National Cyber Security Centre), the long, complicated passwords frankensteined together with multiple character types are somewhat counterintuitive because people, when it comes down to it, are predictable. Such as replacing the letter O with a zero. These strategies are predictable and place a lot of burden on the user with minimal benefit to the overall security. Worse, the people you’re trying to keep out are well aware of your security workarounds. They will then use a combination of frequently used words and character substitutions to undo your gloriously long password.

So what can employers do?

Lock it up. If a user fails to enter the correct password after a certain number of attempts (no more than ten), then lock the account.

Take away certain words—particularly if they’re frequently used. Forbes has a list of frequently used passwords as of December 2017, which includes everything from “letmein” to “monkey”, “starwars”, and, yes, our old frenemy “password” (and its accomplice, “123456”).