Passwords are one of the first critical barriers between a person, a threat actor and a successful cyberattack. One of the most common mistakes that people make is reusing the same ID/email address and password across multiple sites and devices. Password reuse is exacerbated by the increasing volume and success rates threat actors are reaping with advanced credential phishing campaigns that use fake websites resembling the login page of a legitimate online service to steal usernames and passwords.
We recommend consumers use different passwords, especially on critical financial and data-driven accounts. Be sure to turn on multi-factor authentication (MFA) if available for as many accounts as possible. If MFA is not an option for the account, use a password manager. A password manager creates randomized passwords that are safely stored, encrypted, and accessible across all personal devices and reduces the burden of trying to remember complicated login credentials across multiple websites. If you use a passphrase as part of your password, make sure you never use common words or phrases, names or dates associated with you or direct family members. It’s also best to change all passwords twice a year and change business passwords every three months.
Since 90% of cyberattacks require human interaction to be successful, it remains important for businesses to implement a people-centric approach to security. Ensure that both your remote and in-office employees receive training and education on basic cybersecurity best practices, including how to identify a credential phishing attempt and how to securely manage passwords.”
Additional Password Management & Creation Tips
1. Use multi-factor authentication (MFA) for as many accounts as possible. The basic concept is to use two forms of ‘evidence’ that validate an identity before access is granted, increasing account protection. For example, when you sign into your account, you will receive an alert to your phone requesting confirmation in order to log in. This approach frustrates the automated systems threat actors use to guess passwords or when plugging in stolen passwords.
2. Use a secure password management application that can recall multiple passwords and automatically inputs them when needed. Using a password management application removes the need to remember and juggle multiple passwords, which makes users more inclined to use more secure and longer passwords.
3. When it comes to password creation, avoid common words, phrases, names, and dates associated with you or direct family members. Threat actors can easily cross reference any data captured on you to arrive at the correct combination to break into your accounts. You should also change personal passwords twice a year and avoid reusing passwords across accounts. For business passwords, we recommend every 3 months and putting an automated system policy in place that places a deadline on refreshing passwords. That policy can determine passwords requirements and prevent recent passwords from being used.