So we’ve all been told by IT that passwords need changing frequently, need to be more secure, need to be longer or more complex, need to be different for every platform we use, need to exclude personal information, and so on, or have at the very least seen or read about it. But have you ever stopped to think about why? As with any problem that requires solving, it is best to understand the reasoning behind the problem before tackling the solution. So here are a few examples of why IT keep bugging you about passwords.

Change Frequency

The ever-growing list of companies and organisations that are breached and have their data leaked online is a security factor that you can’t control. You trust companies to protect your data, including details such as your email address and your password. But breaches happen. It’s not like you can wipe the stolen and leaked data from the face of the Internet (as the saying goes: once it’s on the Internet, it’s eternal). Companies like LinkedIn, Facebook, even your local councils are susceptible to hackers, leaving their databases exposed to the Internet. You can’t risk having the same email and password combination from previous years in use on any sites today, as this leaked information is available to hackers for little to no cost. Are you worried about your credentials? Check out www.haveibeenpwned.com and see when you were exposed.
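The reason a leaked password is dangerous years later is that attackers compare hashes of your old credentials against every site you use. The check that haveibeenpwned.com offers for passwords works the other way round, and safely: the snippet below is an added example (not code from the original post) of its k-anonymity scheme, in which only the first five hex characters of the password’s SHA-1 hash are disclosed and the matching is done locally. The range response, its second and third suffixes and all breach counts are constructed for this example so it runs offline; a real response has the same `SUFFIX:COUNT` line format.

```python
"""Offline demonstration of the Pwned Passwords k-anonymity check.

The client computes SHA-1(password), sends only the first five hex
characters, receives every known hash suffix sharing that prefix, and
matches the remaining 35 characters locally. The password itself never
leaves the machine.
"""
import hashlib

PREFIX_LEN = 5
RANGE_ENDPOINT = "https://api.pwnedpasswords.com/range/"

# Constructed stand-in for the service's reply to GET .../range/5BAA6.
# The first suffix is the real SHA-1 tail of "password"; the other two
# suffixes and all three counts are made up for this example.
SAMPLE_RANGE_BODY = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1F8A9D4C7B2E0F3A6D5C8B7A9E0F1D2C3B4:2
2A7B4C1D9E8F0A3B6C5D4E7F8A9B0C1D2E3:17
"""

def hash_prefix_suffix(password: str) -> tuple[str, str]:
    """Uppercase hex SHA-1 of the password, split into (prefix, suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]

def range_url(password: str) -> str:
    """URL a client would fetch; only the 5-character prefix is disclosed."""
    prefix, _ = hash_prefix_suffix(password)
    return RANGE_ENDPOINT + prefix

def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; skip malformed lines."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.strip().isdigit():
            counts[suffix.upper()] = int(count)
    return counts

def breach_count(password: str, range_body: str) -> int:
    """Times the password appears in the range response (0 = not found).
    In real use range_body is the reply for this password's own prefix."""
    _, suffix = hash_prefix_suffix(password)
    return parse_range_response(range_body).get(suffix, 0)

def acceptable(password: str, range_body: str) -> bool:
    """Policy used by many sign-up forms: reject any password seen in a breach."""
    return breach_count(password, range_body) == 0

if __name__ == "__main__":
    for pw in ("password", "Tr0ub4dor&3-constructed"):
        print(pw, "->", range_url(pw), breach_count(pw, SAMPLE_RANGE_BODY))
```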

Password Complexity

You can’t keep adding or incrementing numbers at the end of your password until the end of days: either password policies will catch on and demand more complex passwords, or you’ll run out of numbers. I could suggest you invent a password using words from memories or personal objects that, on their own, are meaningful, but when combined, look abstract to an outsider. Doing so would “beef up” your password complexity, but we don’t have hours to spare these days inventing new passwords every other week. Try www.DinoPass.com and click on the “advanced” button. It’ll generate a complex enough password for most security policies. If that isn’t complicated enough, you can generate a more intricate password here.

Too Many Passwords

There’s no easy way around this; the best practice against data breach exposure and exploitation is to ensure each system you sign in to has a separate password. But for the sanity of IT professionals everywhere, stop writing passwords down. No text files or notepad files in plain text, no post-it notes, not even a scribble in the back of your super-secret little black diary you keep at the back of your desktop drawer (yes… that one… we know it’s in there). Understandably, having hundreds of passwords to keep track of is frustrating; however, they’re not worth having at all if you’re going to make them easy to discover. You wouldn’t put the keys to the Bank of England under the welcome mat, so don’t do the same with your company data!

We get it; passwords are becoming a pain in the derriere, so what can we suggest to help you out here? The solution is simple and has been touted many times before at IT security webinars, but it needs reiterating because you all forget to give this a try: Password Managers!

There’s a fair few to choose from, and while we can’t decide for you, we can help break some of the choices down for you. The most influential factor in any software you consider using is cost. If it’s free, then it’ll likely be open source, and if it’s open source, can you trust the platform to protect your data? We don’t think so. So avoid them! Big names that come under free solutions are Myki, LogMeOnce, BitWarden, PassHub, EnPass and KeePass, and we’d stay away from all of them.

The next consideration is whether you intend to use this for yourself only or if you need to deploy a solution that encompasses your entire business. If it’s the latter, Keeper is our recommendation. It allows defined “admin” users to control the whole platform, bundle websites and other platforms together under separate containers, and control which users can access shared credentials. It also simplifies the leaver process, as Keeper identifies which passwords a user leaving the business had visibility of and suggests password changes with a few clicks. Other staff aren’t interrupted by this change, as the Keeper software inputs passwords for users.

If an enterprise-grade password management solution is too much for you, there are three leading vendors we’d suggest: RoboForm, LastPass and DashLane. These all offer simple-to-use, collaborative solutions that can be extended to additional users if you wish to provide your staff with a password management solution in a less controlled state, making them ideal solutions for SMEs. They also allow cross-platform synchronisation, so all the passwords you use when at your desk are at your fingertips when you’re stuck browsing on your phone. These providers have “free” versions, but they’re limited in functionality, typically with limits on the number of devices, users and passwords they’ll store.

A final mention goes out to Two-Factor Authentication. Any opportunity to enable 2FA (also dubbed Multi-Factor Authentication, or MFA) is worth taking. We provide 2FA solutions for a variety of platforms via Duo. Google Authenticator is highly rated. In some instances, you’ll be forced to use authenticators created by the software vendor you’re using, such as Microsoft Authenticator (for the protection of Office 365). If you feel behind the times with 2FA, please call us on our IT Helpline at 0333 323 2667, fill out our contact form or email us at helpline@cfcuk.co.uk, and we’ll gladly provide you with some of our insights.