Some practical advice to improve your general tech security
Our world of small business operations is increasingly at risk for cyber attacks of various types, with small businesses accounting for at least half of all cybersecurity breaches. This is because smaller businesses are attractive targets: while they generally have some money readily available, they lack the resources to set up safeguards that are considered table-stakes for larger corporations. Basically, they hold some valuables in an unlocked house with no security system.
Given the risk, we have taken a proactive stance to protect ourselves against such attacks, and employee training (i.e., the newsletter, webinars, in-person training, etc.) is a significant component of this program.
While different from our usual pieces, we thought the content from our newsletter series would be of value to our broader Weekly Thoughts readership and have included a summary of our work on one topic (passwords) below. In other segments, we have discussed topics such as the importance of multi-factor authentication, and how to protect against phishing attacks. If you are interested in this type of thing, feel free to sign up directly for our ChenTech newsletter, which we recently made public.
Your Password Sucks. Here’s Why It Matters.
While we’d like to tell you passwords are not important, the reality is that they are a necessary evil and are not going anywhere any time soon. This is because malicious users have sophisticated tools that attempt to decode your password – on a website, your local computer, anywhere – using a wide array of techniques, and the “stronger” your password, the harder it is for people to break into our accounts.
Here’s why: Imagine you are a hacker, trying to figure out a password which you know has 10 characters that can be any combination of uppercase letters (26), lowercase letters (26) and special characters (32). That means you have roughly 84 possible guesses for each letter and in order to go through every combination of every letter, we’d need to go through 84^10, or 17,490,122,876,598,090,000, guesses. Which seems like a lot. And it is. Using current hardware and typical password storage techniques, it’d take somewhere in the neighborhood of several hundred years to go through all those combinations. As a result, a “strong” password is one that is generally safe from malicious attacks within a reasonable amount of time (typically decades or centuries is considered pretty safe.)
Unfortunately, passwords’ fatal flaw is that they rely on our memory for retention and convenience. If you’re like us and can’t remember the drive to work let alone a random string of 10 letters, this poses a problem since it’s easier to remember “chenmark1” than “%$ZV^HJYeq6g“. As a result, many people use well known letter combinations – a single word, patterns on the keyboard, etc – to serve as their password.
Even worse is that many people use the same words and letter combinations as other people for their passwords, often unknowingly (see here for lists of the most commonly used passwords.) When you use this type of password (i.e., “password”, “123456”, “abc123”) it reduces the cracking time for hackers from centuries to seconds.
Ok, I Get It. What Should I Do?
Here are some rules of thumb when considering a password:
- Try incorporating uppercase, lowercase, numbers and special characters into the password. When you incorporate more possibilities per-character in your password, it becomes much, much more difficult to crack.
- The more characters, the better! This often comes as a compromise between typing out long passwords and an effectively lengthy password. But we strongly recommend staying above 8-10 characters.
- Use a passphrase instead of a single password. Stringing together words into an easy to remember phrase is an easy way to achieve a long, fairly secure password. As you can see above, the more potential characters that have to be searched, the better. So the passwords “66lookoutBelow!!” or “4Purplemonkey$$dishwasher1” are significantly more secure than “qwerty” or my personal favorite, “password1”
- Use abbreviations. Passphrases still trump a shorter password because of their length, but if you cannot commit to typing out an entire phrase when you need to log in somewhere, abbreviations are a decent alternative. A common method of compromising passwords relies on a dictionary to search for words. Abbreviations are more likely to be overlooked. “IwtBot135&(“ can be a good password in lieu of typing out the entire phrase, “ItwastheBestoftimes135&(“.
- Don’t reuse the same password for different sites! You can’t control how secure different sites are. If one gets breached and a password of yours is compromised, it is common practice for malicious users to then attempt the same login on different sites, creating a cascade of compromises and a much bigger headache!
So, basically, more gibberish = more awesome password.
The crème-de-la-crème of passwords basically appear to be gibberish, a seemingly random string of characters that would simply be impossible to remember. In the Information Security business, this is called a high entropy password, which is a fancy way of describing the randomness of a password. The higher the entropy, the more apparent randomness and the harder they are to crack.
How am I supposed to remember these fancy passwords?
I get it, but I can barely remember what I had for breakfast. That’s why chenmark123 is my go to. Can you help a girl out?
Never fear! Enter, the Password Manager. There are low/no cost programs out there called Password Managers which fall into a rare category of software that both improves your security and makes things easier for you. Miracles do exist! Password Managers serve as a central repository for all the passwords you use on a day-to-day basis. But, unlike the shared Excel file you have on a server or those sticky notes on your desk, these are fully encrypted password vaults available anywhere from your computer (and even your phone!).
You may have heard of these programs before: LastPass, 1Password, KeePass, Dashlane are some of the more popular ones. We’ll let you in on a secret: they are all basically the same thing.
Most of these password managers have an application that runs on your computer and an add-on for your web browser. You create an account with a password (the only one you have to remember). Then you can create new complicated strong passwords without fear. You go through all the sites you use – where the password maybe isn’t as secure as they should be — and change them to these new complex passwords.
The password manager automatically saves them for you when you change them on the site. Then, whenever you go back to the site, the password manager fills them in for you, so you don’t even need to know what password you’re using.
There are more features these handy tools bring to the table (secure password sharing, etc), but this is basic functionality. In this way, all the websites and accounts you use have unique, random, secure passwords that you don’t have to remember at all. Plus, you get the added convenience of a program that will fill in your logins for you when you go to different websites.
So What Happens If My Password Manager Gets Hacked?
A common concern is the eggs-in-one-basket question. It has happened — in fact it happened to LastPass a couple times over the years. However, with the quality of encryption used to secure the password vaults, as long as you used a strong master password, it wouldn’t matter. It would still take a really long time (on the order of hundreds of years) for an attacker to decrypt your passwords. Plenty of time to change your master password and change your passwords on the accounts you use, long before anyone ever got access to them.
Given the two most common passwords of 2017 were ‘123456’ and ‘password’, it is likely a password manager will help you tidy up your digital life. Give one a shot and see how it works for you. Until next time, happy computing!