Password Security and Hygiene

Good Passwords Are Hard To Find

The best passwords are easy to remember, hard to break.  This can be a problem; if a password is too difficult to remember – meaning it meets complexity requirements and is long enough to withstand attempts to crack it – it will likely wind up on a note in your desk drawer or taped to your monitor.

How Do I Choose A Good Password?

Arguably, the best advice comes from someone who understands how passwords are cracked; explained here.  Come up with a passphrase. Once you have something you'll remember, make another that is similar and check how strong the similar password is: this one works through your browser, so you won't be uploading your sensitive information anywhere, but it is still a good idea to test one that is different from your real password (never put your password anywhere except when using it or saving it to a password manager).  If the similar password is as strong as you want it to be, use the one it mimicked, and remember to change it on occasion (it's not as bad as it sounds).

Compromised Accounts And Passwords

We hear about high-profile breaches; if you are affected by one of these, the parties responsible for keeping your information safe will eventually contact you and let you know what you can do about it.

But it has been reported that nearly a billion compromised email accounts are published online.  If you wonder whether yours is among them, head to ';--have i been pwned? and enter an email address.  If you find yours, change your password for every account that uses that email address or password.  You can also check whether one of your passwords has been compromised and sign up for notifications in the event that a future breach or 'sensitive' data dump exposes your information.

Why It Matters

The average person has about 25 online accounts and most people recycle their passwords.  If you are among them, a single breach could affect all accounts using a common email address/username or password.  It doesn't matter how strong a password happens to be; if it's already online you can never use it safely.

What To Do

Our brains can only hold so much.  In this survey, 72% of the 263 participants had difficulty remembering their passwords.  The result, as we already know, is we reuse and write down passwords.  There are techniques for remembering passwords, but we can expect to need even more passwords in the coming years.

REMC1 is always looking at security; you've probably heard us mention 2-step verification (aka 2-factor authentication) and password managers.

Password Managers

Reputable password managers are available for your phone as well as your computer.  Bitwarden is free and promises to always be free.

LastPass offers a way to verify password strength; however, recent changes allow you to use it for free only on either mobile devices or desktop machines, not both.



2-Step Verification (2-factor / multi-factor authentication)

This feature provides an additional layer of security in case your password is compromised. REMC1 highly recommends that staff, especially administrative and administrative assistant staff, utilize this feature for their Google Account.  Learn more about this at the Google Account Help Section on Setting up 2-Step Verification, on our wiki page, or by viewing our video tutorial.

Setting up 2-factor authentication with Yubikeys

Learn more about setting up 2-factor authentication with Yubikeys by visiting the Yubikeys wiki page.

Questions?

REMC staff is happy to answer any questions you have on potential spoofing, viruses, malware, and security.