We’re celebrating “Password Month” throughout April 2019 here on the Pivot Point Security blog. This article covers secure password resetting, 2-factor authentication, and password storage. It is one of several articles that cover our Top Ten Tips for stronger password security. We’ve already covered tips #10 through #6 in prior posts. But we’re not done yet!
Tip #5: Ensure password resets are as secure as possible
In many cases, your data is only as secure as your password reset factors. If your password hint or security questions are easily guessable by looking at your Facebook page, so is your password.
Be sure to sign up for email and text notifications that make you aware of password reset attempts on your account, as well as logins from new devices or new locations, the addition of a new payee or address, large account charges, etc.
Also be sure to enable multiple authentication factors where possible, so if your email account is compromised you can still reset passwords using text messages, for instance.
Tip #4: Use two-factor authentication when risk warrants it
Speaking of multiple authentication factors, this is a great way to strengthen your security. Always use two-factor authentication (2FA) for sensitive accounts like financial accounts, and if possible your email.
2FA means that to authenticate you need two things: something you know (like your password) plus a second factor, either something you have (like a cell card, key fob, or your mobile device) or something you are (like your fingerprint or voice print). A hacker or opportunistic thief may have one of those but is unlikely to have both.
If you care about your data even a little bit, don’t disable 2FA for a site by checking those “remember me” boxes on your favorite websites. Those disable 2FA and are an open door for hackers who get control of your device.
Tip #3: Store passwords securely
As you know from our previous password tips, keeping sensitive data and accounts secure means dealing with lots of long and/or complex passwords, each of which is unique across the dozens of devices and systems you access. You won’t be able to memorize them all, especially since they change periodically. So how to keep all those crazy-strong passwords organized?
Writing them in a notebook, spreadsheet file or pile of sticky notes is not safe, reliable, or practical. For one thing, what if you need a password while you’re at work, and your password notebook is at home? Or your passwords are in an Excel file on your PC and malware infiltrates it, leaving all your passwords in the hands of hackers?
If your company has an organizational standard for managing passwords, follow it. Otherwise, choose a purpose-built password manager application—preferably one that has both desktop/browser and “app”/mobile versions. There are many available at low/no cost, including popular favorites like LastPass, Dashlane, and 1Password. Just enter your strong master password for the password manager and you have secure access to all your passwords instantly.
Password managers have a number of huge security and usability advantages over any form of password management you’re likely to invent on your own:
- They make it very easy to create and maintain strong, unique passwords.
- They make it very easy to keep your passwords on-hand and synced up across all your different devices and browsers.
- They will automatically spot instances of password reuse to help you eliminate those.
- They can “rate” your passwords so you know if they’re weak or easily guessable.
- They support secure password sharing and 2FA out-of-the-box.
On the downside, if you lose track of the master password for your password manager, that can be trouble because the vendor can’t restore or reset it for you. Using a passphrase (see Tip #9) often helps create a strong-yet-memorable string for this purpose.
Understanding password good practices is key to staying safe in cyberspace—and staying safe beats getting fleeced by hackers every time. Stay tuned for our last batch of password tips, coming very soon to this very blog.