Employee Cybersecurity Training: Best Practices for Passwords
School is now in session and today’s discussion is regarding best practices to manage your passwords and multi-factor authentication (MFA). Protecting your passwords is particularly important. You must go beyond the old-school approach of keeping a written list of passwords or storing them in your phone. The old-school approach is dangerous and can leave you open to attack from hackers.
Phishing Scams
Our previous discussions have covered phishing scams. As a review: you receive an email that pretends to come from a service you use. This could be an email from Microsoft, eBay, Netflix, or even your bank. When you click on the link, it brings you to a page that looks exactly like the login page for that service. It is a fake website; however, you may not notice it is fake unless you examine the address bar and see that the URL is wrong. There are many pages that look the same as the log-in page for a service. Once you enter your username and password on one of these fake sites, it is compromised by hackers. Now that they have your password, the hackers understand that the same password is most likely used for other services. This leaves other websites you frequent, or other portals where that same password is used, exposed to hackers.
Sharing Your Password Successfully
Because hackers can sometimes access email accounts, you must be incredibly careful when sharing your password with others. The best practice for sharing your password with others is to use a password management tool. Once you have your passwords in that tool, you can share them successfully and securely with others. You simply send a link to the person with whom you would like to share the log-in information, and that individual is then required to accept the link and authenticate themselves to access the information. This is much safer than sending passwords in an email.
If you do not have access to a password management tool, be sure to use two different methods for sending the username and password. Send the username through email and then send the password to that same person through a text message. At least that way they are in separate places. If a hacker were to get access to one, hopefully they will not get access to the other. However, sharing passwords through email is not a practice we would recommend. Hackers can often purchase passwords in bulk on the dark web. Once your passwords have been exposed, the hackers build databases that are sold in bulk to other hackers.
Complexity of Passwords
As we have discussed, passwords can get stolen through phishing or by hacking into email accounts. Many websites recommend a specific creation template for passwords that helps guard against a brute-force attack. A brute-force attack is an exhaustive search: the attacker's tool tries possible password combinations until the correct password is discovered. The longer the password, the more combinations need to be tested. What that means is that hackers use tools that generate candidate passwords, and if you give the tool enough time and the ability to attempt logins to the service as you, it will eventually find your password. Increasing the number of characters and including special characters effectively increases the amount of time it takes for such a tool to guess your password.
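To make the "more characters means more combinations" point concrete, here is an added example (not code from the original article or from ArchIT) that computes the keyspace, the entropy in bits, and an expected brute-force time for several password shapes. The guess rates are assumed, illustrative figures, not measurements of any real service or attacker; the point they make is that length dominates character-set complexity, since a 12-character lowercase password has a larger keyspace than an 8-character password drawn from all printable characters.

```python
"""Keyspace and brute-force time estimates for different password shapes.

Added illustration, not part of the original article. Guess rates below are
assumed round numbers chosen only to show the effect of length and alphabet.
"""
import math
import string

# Character classes a password may draw from, with their sizes.
CHARSETS = {
    "digits": string.digits,                                       # 10
    "lowercase": string.ascii_lowercase,                           # 26
    "letters": string.ascii_letters,                               # 52
    "letters+digits": string.ascii_letters + string.digits,        # 62
    "all printable": string.ascii_letters + string.digits + string.punctuation,  # 94
}

# Assumed guess rates (guesses per second), purely illustrative.
ONLINE_RATE = 10           # a throttled web login form
OFFLINE_RATE = 10 ** 10    # cracking a leaked hash database on GPUs


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random password over the alphabet."""
    return length * math.log2(alphabet_size)


def expected_seconds(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Expected time to hit the password: on average half the keyspace is tried."""
    return keyspace(alphabet_size, length) / 2 / guesses_per_second


def human_duration(seconds: float) -> str:
    """Render seconds as the largest convenient unit."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600),
             ("hours", 3600), ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


def compare(length: int) -> list:
    """Table rows (charset, bits, online time, offline time) for one length."""
    rows = []
    for name, alphabet in CHARSETS.items():
        n = len(alphabet)
        rows.append((name, round(entropy_bits(n, length), 1),
                     human_duration(expected_seconds(n, length, ONLINE_RATE)),
                     human_duration(expected_seconds(n, length, OFFLINE_RATE))))
    return rows


if __name__ == "__main__":
    for length in (8, 12, 16):
        print(f"\nlength {length}")
        for name, bits, online, offline in compare(length):
            print(f"  {name:15} {bits:6} bits  online: {online:>20}  offline: {offline:>20}")
    # Length beats complexity: 12 lowercase letters out-count 8 printable chars.
    print(keyspace(26, 12) > keyspace(94, 8))
```

Run it and compare the rows for length 8 against length 12: adding four characters grows the keyspace far more than switching a short password to a bigger alphabet does, which is why the twelve-character guideline later in this article matters.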
Password Management Tools
In our daily course of business and personal life, we use our devices all the time. The proliferation of password management tools has been a fantastic lifesaver for many people. ArchIT recommends using a business-grade password management tool with a good reputation even for your personal use. A few of these are LastPass, Dashlane, or OneLogin. There are many others. Here, we will use LastPass as an example, but if you are using any of the others I mentioned, they are also good.
LastPass can run on your phone, in your browser as an extension, or on your computer as an app. When LastPass detects that you are logging in to a page of any website or portal, it automatically remembers the information. That is how you set it up. You can also create folders and organize the information in various ways. LastPass also uses facial recognition on your phone, so you can unlock it without typing. This is a recent improvement to LastPass. Before this upgrade, using LastPass on the phone was not very convenient because you had to go into the app itself, look up the password, and copy and paste it into the app you were logging in to. Now, it integrates with just about everything and uses face recognition, which is quite amazing.

The best thing about it is its simplicity. With LastPass, there is one master password that you must remember, and it gives you access to all your passwords. The good news is that it is very secure, and it is exceedingly difficult for anyone to get your master password. The bad news is that it is exceedingly difficult to recover your master password if you forget it, and you may find yourself locked out. The system is intuitive and well done. Your job is to install the app as a browser extension on all the browsers that you are using, or at least on the main browser you are using. Once you do, it sort of takes over and does the work of remembering and entering passwords for you.

It also generates highly secure passwords. You can tell it how many characters you want and what sort of characters to include. For instance, the California DMV will have one password requirement and your bank will have a different password requirement. You can easily adjust the number of characters and the complexity you wish for, and it then generates a new password.
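The generator described above (length and character classes chosen to fit each site's policy) is easy to get subtly wrong: it must use a cryptographically secure random source, and it should guarantee that every required class actually appears. The following is an added example, not LastPass's code or anything from the original article, showing a policy-driven generator built on Python's `secrets` module, together with a checker that a site's policy could be expressed against. The sample policies are constructed for illustration, not the real requirements of any named site.

```python
"""Policy-driven password generation with a CSPRNG.

Added illustration, not code from any password manager. Policies below are
constructed examples, not the actual rules of any real site.
"""
import secrets
import string

# Character classes a policy may require. Symbols are restricted to a set that
# most web forms accept; adjust per site.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": "!@#$%^&*()-_=+[]{};:,.?",
}

# Constructed example policies: (minimum length, required classes).
POLICIES = {
    "example-bank": (12, ("lower", "upper", "digits", "symbols")),
    "example-pin-only-portal": (6, ("digits",)),
}

_rng = secrets.SystemRandom()   # shuffle must also come from the OS CSPRNG


def generate_password(length: int, classes=("lower", "upper", "digits", "symbols")) -> str:
    """Return a random password of `length` chars containing every class listed."""
    if length < len(classes):
        raise ValueError("length is too short to include every required class")
    alphabet = "".join(CLASSES[c] for c in classes)
    # One guaranteed character per required class, then fill from the union.
    chars = [secrets.choice(CLASSES[c]) for c in classes]
    chars += [secrets.choice(alphabet) for _ in range(length - len(classes))]
    # Shuffle so the guaranteed characters are not always at the front.
    _rng.shuffle(chars)
    return "".join(chars)


def meets_policy(password: str, min_length: int, required_classes) -> bool:
    """True if the password is long enough and contains every required class."""
    if len(password) < min_length:
        return False
    return all(any(ch in CLASSES[c] for ch in password) for c in required_classes)


def generate_for(site: str) -> str:
    """Generate a password satisfying the constructed policy registered for `site`."""
    min_length, classes = POLICIES[site]
    pw = generate_password(min_length, classes)
    assert meets_policy(pw, min_length, classes)   # sanity check of the guarantee
    return pw


if __name__ == "__main__":
    for site in POLICIES:
        print(f"{site:25} {generate_for(site)}")
```

Because the guaranteed-class characters are inserted first and then shuffled with `SystemRandom`, every output satisfies its policy without biasing where the required characters land; a naive "pick from the union until it happens to pass" loop would also work but wastes entropy and retries.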
Chrome, and Safari on Apple devices, have their own built-in key management. However, browsers get updated often, and features get changed. If you use these systems, you are relying on either Google or Apple not to change those features. Also, since these are consumer-grade products that are on every computer, more and more hackers are going to try to attack them, intercept them, or figure out a way to get the passwords out of them. Using a specialized set of tools is always better than using generic tools.
For business, you want a centralized repository for all passwords. This is vital because when an employee works in marketing and is the only employee with access to all the marketing accounts, websites, other marketing tools, email, and Mailchimp, and they leave the company, it causes a lot of issues. Use a tool like LastPass for Business, where you can share passwords and keep a password vault for all the business accounts, or Apple's key management tool.
LastPass also has a security challenge feature. It uses artificial intelligence to look at all the accounts you store in the app, and it can tell you if your passwords are too weak and whether you are meeting the best-practice requirements. It will also let you know when to change your password to be more secure.
Google Chrome's key management program will identify passwords that have shown up on the dark web. When you set a password, it will check whether that username and password are out on the dark web and give you a warning. Those are especially important features as we move forward in the password complexity age.
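A natural worry about the dark-web check just described is how a tool can ask "has this password leaked?" without handing your password to a third party. The common answer is a k-anonymity lookup: the client hashes the password, sends only a short prefix of the hash, receives every known-breached suffix under that prefix, and finishes the comparison locally. This is the design used by Have I Been Pwned's Pwned Passwords range API (SHA-1, 5-hex-character prefix); the code below is an added example that is not Chrome's or LastPass's implementation and not from the original article. It simulates both sides offline against a constructed breach corpus, so the counts shown are made up for the illustration.

```python
"""k-anonymity breached-password check, simulated offline.

Added illustration. CONSTRUCTED_BREACH_CORPUS is invented sample data, not a
real leak; the range-lookup shape mirrors the Pwned Passwords API design.
"""
import hashlib

# Constructed sample corpus: password -> number of times "seen in breaches".
CONSTRUCTED_BREACH_CORPUS = {
    "password": 3730471,
    "123456": 23597311,
    "letmein": 204211,
    "Summer2020!": 1893,
}

PREFIX_LEN = 5   # characters of the hex SHA-1 that leave the client


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password (the hash the range index is keyed on)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: dict) -> dict:
    """Server side: group breached hashes by their 5-char prefix."""
    index = {}
    for pw, count in corpus.items():
        h = sha1_hex(pw)
        index.setdefault(h[:PREFIX_LEN], []).append((h[PREFIX_LEN:], count))
    return index


def range_lookup(index: dict, prefix: str) -> list:
    """Server side: everything known under one prefix, nothing more specific."""
    return index.get(prefix, [])


def client_query(password: str) -> str:
    """Client side: the only value that is transmitted is this short prefix."""
    return sha1_hex(password)[:PREFIX_LEN]


def breach_count(password: str, index: dict) -> int:
    """Client side: fetch the range for our prefix, then match the suffix locally."""
    full = sha1_hex(password)
    prefix, suffix = full[:PREFIX_LEN], full[PREFIX_LEN:]
    for candidate_suffix, count in range_lookup(index, prefix):
        if candidate_suffix == suffix:
            return count
    return 0


def warn_if_breached(password: str, index: dict) -> str:
    """The kind of message a browser or manager surfaces; empty string if clean."""
    n = breach_count(password, index)
    if n:
        return f"This password has appeared {n:,} times in known breaches; change it."
    return ""


if __name__ == "__main__":
    index = build_range_index(CONSTRUCTED_BREACH_CORPUS)
    for pw in ("password", "correct horse battery staple"):
        print(f"sent to server: {client_query(pw)}  ->  {warn_if_breached(pw, index) or 'not found'}")
```

With a 5-character hex prefix there are about a million possible buckets, so even a server that logs every query learns only that the password falls in a bucket shared by hundreds of known hashes, not which one.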
Multifactor Authentication (MFA)
MFA is a vital piece of security for both personal and business practices. Just like twelve-character passwords, everyone should have MFA as part of any service they sign up for. MFA authenticates you in multiple ways. The first way is something that you know, which is your username and password. The second way is something that you have. In the industry, we call that a token: it is either a piece of hardware (a small key fob) or, in most cases, our phones, because they are always with us. A phone belongs to an individual, and that is how you can be authenticated as that individual.
Users should rely on MFA for any website where you have your credit card information stored or where purchases can be made from your account. You want to make sure that anywhere on the web where a credit card is stored, there is a second factor of authentication. Any time someone tries to make a purchase or log in, you get a pop-up on your phone asking whether it is you. This allows you to be in control.
One last thing you should be aware of is passwordless authentication. Passwordless is basically the next level of authentication. There are a few technologies out there, but it is not yet mainstream, and it can be done in a few different ways. Passwordless means exactly what it says: no more passwords. You log into a service without a password. How can this be done? One of the companies that I have researched installs a small agent on your computer and sets a baseline for your activity for about a week. Their artificial intelligence is able, with 99.9% certainty, to identify you based on your activity on your computer. When you log into a service, it will basically identify you based on what you have been doing on your computer for a certain amount of time. Another way is closer to MFA and may be the path forward for the present time. This is the ability to log into websites using biometrics or face recognition on your phone. For instance, you have a bank app, and that bank app communicates with the backend database and then gives you a code on the phone; you can then go to the bank website on your computer and type in that code, and it knows that it is you. There are no passwords to manage, as it is just a code that comes in the app.
If you have questions or need help, please reach out to us. ArchIT specializes in providing IT services for architecture, design, and engineering firms.