Between personal and work accounts, the number of credentials and passwords we have and must remember can seem overwhelming and inconvenient. Managing passwords well is necessary to protect both personal and government network information, particularly as remote work continues for many.
Because credentials remain a primary target for cybercriminals, cybersecurity is everyone’s responsibility, at every level, in government.
Passwords must not only be strong; they should be paired with two-factor authentication enabled on every account. Below are the top four ways to strengthen your password today for maximum security.
1. Use complex passwords
The first way to make passwords more secure is to make them complex. Organizations often require a password to be a certain length and to contain uppercase and lowercase letters, numbers and special characters. A complex password mixes several character types (for example, Xyz23!). That said, complexity alone does not make a password strong: Xyz23! uses four character classes but is only six characters long, and a six-character password of any mix can be exhausted by offline guessing in minutes against an unsalted fast hash.
To be considered strong, the password also needs to be sufficiently long. Minimum lengths vary with the sensitivity of the account; a personal banking account, for example, will likely impose stricter requirements than a free Spotify account.
2. Use passphrases
While complex passwords are good, they are of little use if they are too hard to remember. Worse, the temptation to write difficult passwords on paper or save them in a document on the computer makes them less secure still.
A better option is to use a passphrase: a memorable string of several words, optionally including digits and special characters. The FBI, which recommends passphrases over password complexity, advises combining multiple words into a string of at least 15 characters. Passphrases are harder to crack even when they are plain words without special characters, because each added word multiplies the number of guesses an attacker must make; length, not symbol variety, drives the guessing cost. The words should be picked at random rather than taken from a song lyric or famous quotation, which cracking wordlists already contain.
The XKCD graphic below illustrates the benefit of a passphrase over a traditional password: a few random common words are easier to remember and harder to guess than a short string of substituted characters.
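To put numbers on the passphrase argument, here is an added example (not from the original article or the FBI guidance) that compares the guessing cost of short complex passwords against a words-only passphrase and generates a passphrase with the operating system's CSPRNG. The 12-word list is constructed so the code runs offline; the strength figures assume the 7,776-word EFF long list and an assumed attacker rate of 10 billion guesses per second, both labelled in the code.

```python
import math
import secrets

# Constructed 12-word sample list, used only so the generator runs offline.
# In practice use a published diceware list such as the EFF long list (7,776 words);
# the strength figures below are computed for that real list size, not for this sample.
SAMPLE_WORDS = [
    "anchor", "bronze", "cactus", "dolphin", "ember", "falcon",
    "garnet", "harbor", "island", "juniper", "kettle", "lantern",
]
EFF_LONG_LIST_SIZE = 7776        # 6^5 words, one per five-dice roll
PRINTABLE_ASCII = 94             # letters, digits and punctuation
GPU_GUESSES_PER_SECOND = 1e10    # assumed rate against an unsalted fast hash (e.g. NTLM)


def entropy_bits(pool_size, length):
    """Bits of entropy for `length` independent random picks from `pool_size` symbols."""
    return length * math.log2(pool_size)


def seconds_to_exhaust(bits, guesses_per_second=GPU_GUESSES_PER_SECOND):
    """Worst-case time to try every possibility at the given guessing rate."""
    return 2.0 ** bits / guesses_per_second


def generate_passphrase(wordlist, n_words=5, sep="-"):
    """Pick words with the OS CSPRNG (secrets), never random.random()."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def compare_policies():
    """Entropy and exhaustive-search time for three policies, keyed by a label.

    The character-class rows assume every character is chosen uniformly at random;
    a human-chosen password such as Xyz23! is weaker still because people favour
    predictable patterns (capital first, digits and symbol at the end).
    """
    policies = {
        "6 chars, mixed classes, chosen at random": (PRINTABLE_ASCII, 6),
        "8 chars, mixed classes, chosen at random": (PRINTABLE_ASCII, 8),
        "5 random words, lowercase only":           (EFF_LONG_LIST_SIZE, 5),
    }
    return {
        label: (round(entropy_bits(pool, n), 1), seconds_to_exhaust(entropy_bits(pool, n)))
        for label, (pool, n) in policies.items()
    }


if __name__ == "__main__":
    for label, (bits, secs) in compare_policies().items():
        print(f"{label:42s} {bits:5.1f} bits  ~{secs / 86400:10.1f} days to exhaust")
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS))
```

Under these assumptions the six-character mix is exhausted in about a minute and the eight-character mix in about a week, while five random lowercase words (roughly 30 characters, 64.6 bits) take on the order of 90 years. Note that the comparison is about the guessing cost of a well-chosen secret; a slow, salted password hash on the server side raises every row by the same factor.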
3. Don’t reuse passwords
Regardless of the complexity and length of your password, if that same password is used elsewhere, you are exposed to credential stuffing. When attackers obtain a list of usernames and passwords from a breached site, they immediately try those same combinations on other sites, usually with automated tools.
Avoid the temptation to use a company email address or company passwords for your own personal accounts, and vice versa. Never use the same password for multiple accounts where protected or sensitive information is exchanged.
For added protection, if you have administrative access to a device or a network, always use two separate accounts: one without administrative rights for day-to-day work, and a separate administrative account used only when administrative tasks require it.
Using a password manager that can randomly generate passwords, usernames and security question answers is a smart move. When using a password manager, choose a long master passphrase that you use nowhere else, back up the vault regularly, and keep the recovery codes and an offline copy of the backup in a physically secure location rather than in a file on the same computer.
4. Always use two-factor authentication
Having two-factor authentication adds a critical level of protection to your accounts. According to this Tech Crunch article, two-factor authentication combines two different kinds of factors: something you know, such as your password, with something you have or something you are, such as a phone, a physical security key or a fingerprint.
This adds another step to the log-in process. After submitting your username and password, you enter a one-time code from a text message or an authenticator app, approve a prompt on your phone, touch a security key, or present a biometric such as a fingerprint. A PIN or a security question answer is another "something you know", so on its own it does not add a second factor. Codes sent by text message are the weakest of these options, because they can be intercepted through SIM swapping or phished along with the password, but any second factor is far better than none.
One highly effective two-factor authentication method is a physical security key, a small USB (or NFC) device. When you log into your account, you plug in or tap the key and touch it to approve the login; the key signs a challenge that is bound to the genuine site, so a phishing page cannot capture and replay it. Even if someone steals your password, they cannot access your account without the key. Two popular types are the Google Titan key and the YubiKey, both of which are supported by many major websites.
Perhaps the good news is that the FBI recommends passwords only be changed when you suspect your account has been compromised. Frequently changing passwords can lead to poor password hygiene. Changing “Winter2020” to “Spring2020,” for example, leaves the next password glaringly obvious.
For more information, visit the online security topics on the Federal Trade Commission’s site.
Meredith Trimble is a former municipal official and Town Council Acting Chair, who focused on strategic planning, annual budgeting and bonded infrastructure projects. Her government experience also includes posts in both federal and state-level executive branch agencies: Associate Editor of the U.S. Federal Election Commission’s FEC Record; and Director of Education for the Connecticut Office of State Ethics. In her current role as a Senior Content Specialist with Tyler Technologies, Inc., she writes content to help empower those who serve the public. Her current focus is to help facilitate data-enabled organizations as well as to create connections between governments and those they serve.