Security Step 2: Strengthen Your Passwords

James Sparrow
May 19, 2016

Your network, PC, email, and many other applications have one critical element in common: they are only as secure as the password you created for them. And security researchers have consistently found (and data dumps from breaches have documented) that a majority of people reuse the same password for many, if not most, applications. A single insecure website that exposes your password in a data breach could be all an attacker needs to gain access to many accounts critical to your practice and/or your personal life.

How can you protect yourself? Start with a trusted password manager application, such as 1Password or Keychain on Mac OS. A password manager provides a secure way to store and find all your passwords, and only requires you to remember a master passphrase to gain access. Basic password managers work with a single computer, encrypting passwords on your hard drive; more sophisticated versions allow you to securely share your passwords between multiple computers and devices including mobile phones and tablets.

When you first set up your password manager, you will need to choose a strong but memorable passphrase. A passphrase is basically a stronger, more complicated password.

Strong passphrases have the following characteristics:

  • Contain both upper- and lowercase letters
  • Have digits and punctuation symbols as well as letters
  • Contain at least 12 letters, numbers, or symbols (the longer, the better)
  • Are not a word in any language, slang, dialect, or jargon
  • Are not based on any personal information, such as names of family members or pets, or important dates

As you create new accounts for sites you visit or applications you use, add a new entry in your password manager. Name the entry after the site, include your username, and use the password manager to generate a password. Most will let you choose the length and complexity of the password to meet any rules imposed by the site, such as allowed special characters. Some accounts may require you to provide answers to security questions to reset a forgotten password.

Unfortunately, most sites ask the exact same questions and may not adequately protect the answers. If the account requires you to answer security questions, use the password manager to generate your responses as well. Remember to include the security question in the password entry (for example “First pet’s name: 3TFhJzbNdnYN1SMXW7q4”).
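The checklist above and the advice to let the password manager generate both passwords and security-question answers can be turned into a small routine. The following is an added example written for this article, not code from 1Password, Keychain or any other product; the symbol set, the toy dictionary and the `new_vault_entry` record layout are assumptions, and a real manager would use a far larger wordlist and the site's own character rules.

```python
import secrets
import string

# Assumed symbol set; real sites restrict which punctuation they accept.
DEFAULT_SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"

# Constructed toy dictionary standing in for a real multi-language wordlist.
TOY_WORDLIST = frozenset({"password", "welcome", "summer", "dragon", "letmein", "qwerty"})


def policy_violations(candidate, *, min_length=12, symbols=DEFAULT_SYMBOLS,
                      wordlist=TOY_WORDLIST, personal_terms=()):
    """Return the list of characteristics the candidate fails; an empty list means it passes."""
    found = []
    if len(candidate) < min_length:
        found.append(f"shorter than {min_length} characters")
    if not (any(c.islower() for c in candidate) and any(c.isupper() for c in candidate)):
        found.append("missing upper- or lowercase letters")
    if not any(c.isdigit() for c in candidate):
        found.append("no digits")
    if not any(c in symbols for c in candidate):
        found.append("no punctuation symbols")
    lowered = candidate.lower()
    for word in sorted(wordlist):
        if len(word) >= 4 and word in lowered:
            found.append(f"contains dictionary word {word!r}")
    for term in personal_terms:  # names, pets, dates the user supplied
        if len(term) >= 3 and term.lower() in lowered:
            found.append(f"contains personal information {term!r}")
    return found


def generate_password(length=20, symbols=DEFAULT_SYMBOLS):
    """Draw from the OS CSPRNG (secrets, not random) until the candidate meets the policy."""
    if length < 12:
        raise ValueError("the article's minimum is 12 characters")
    alphabet = string.ascii_letters + string.digits + symbols
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not policy_violations(candidate, symbols=symbols):
            return candidate


def new_vault_entry(site, username, questions=(), length=20):
    """Build one manager entry: site name, username, generated password, and a generated
    (not truthful) answer for each security question, stored alongside the question text."""
    return {
        "site": site,
        "username": username,
        "password": generate_password(length),
        "security_answers": {q: generate_password(length) for q in questions},
    }


if __name__ == "__main__":
    print(policy_violations("Fluffy2016!", personal_terms=("Fluffy",)))
    entry = new_vault_entry("example.com", "alice", questions=("First pet's name",))
    print(entry)
```

The security-question answers are deliberately random strings, so an attacker who knows your pet's name from social media gains nothing; the question text is kept in the entry so you can find the right answer when the site asks.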

Another step you can take to protect your critical systems is to enable multi-factor authentication (also known as MFA or two-factor authentication). MFA is available on many sites, and protects you by requiring both your password and a code to access your account. The access code is typically texted to you or provided by an app on your phone, such as Google Authenticator, and changes with each use. Without access to both your phone and your password, an attacker is prevented from gaining access to your account.

In short, it’s very important to remember that your accounts are only as strong as the passwords you created for them. A trusted password manager is a great way to organize, secure, and diversify your passwords. Lastly, in cases where even stronger security is required for your systems, enabling multi-factor authentication may just be your saving grace.

After spending some time improving your firm’s passwords it will be time for you to take a deeper look at another potential weak security area in your firm, the Wi-Fi network. In Security Step 3 we will provide many essential tips and tricks to fortify your Wi-Fi network security.