Passwords and Password Managers & If You Connect It, Protect It
Welcome to the first week of Cybersecurity Awareness Month! Each week we will discuss two primary topics. One of those topics will be the CAM 2020 “official” weekly topic and the other will be localized for the Berry community. This week, the official topic is “If You Connect It, Protect It”, and the local topic concerns passwords and password managers.
If You Connect It, Protect It
Once we connect a device to the Internet, via a wireless network or cellular data connection, or other method, it is exposed and vulnerable. That’s a terrible way to look at it, but there are stories every day of new vulnerabilities in software and hardware that we use all the time. In 2019 there were over 22,000 vulnerabilities identified, with over 12,000 of those reported and assigned a Common Vulnerabilities and Exposure (CVE) identifier, which is used to identify and promulgate information about the vulnerability.
That 22,000 number is across hundreds of companies and products, but you know the names of some of the most affected companies. They include Microsoft, Adobe, Apple, and yes, even Google. It’s a safe bet that whatever device you connect, it will already have, or will have in the future, vulnerabilities. What to do?
When reputable companies find or are told about vulnerabilities, they create and release updates, unless the software or hardware is no longer supported. We see evidence of this all the time…Windows wants to reboot to install updates, your phone tells you it needs to reboot to install updates. Don’t ignore these warnings, especially when first connecting a device to the network. At the same time, become familiar with what these warnings look like to avoid being fooled by fake update messages in the future.
All of this to say that the most important rule of properly securing connected devices is to keep your devices updated. The first thing to do after you connect something new to the Internet is update it. On average, newly connected devices are attacked within 5 minutes and are targeted by exploits specific to the device within 24 hours. That’s not much time to go out and get the latest update for the device. Do it quickly!
Passwords and Password Managers
We talk about passwords a lot, for good reason. With all of their inherent flaws, passwords are the de facto way we authenticate to all of our accounts. The average person now has 27 discrete accounts, while people in information technology fields or younger people may have two or three times that many. This means the average person should have at least 27 different passwords, but humans take shortcuts, even when it is dangerous to do so.
One particularly dangerous shortcut people take is to reuse passwords for multiple accounts. Aside from the need to keep them secret, this is the most important rule in properly dealing with passwords – do NOT reuse them. Make sure passwords are unique across all accounts.
Good passwords are also long, complex, and not based on easily located data, like birthdays, pet’s names, high school mascots or other public record information.
Truthfully, twelve to fifteen characters, minimum.
Have a mix of upper and lower case letters, numbers, symbols and even spaces, if an account allows it.
Based on what?
There’s several good ways to do this. If the password must be memorable, try imagining a picture of a favorite place, a scene from a book, movie or TV show, or other vivid image that you won’t forget, or be prone to alter. Pick four or five words that describe that image, string them together, capitalize a word, or all of them, and throw in a number. For example, a memorable scene might include a cowboy trying to stay on a bucking bull in a rodeo. Words to pick from this scene could include cowboy, bull, horns, bucking and a number could be 8 (as in, the cowboy has to stay on the bull 8 seconds to get a score).
The resulting password could be “Cowboy-Bull-Horns-Bucking-8”.
What makes this a good password?
- It is long – 27 characters
- It is complex – upper and lower case letters, a number, and symbols
What weakens this password?
- It is based on words which are all in the dictionary
The length and complexity wildly outweigh the weakness of being based on dictionary words. This would be a great password, but read on for why it is not.
Our awesome example password is no longer a great password because it has been exposed. It has been used as an example and therefore should NOT be used as a password. No length or complexity will ever outweigh the disadvantage of an exposed password. Keep your passwords secret and never share or reuse them.
If you prefer not to create 27+ word pictures for your accounts, your passwords, of course, don’t need to be memorable if they will be stored in a password manager and possibly generated by a password manager. They can be as long, complex, and random as you wish, as you will never have to type them in, or even know them.
Password managers like LastPass, 1Password, BitWarden, and even iCloud Keychain for you Apple-only folks, allow you to use long, complex, and unique passwords for EVERY account you have. You only have to remember one, good, strong password to lock away the rest of your passwords. Visit the sites for the managers above or run a search in your browser for “password manager” and see how many results you get.
There are so many options and in your search results you’ll also find sites that will compare some of the available managers, providing recommendations and showing how they stack up against each other. Some have unique features or are better suited for families. Some may not support all of your devices, so be sure to check that your chosen phone, tablet, or operating system is supported. Be sure to pick a recent review, as vendors continuously attempt to improve their products, pricing and supported platforms. Find one you like, try multiple ones out if you need to. Many have trial periods, others don’t cost anything to use, but may have severe limitations. You are almost guaranteed to find one that matches your needs, wants, and budget.
Be sure to follow Berry OIT on Facebook (@BerryCollegeOIT), Twitter (@berryoit), or Instagram (@berrycollegeoit) for clues. Other, potentially more important information from OIT and specifically Information Security, will be provided using these outlets. Remember you can always check the InfoSec News And Alerts Site for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications. There’s also the Q&A section, where you can ask a question and get an answer directly from me, and the events calendar where events like training will be posted.