Increase Online Security With a Robust Password Policy
by Chloe Bowen
At our recent virtual healthcare cybersecurity conference, Paubox SECURE @ Home, a number of our guest speakers mentioned the importance of utilizing strong, unique passwords. But what does that mean exactly?
Here are some high level takeaways from experts in the field.
The longer the better
Strong passwords are as important as ever, Kelvin Coleman, executive director at the National Cyber Security Alliance (NCSA), pointed out during his presentation. “Using a unique and robust password . . . [is] just a great way to make sure that you’re not becoming an attractive target for bad actors.”
Length alone changes the attacker's arithmetic: if your password is 8-10 characters, “you change the profile of a brute attack from taking seconds to taking hours to potentially days. Therefore, [hackers will] move on,” explained Haskelson.
Coleman mentioned that hackers are interested in low risk, high reward opportunities. “Bad actors are just as lazy as they ever have been,” he pointed out. “So if you’re making it extraordinarily difficult for them to get into your account, they’re going to move on to the next person who has ‘password1’ as their password.”
Easy to remember, but hard to crack
Melissa Bendana, information security and risk management leader at Blue Shield of California, recommends using both uppercase and lowercase letters in a password, as well as adding spaces. You can even use a phrase that is easy for you to remember but difficult to guess.
When choosing a phrase, however, Haskelson stressed not choosing something that is too obvious. If hackers looked at someone’s Facebook page, for example, they would easily be able to find out children’s names, pets’ names, and other things that would be easy to guess. “So try to find something that is not so obvious, right? [Choose something] a little bit more discreet in the naming technology.”
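The two points above, length and a random multi-word phrase, are really one point about the size of the search space an attacker has to cover. The following added example (not part of the original article or of any speaker's material) puts numbers on it. The guess rates are assumed orders of magnitude, and the 7776-word list size is the common Diceware convention; everything is computed from those assumptions.

```python
import math

# Assumed attacker guess rates (guesses per second), orders of magnitude only:
#   a throttled web login lets an attacker try a handful of guesses per second;
#   an offline attack on a dump of fast, unsalted hashes runs on GPU hardware.
RATES = {
    "online, rate-limited login": 10.0,
    "offline, fast hash on GPUs": 1e10,
}

# Constructed candidate profiles: (label, alphabet size, length in symbols).
# The last two are passphrases drawn from a 7776-word Diceware-style list,
# where each randomly chosen word counts as one symbol of a 7776-symbol alphabet.
CASES = [
    ("8 lowercase letters", 26, 8),
    ("10 mixed case + digits", 62, 10),
    ("16 printable ASCII", 95, 16),
    ("4 random words", 7776, 4),
    ("6 random words", 7776, 6),
]


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates an exhaustive search must cover."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """log2 of the keyspace, assuming every symbol is chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(space: int, rate: float) -> float:
    """Worst-case time to try the whole space at a given guess rate."""
    return space / rate


def human(seconds: float) -> str:
    """Render a duration at the coarsest sensible unit."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600),
             ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"


def report():
    """One row per profile: (label, entropy bits, {rate label: seconds to exhaust})."""
    rows = []
    for label, alphabet, length in CASES:
        space = keyspace(alphabet, length)
        times = {name: seconds_to_exhaust(space, rate) for name, rate in RATES.items()}
        rows.append((label, entropy_bits(alphabet, length), times))
    return rows


if __name__ == "__main__":
    for label, bits, times in report():
        cols = "  ".join(f"{name}: {human(secs)}" for name, secs in times.items())
        print(f"{label:24s} {bits:6.1f} bits  {cols}")
```

The table makes the speakers' point visible: eight lowercase letters survive an online attack for months but fall to an offline attack in under a minute, while four random words, which are far easier to remember than ten mixed-case characters, sit at roughly 52 bits and a six-word phrase is out of reach for either attacker. A phrase built from names on a public profile is not random and gets none of this credit.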
Don’t repeat passwords
It is also vitally important not to repeat passwords. Jeremiah Grossman, CEO of BitDiscovery, touched on this. “When passwords are leaked on the Internet,” he explained, “everybody races to change their password on that one system. But what we want to do is have different passwords on each different system.”
Grossman also mentioned the importance of implementing this policy across an organization. “To the extent that we can enforce this, the better,” he believes.
A password policy must not be too difficult, or else employees won’t follow it.
Julie Haney, computer scientist at the National Institute of Standards and Technology (NIST), pointed out that some companies have “kind of unusable password policies with all this complexity and changing your password all the time.” But this type of onerous security only encourages people to find workarounds, “like writing their passwords on a sticky note, or keeping their passwords unencrypted on a file on their computer,” she said.
Haney believes the goal should be to make technology more user-friendly, so that “there’s not a lot of burden put on [employees].”
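What a low-burden policy looks like when enforced in code: the following added example (not the article's code, and not from NIST or any speaker) rejects short, blocklisted, context-specific and repetitive passwords and otherwise stays out of the user's way. The 12-character minimum and the tiny blocklist are assumptions for illustration; the absence of character-class rules and of expiry is the design point.

```python
import unicodedata

# Assumed organizational thresholds. NIST SP 800-63B requires at least 8 characters
# for user-chosen secrets and says to allow at least 64; 12 is a stricter local
# choice for this example, not a NIST number.
MIN_LENGTH = 12
MAX_LENGTH = 64

# Constructed blocklist stand-in. A real deployment loads (or queries) a large
# corpus of breached and common passwords instead of this handful.
BLOCKLIST = {"password", "password1", "123456", "qwerty", "letmein",
             "welcome", "iloveyou", "admin"}


def normalize(candidate: str) -> str:
    """NFKC-normalize so visually identical Unicode spellings compare equal,
    and drop a trailing newline that a pasted value can carry."""
    return unicodedata.normalize("NFKC", candidate).rstrip("\r\n")


def check_password(candidate: str, context_words=()) -> list:
    """Return the reasons to reject `candidate`; an empty list means accept.

    Deliberately absent: composition rules (required character classes) and any
    notion of expiry. Mixed case, spaces and symbols are allowed but never
    required, so a multi-word passphrase passes on length alone.
    """
    pw = normalize(candidate)
    lowered = pw.lower()
    reasons = []

    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")

    # Catch 'Password1!'-style decorations of a blocklisted word.
    core = lowered.rstrip("0123456789!@#$%^&*.?")
    if lowered in BLOCKLIST or core in BLOCKLIST:
        reasons.append("appears in the blocklist of common or breached passwords")

    # Context-specific words: user name, company, product, and anything an
    # attacker could read off a public profile (children, pets, teams).
    for word in context_words:
        if len(word) >= 3 and word.lower() in lowered:
            reasons.append(f"contains the context word {word!r}")

    # Long but repetitive strings are trivially guessable.
    if len(set(lowered)) < 4:
        reasons.append("uses fewer than 4 distinct characters")

    return reasons


if __name__ == "__main__":
    for sample in ["correct horse battery staple", "Password1!", "aaaaaaaaaaaaaaaa"]:
        print(repr(sample), "->", check_password(sample) or "accepted")
```

Because the function returns reasons rather than a bare yes/no, the sign-up form can tell the user exactly what to change, which is what keeps a strict-but-simple policy from becoming the sticky-note policy Haney describes.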
Coleman brought up password managers during his talk. “There’s some very good password managers out there that can help you deal with the plethora of passwords that you have to remember,” he noted.
However, Coleman reminded the audience about the importance of choosing “a nice, robust, alphanumeric password [to unlock] your password manager, because we get into that—[It’s] keys to the kingdom.”
Zero trust and two-factor authentication
Zero trust is a security strategy that grants no implicit trust to any user or device, inside or outside the network perimeter: every access request is verified before it is allowed.
Dave Ledoux, CIO of Nizhoni Health, recommends enforcing two-factor authentication universally. With 2FA “no password can be spoofed,” he explained. “You don’t necessarily need to start having 18 and 26 and 38 character passwords anymore.”
Grossman believes that not only should you have a unique, strong password for each system, but you should implement 2FA on top of it.
Coleman explained it this way: “If a password is to lock on a door, multi-factor authentication is that bolt, that extra lock, that gives you a little bit more protection.”
Securing network passwords is something that a lot of people don’t think about, Coleman said. It’s important to have a secure password for your Wi-Fi network and router as well as your online accounts. You also might consider having a separate network for guests with a different password.
“Sometimes we forget that connecting to our Wi-Fi can be a vulnerable point for us as well that bad actors can take advantage of,” he reminded the audience.
It’s surprising how many people never bother to change the password that came with their cable modems, Haskelson pointed out. He highly recommends, if nothing else, at least changing the password from the default. “Change it to anything, just not the administrative password that came with it.”
Bendana reminded the audience to also put passwords on wireless printers and to review and lock down the configuration of any firewalls you have.
Experts in cybersecurity realize the importance of using strong passwords.
Haskelson pointed out that a robust password policy is a free way to significantly increase your online security. “Change your password, set up a guest network, restrict [access] on any computer—This is just basic. Let’s say call it Security 101.”
To watch full recordings of the presentations mentioned in this post, visit Paubox’s YouTube channel.