Occurring annually on the first Thursday in May, World Password Day is an effort to promote better password habits.
Passwords and Multi-Factor Authentication (MFA) are Critical
According to IBM, the average cost of a data breach in the United States (US) in 2021 was over $9 million, the highest in the world. Infiltration can easily start with a weak password or hacked credentials.
The SolarWinds hack enabled cyber criminals to hide malware in legitimate software updates and conduct massive supply chain attacks. During a US government probe, top executives from SolarWinds stated that an intern had created the password “SolarWinds123” and leaked it on the public Internet. At a US Senate Committee hearing regarding the Colonial Pipeline ransomware attack, the CEO stated that a complex password was being used but MFA had not been implemented. As you know, Multi-Factor Authentication (MFA) uses a combination of at least two different factors for identity verification before allowing access – for example, RSA SecurID or Google Authenticator.
As people increasingly rely on digital identities, estimates are that the average person accesses almost 200 services or devices with passwords or other credentials. Odds are good that some of your account logins and passwords are among the billions circulating on the dark web, the Internet sector where anonymity tools are used to hide network addresses. Visit HaveIBeenPwned to search across multiple data breaches to determine if your email address or phone number has been compromised in a data breach.
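HaveIBeenPwned also exposes a Pwned Passwords range API that lets you test a password against its breach corpus without sending the password itself: only the first five hex characters of the password's SHA-1 hash leave your machine, and the match is made locally. The following is an added example (not part of the original article) of that k-anonymity check in Python; the sample corpus and its counts are constructed so the code runs offline, and the live lookup function is included but not called.

```python
import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"

def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase hex SHA-1 of the password: the 5-char prefix is
    all that leaves your machine; the 35-char suffix stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def count_in_range_response(suffix: str, body: str) -> int:
    """Parse a range response ("SUFFIX:COUNT" per line, CRLF separated) and
    return how many times our hash appeared in breaches (0 if absent)."""
    for line in body.splitlines():
        found, _, count = line.strip().partition(":")
        if found == suffix:
            return int(count)
    return 0

def live_range_lookup(prefix: str) -> str:
    """Real query (network required). Only the 5-char prefix is sent."""
    with urllib.request.urlopen(HIBP_RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")

# Constructed sample corpus: passwords and breach counts invented so the
# example runs offline; they are not real HaveIBeenPwned figures.
SAMPLE_LEAKED = {"password": 3_861_493, "qwerty123": 42_000}

def sample_range_lookup(prefix: str) -> str:
    """Offline stand-in for the API: emits the suffix:count lines of the
    sample corpus that share the prefix, plus an unrelated filler line."""
    lines = [f"{s}:{n}" for pw, n in SAMPLE_LEAKED.items()
             for p, s in [sha1_prefix_suffix(pw)] if p == prefix]
    lines.append("0" * 34 + "A:7")  # filler entry that never matches
    return "\r\n".join(lines)

def password_breach_count(password: str, lookup=sample_range_lookup) -> int:
    """Breach count for a password; pass lookup=live_range_lookup to query
    the real service instead of the constructed sample."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range_response(suffix, lookup(prefix))

if __name__ == "__main__":
    for pw in ("password", "Mushroomstractorstranscendladder"):
        print(pw, "->", password_breach_count(pw))
```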
Password Length is More Important than Complexity
A passphrase is a sequence of words and is easier to remember than a complex password made of characters and symbols. Create unique passphrases by combining unrelated words in uncommon patterns. Be aware that cybercriminals take advantage of current events, themes, and popular culture – for example, sports teams, award nominees, political and social slogans – knowing that people will gravitate towards these topics when creating passwords. Free password strength testing tools are available on the Internet and can provide a fun way to teach children how to create secure passwords. Estimates of time to crack are shown in the examples below:
Phoenixarizona – 24 Seconds
Atlantabraves – 2 Minutes
Intactinsurance – 36 Minutes
Saveourplanet – 15 Hours
Intactinsurance123 – 4 Days
Phoenixbravesinsuranceplanet – 11 Years
Mushroomstractorstranscendladder – Centuries
Oatmealindustrialgenerationoranges – Centuries
Adding a digit and/or special character, which is typically required, further strengthens a passphrase.
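Why do the examples above scale the way they do? An attacker who knows a passphrase is built from words does not brute-force it character by character; they guess whole words, so the realistic search space is the smaller of the character-level and word-level estimates, and each extra word or trailing digit multiplies it. The following added example (not from the original article or any strength-testing tool) computes both estimates and a crack time; the guess rate and word-list size are assumed figures, so the times differ from the tool numbers above, but the ordering is the same.

```python
import math
import re

# Assumed offline guessing rate against a fast hash (constructed figure, not
# from the article): ten billion guesses per second.
GUESSES_PER_SECOND = 1e10
# Assumed size of the word list a word-level attack draws from (constructed).
WORDLIST_SIZE = 20_000
UNITS = ((1, 60, "seconds"), (60, 3_600, "minutes"), (3_600, 86_400, "hours"),
         (86_400, 31_536_000, "days"), (31_536_000, 3_153_600_000, "years"))

def charset_size(text: str) -> int:
    """Alphabet a character-level brute force must cover for this text."""
    classes = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33))
    return sum(n for pattern, n in classes if re.search(pattern, text))

def char_level_bits(password: str) -> float:
    """Search space (bits) if the attacker tries every character combination."""
    return len(password) * math.log2(charset_size(password))

def word_level_bits(words: list[str], suffix: str = "") -> float:
    """Search space (bits) if the attacker guesses whole dictionary words: one
    list choice per word, one case bit per capitalised word, plus a character
    search over the trailing digits/symbols."""
    bits = len(words) * math.log2(WORDLIST_SIZE)
    bits += sum(1 for w in words if w[:1].isupper())
    if suffix:
        bits += len(suffix) * math.log2(charset_size(suffix))
    return bits

def humanize(seconds: float) -> str:
    """Express a duration in its largest sensible unit."""
    for divisor, limit, unit in UNITS:
        if seconds < limit:
            return f"{seconds / divisor:.0f} {unit}"
    return "centuries"

def estimate(words: list[str], suffix: str = "") -> dict:
    """Strength is the cheaper of the two strategies; the time assumes the
    attacker must search the whole space at GUESSES_PER_SECOND."""
    password = "".join(words) + suffix
    bits = min(char_level_bits(password), word_level_bits(words, suffix))
    seconds = 2 ** bits / GUESSES_PER_SECOND
    return {"password": password, "bits": round(bits, 1),
            "seconds": seconds, "time": humanize(seconds)}

if __name__ == "__main__":
    for words, suffix in ((["Phoenix", "arizona"], ""), (["Intact", "insurance"], "123"),
                          (["Phoenix", "braves", "insurance", "planet"], "")):
        print(estimate(words, suffix))
```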
Security Best Practices
· Combine unrelated words in uncommon patterns to create unique passphrases. Do not use personal information.
· Create different passwords for each device/account, including work and personal accounts. When a company is compromised, its passwords are exposed, and every other account where you used the same password is exposed with them.
· Never re-use passwords – especially across your personal accounts.
· Do not share passwords.
· Always change default passwords.
· Immediately change passwords if there is a breach or suspected breach.
· Be vigilant about password storage. If you store them in a file, make sure it is encrypted and backed up – preferably on another device to protect against loss and malware infections. If you write them down, securely store them.
· If possible, do not use your email address as your login ID.
· Use a very strong password on your email account, because if a hacker gains access, they can use the “forgot login” function to obtain access to your other accounts and then change the passwords for all accounts associated with it. A strong password is at least 15 characters and typically contains multiple character sets (numbers, upper- and lower-case letters, and/or special characters).
· Do not allow the browser to remember passwords. This option is designed to save passwords for your convenience not your security.
· Password managers generate and remember a different complex password for each of your accounts. Always use a very strong master password that you can remember on a password manager. There are numerous password managers available. Some of them are free, and there are many reviews on the Internet. Please note that Intact Specialty Solutions, Enterprise Support, and IT cannot assist with password manager issues. They are neither endorsed nor standardized, though we do “encourage” their use over “writing” passwords on sticky notes placed on monitors or keyboards or keeping passwords in standard Excel or Word documents.
· Select security questions only you can answer, or provide fictitious answers – for example, for “Name of Your High School,” do not provide the real name of the school. Use something else and log that information in your password manager.
Use Multi-Factor Authentication (MFA) Whenever Available
· The extra layer of security provided by MFA is an important deterrent to cyber criminals. As a reminder, Intact’s security policy requires that you request and use MFA with all third-party vendors if available. It’s a good idea to consistently adopt this strategy to protect personal accounts too.