How many passwords do you use online and at home? Would it number in the hundreds? Less? More? How about one?
Passwords frustrate most people because the requirements vary from one application to the next: minimum length, special characters in some cases but not in others, numbers, upper- and lower-case letters. A newer option is multi-factor authentication, where the application sends a message to another device (e.g., a text to your mobile number) or to your email address, or requires a code from a separate application or key fob; these are known as soft and hard tokens respectively. To protect our customers, Bank of Utah uses multi-factor authentication for online banking login and additionally for certain transactions.
Because passwords are complex and there are so many of them, a number of insecure workarounds have become common. Passwords get written down in a notebook or on a sticky note, saved in a document on the computer, or chosen to be easy to remember and therefore easy for others to guess: common dictionary words, family or pet names, significant family dates and other personal numbers. Worst of all, we may use the same password for multiple applications, otherwise known as password reuse.
Why is using the same password across applications the worst of these workarounds? All of them carry relatively high risk, but they differ in degree:
- Written passwords can be compromised by physical theft, which, depending on how securely the notebook or note is stored, may be relatively unlikely.
- Passwords kept in a document on a computer can be compromised only if the computer itself is accessed, whether through physical theft, loss or a remote compromise. You can make this harder by encrypting the hard drive and by requiring a password to log into the computer and to open the document.
- Easy-to-guess passwords still have to be guessed or cracked. If the number of login attempts is limited by an account lockout procedure, this risk is minimized.
- If a stolen password is also used elsewhere, every one of those applications and the information behind them is now at risk. Individuals have no control over whether a large company's password database is breached, and statistically such a breach has a far more widespread effect, because a company is a bigger target than a home computer.
A recent high-profile case illustrates password reuse. LinkedIn had their password files compromised in early 2015. They sent emails to those they thought were affected, asking them to change their LinkedIn passwords, but recently acknowledged that the extent of the damage had been underestimated: more passwords were stolen than they first thought.
Mark Zuckerberg, the founder and CEO of Facebook, had his Facebook account hacked, supposedly by someone who had his old LinkedIn password and used it to get into his Twitter, Instagram and Pinterest accounts. So Mr. Zuckerberg appears to have used the same password for multiple accounts and to have missed a few when resetting them all after the breach, which is itself a process that has to be managed. In fairness, it may be that someone manages that for him.
The lesson still stands, and no one is immune. An attacker's opportunities can be limited, though, by proactively managing our passwords and using a unique one for each application. Once passwords are random and complex enough, remembering all of them becomes difficult; however, the more complex your passwords are, the less likely they are to be obtained. Here are a few suggestions:
- Combine upper and lower case letters.
- Use no fewer than eight characters. Passphrases are best.
- Include at least one number and one special character. More is better.
- Make them easy to remember, but difficult to guess. For example, make them create a pattern on the keyboard.
- Use a password management application. Make sure it is reputable, secure and fits your requirements. These applications store passwords and can often generate random ones for you. Just make the master password for the application itself strong and easy to remember.
- Use mnemonic devices: take a phrase from a favorite song, poem, book, quote, essay, etc., use the first letter of each word in the phrase, and sprinkle numbers and special characters throughout.
- Use multi-factor authentication wherever possible.
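As an added illustration, not part of the original article, the Python below puts the suggestions above into code: a check against the listed minimums, the mnemonic first-letter technique, a CSPRNG-generated password of the kind a password manager produces, and a scan of a vault for the password reuse discussed earlier. The phrase, the extra characters and the sample vault entries are constructed for the example.

```python
import secrets
import string
from collections import defaultdict

# The article's minimums: 8+ characters, upper and lower case, a digit and a special character.
SPECIALS = "!@#$%^&*()-_=+[]{};:,.?/"
MIN_LENGTH = 8

def check_policy(password: str) -> dict:
    """Which of the article's suggestions does this password satisfy?"""
    return {
        "length": len(password) >= MIN_LENGTH,
        "upper": any(c.isupper() for c in password),
        "lower": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(c in SPECIALS for c in password),
    }

def mnemonic_password(phrase: str, extras: str = "") -> str:
    """The article's mnemonic device: first letter of each word, case kept,
    with the given digits/special characters spread through the result."""
    letters = [w[0] for w in phrase.split() if w[0].isalpha()]
    step = max(1, len(letters) // (len(extras) + 1))
    pending = iter(extras)
    out = []
    for i, ch in enumerate(letters, start=1):
        out.append(ch)
        if i % step == 0:
            out.append(next(pending, ""))  # sprinkle the next extra, if any
    out.extend(pending)  # leftovers when the phrase is short
    return "".join(out)

def random_password(length: int = 16) -> str:
    """What a password manager does for you: CSPRNG output, resampled
    until it meets every rule (rejection sampling keeps the result uniform)."""
    alphabet = string.ascii_letters + string.digits + SPECIALS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(check_policy(candidate).values()):
            return candidate

def reused_passwords(vault: dict) -> dict:
    """Map each password shared by several sites to those sites: the reuse the article warns about."""
    by_password = defaultdict(list)
    for site, password in vault.items():
        by_password[password].append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}

# Constructed sample vault (not real accounts): the same password reused on two sites.
SAMPLE_VAULT = {"linkedin": "Ttl7shI!wwya", "twitter": "Ttl7shI!wwya", "bank": "x9#Pqrs2Lm!v"}
```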
Password management is tricky. Making it easy to use across the myriad applications that require it is no small task. There are mechanisms to make it easier, though. Learning to use them may seem daunting, but putting in that effort up front will pay dividends down the line. Do some digging and find the process that works best for you; just don't let it be one where you use the same password for multiple applications or make the various passwords too simple.
Speaking of multi-factor authentication: when you use it on an account, the only time you will be sent a verification code is when someone is attempting to log into that account. This means that if you did not just try to log in and you suddenly receive a verification code by text message or another multi-factor medium (e.g., email), a scammer who already has your username and password is trying to get into your account.
It is important never to give your verification code to anyone. Only enter it yourself, on your own smartphone or computer, when you are logging into an account protected by multi-factor authentication. Likewise, never give out personal information, such as your Social Security number or credit card numbers, in response to a text message or email, because you cannot know for sure who is actually on the other end of the communication.
Robert Beckstead is the Information Technology Security Officer at Bank of Utah. He comes to the Bank with experience managing information and IT security programs at various federal agencies. In addition to multiple professional certifications, he has an MBA with an emphasis in Information Assurance from Idaho State University.