It’s Time to Revisit Your Password Best Practices


When a hacker tries to access one of your accounts, the first obstacle they must overcome is the password. This is why industry professionals always encourage you to create passwords with security in mind. The latest guidelines issued by the National Institute of Standards and Technology, or NIST, are not quite conventional or traditional, but they do give valuable insight into password best practices.

What is the NIST?

NIST is the authority on all things password creation, and it is no stranger to issuing best practices. While these practices do shift over time, an unfortunate side effect of threats adapting to security standards, its advice is trusted and should absolutely be considered by all. Please see below for the recent update on password best practices.

The New Guidelines

Many organizations and Federal agencies have adopted these guidelines. Here are the latest steps to take when building a secure password.

Length Over Complexity

Most security professionals have advocated for password complexity over the past several years, but the guidelines issued by NIST disagree. NIST suggests that the longer the password, the harder it is to crack, and goes so far as to say that complexity rules requiring numbers, symbols, and upper- and lower-case letters can make passwords even less secure.

The reasoning is that users may make passwords so complicated that they forget them entirely, so when it comes time to replace the password, they simply add a “1” or an exclamation point to the end of the old one. This makes the new password easy to predict should the original be stolen. Users might also be tempted to use the same password for multiple accounts, which is a whole other issue that certainly does not aid security.

No More Password Resets

Many organizations require their staff to change their passwords periodically, typically every month or every few months. The idea is to preemptively change passwords on the off chance that the old ones have been compromised: an attacker who later tries the old password is locked out, as it has since been changed. While this has been an accepted best practice for some time, NIST recommends that it be set aside, as it is actually counterproductive to account security.

The reasoning behind this determination is that people will not be as careful with the password creation process if they are always making new ones. Plus, when people do change their passwords, they will use the same pattern to remember them. This means that passwords could potentially be compromised even if they have been changed, as a hacker could recognize the pattern and use it against the user.

Make Passwords Easy to Use

Some network administrators worry that quality-of-life features such as showing a password while the user types it, or allowing copy/paste into the password field, make a password more likely to be compromised, and so they remove them. The truth is the opposite: ease of use does not compromise security, as people are more likely to stick to established password protocol if you make it easier for them to do so.

Don’t Give Out Password Hints

At the same time, you don’t want to make things too easy for your employees, either. One way that administrators help employees who easily forget passwords is by providing password hints. The system itself is flawed, especially in today’s society of oversharing information across social media and the Internet in general. If Sally bases her password on the name of her dog, for example, the hacker might find that name on her social media page and then try variations of it until the password is cracked. So, in the interest of network security, it’s better to forgo these hints. There are other ways to make your password system easier to deal with that don’t compromise security.

Limit Password Attempts

When you place a limit on password attempts for your business, what you are essentially doing is giving hackers only a limited number of chances to get lucky. NIST suggests that most employees fall into one of two categories when it comes to remembering passwords: either they remember the password, or they keep it stored somewhere (hopefully in a password management system). Since an employee will do one or the other, a limit on password attempts will not necessarily impact them, but it will make all the difference against security threats.
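As an added example (not code from the post), here is a per-account failed-attempt limiter in Python that turns the advice above into a concrete control: after a set number of wrong guesses the account is locked for a cooling-off period, and during that period even the correct password is rejected, so a guesser cannot “get lucky”. The max_failures and lockout_seconds values, the account name and the passwords are assumptions constructed for the example.

```python
import hmac
import time
from collections import defaultdict
from typing import Callable, Dict


class AttemptLimiter:
    """Per-account failed-login counter with a temporary lockout."""

    def __init__(self, max_failures: int = 5, lockout_seconds: int = 900,
                 clock: Callable[[], float] = time.monotonic):
        # max_failures and lockout_seconds are assumed values for this example
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock  # injectable so tests can advance time
        self._failures: Dict[str, int] = defaultdict(int)
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, account: str) -> bool:
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            # lockout expired: give the user a fresh window of attempts
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def record_failure(self, account: str) -> int:
        """Count a wrong guess; return attempts left before lockout (0 = locked)."""
        if self.is_locked(account):
            return 0
        self._failures[account] += 1
        remaining = self.max_failures - self._failures[account]
        if remaining <= 0:
            self._locked_until[account] = self.clock() + self.lockout_seconds
            return 0
        return remaining

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)


def attempt_login(limiter: AttemptLimiter, account: str, password: str, expected: str) -> str:
    """Return 'locked', 'ok' or 'denied'. A locked account rejects even the
    correct password, so a guesser cannot get lucky during the lockout."""
    if limiter.is_locked(account):
        return "locked"
    # constant-time comparison; a real system compares against a password hash
    if hmac.compare_digest(password.encode(), expected.encode()):
        limiter.record_success(account)
        return "ok"
    limiter.record_failure(account)
    return "denied"
```

In production the counter state lives in a shared store so every login server sees the same count, and the lockout event is logged so repeated lockouts on one account can be investigated.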

Implement Multi-Factor Authentication

We recommend that your business implement multi-factor authentication, or at least two-factor authentication, wherever possible. NIST recommends that users demonstrate at least two of the following types of authentication before they can access an account:

  1. “Something you know” (like a password)
  2. “Something you have” (like a mobile device)
  3. “Something you are” (like a face or a fingerprint)

If two of the above are met, then there is sufficient evidence to suggest that the user is supposed to be accessing that account. Consider how much more difficult this makes things for a hacker. Even if they have a password, it is unlikely that they also have physical access to a mobile device, a face, or a fingerprint.

Make password security a priority for your organization now so that you don’t have to worry about data breaches later on down the road. AE Technology Group can help you set up a password manager that makes adhering to these best practices easier. To learn more, reach out to us at (516) 536-5006.

Take Charge of Security With Two-Factor Authentication


As attacks by hackers become all too common, it is increasingly important to ensure that accounts and passwords are protected. Two-factor authentication (2FA) provides an extra level of protection to accounts and is an important security option that all companies should consider. If you have questions or would like to learn more, AE Technology Group would be happy to help.

What is Two-Factor Authentication?

Two-factor authentication provides a method for keeping accounts safe even if a password is hacked or stolen. In addition to a password, 2FA requires that the account holder provide an additional piece of evidence to confirm they own the account. While there are many options for authentication factors, the three common categories are:

  • A piece of information unique to the user, such as a password or PIN;
  • A physical object owned by the user, such as a smartphone or token; or
  • A biometric indicator, most commonly fingerprints verified by a fingerprint reader.

When an account needs to be verified, the system will first require that the user enter their password and then request their second form of authentication. For example, after a password is entered, the system may generate a phone call to the user’s smartphone.

What Are the Benefits of 2FA?

The most obvious benefit to 2FA is security. In the password/smartphone example used above, a hacker would only gain access to the account if they knew the account password and had access to the associated smartphone. 2FA also allows for increased flexibility for workers. Without having to worry about the safety of their devices, they can work remotely and in more locations – allowing them to maximize their time and productivity.

How Do I Implement 2FA?

AE Technology Group is perfectly poised to help your business implement 2FA.

Contact us today to get help improving safety and security for your business and employees.

Why Is 2-Factor Authentication Important?


Hacking is becoming more common as major websites suffer data leaks containing emails, passwords, and other sensitive information. This kind of hacking has made international headlines and brought cybersecurity and internet safety to the forefront. Any computer that gets infected and that contains your personal information can make you the victim of identity theft. In the most serious cases, hackers get far more than just your email and password. Oftentimes, such data security breaches give hackers access to even more of your sensitive information, such as your credit card or bank account numbers, or even your address, phone number, and social security number.

Many people use passwords to keep the bad guys out of their information and their accounts; sadly, in 2018, that’s not always enough of a protective barrier to keep your sensitive information safe. Today’s most sophisticated hackers have learned how to use methods like phishing and pharming to test billions of password combinations until they find yours. Once they do, all of the sensitive information inside is theirs for the taking!

Many internet users are even easier targets because they use the same password for multiple accounts on multiple websites, since that makes it easier to remember. If you do that, once a hacker gets access to one site, they have access to every site with the same username and password combination, which compromises far more of your personal information than if you used a different combination for each site.

To combat this increasing issue of hackers getting into people’s information, many websites are taking to using what is called “2-factor authentication” which is essentially a system that double-checks a person’s identity to make sure they are the person who should be accessing the account before letting them in. This 2-factor authentication can be required every time a person logs in or if they are logging in from a new device, for example.

Many websites that you already use have this 2-factor authentication option. Sites like Facebook and Gmail are great examples of sites that give users this option. Users simply have to use their settings to request 2-factor authentication as an option. One example of 2-factor authentication is entering a code that you are texted or emailed to access your account if you forget a password or want to change a password. This is confirming you are who you claim you are, so you have already engaged in a 2-factor authentication process.

This 2-factor authentication is even more crucial when protecting personal information such as your banking information or personal email where further personal information may be attainable. It’s unfortunate that we live in a world where people try to take other people’s information but it is happening more and more often these days. Protecting your information should be your number one priority and 2-factor authentication is the latest way to do just that.

For more information about 2-factor authentication and how you can protect your personal information please feel free to contact us at the AE Technology Group for further assistance.

Computer Tip of the Day: Passphrase Alternative to Passwords


You hear it constantly. “Use strong passwords.” “Don’t reuse passwords.” “Don’t use common words, be sure to mix characters, etc.” To the average technology user, it is overwhelming enough that the rules can end up encouraging bad security habits.

Traditional passwords, even strong ones, are easier to crack by brute force (computer-assisted repeated attempts at different character combinations) than you might think. Combine this with the need for users to remember complex, unique passwords, and their frequent reliance on insecure practices like writing account information down, and it’s no wonder so many accounts are compromised.

Enter the Passphrase

Rather than using gibberish or some arcane, easily confused character-swapping scheme, you can form a surprisingly secure and easily remembered passphrase by stringing together a short sentence of 3-4 words.

Example: Orange bananas are weird!

Think about how simple that phrase will be to remember. You can even have some fun with your passphrases, coming up with goofy and entertaining snippets that will give you a little chuckle every time you type them in.

By using spaces (Note: some services will not allow spaces in password fields) to separate the words, you create an incredibly resilient ‘password’ to secure your accounts. Some studies even suggest that it will take millennia (yes, millennia) for a brute force attack to eventually guess the passphrase and crack the account. Remember, a space is considered a special character. When you add in capitalization and normal sentence punctuation, plus passphrases that are 20+ characters long, you’ll meet the complexity requirements of most, if not all, services you need to create passwords for.
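To put numbers on the “millennia” claim, here is an added example (not code from the post) that estimates the worst-case time to exhaust the search space of a short traditional password versus the 25-character passphrase above, and shows how to generate a passphrase from a word list with a CSPRNG. The word list, the 1e11 guesses-per-second rate and the 95-character alphabet are assumptions; the per-word entropy figure is the honest one for a generated passphrase, since a list of only 16 words yields just 16 bits for four words.

```python
import math
import secrets

# Constructed word list for illustration only; real lists (e.g. Diceware's 7776
# words) are far larger, which is where most of the entropy comes from.
WORDS = ["orange", "banana", "weird", "purple", "kettle", "cloud", "river",
         "marble", "quiet", "lantern", "velvet", "summit", "pencil", "harbor",
         "ginger", "walnut"]
PRINTABLE_ASCII = 95        # letters, digits, symbols and the space character
ASSUMED_GUESS_RATE = 1e11   # guesses per second; an assumption, not a measurement


def random_passphrase(n_words: int = 4, words=WORDS) -> str:
    """Join words picked with a CSPRNG; read it aloud to make it memorable."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


def passphrase_bits(n_words: int, wordlist_size: int) -> float:
    """Entropy when each word is drawn uniformly from a list of that size."""
    return n_words * math.log2(wordlist_size)


def charset_bits(length: int, charset_size: int = PRINTABLE_ASCII) -> float:
    """Search space faced when every printable character is possible at each position."""
    return length * math.log2(charset_size)


def years_to_exhaust(bits: float, rate: float = ASSUMED_GUESS_RATE) -> float:
    """Worst-case years to try every candidate in a search space of 2**bits."""
    return 2 ** bits / rate / (365.25 * 24 * 3600)


def compare(short_pw: str, phrase: str) -> dict:
    """Years to exhaust the character search space of each string, keyed by string."""
    return {short_pw: years_to_exhaust(charset_bits(len(short_pw))),
            phrase: years_to_exhaust(charset_bits(len(phrase)))}
```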

Lastly, many of your accounts will likely require you to change passwords every few months, at a minimum. Who hasn’t run into a situation where you struggle to come up with a new, unique password on the fly? Passphrases are easier by far to alter, substituting in new words, while not causing overt confusion when you next go to log in.

There are alternatives to creating passphrases to secure your accounts better than traditional passwords. Password managers come to mind. If you don’t trust, or understand, how to use a password manager, or just prefer the control that comes with making your own passwords, consider changing to the passphrase approach.

Contact us to discuss ways we can help you secure you, your business, and your family today.

Password Protection – Computer Tip of the Day


Password Protection

One of the most important things to do when browsing the web, or even just using your computer in general, is to make sure your passwords are as secure as possible. This keeps your data safe from hackers and protects your accounts and personal information from many kinds of attacks.

What many people don’t seem to realize is that a number of the ways you can get hacked are easily avoidable, at least in theory. The most common methods currently used to break into accounts are dictionary attacks, cracking security questions, and social engineering. In addition, many people make hacking their accounts easier by setting extremely simple passwords that can be easily guessed, or by using the exact same password for multiple accounts.

Dictionary Attacks

Dictionary attacks are when a hacker figures out your password by trying a massive number of candidate passwords one after another until they manage to break into your account. The primary way to avoid having your account broken into like this is to avoid things like spelled-backward words, common dictionary words, and consecutive keyboard combinations of letters like qwerty, asdf and so on.
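As an added example (not code from these posts), the following Python password check enforces the advice from both the “Length Over Complexity” post above and this section: length is the only strength rule (no digit/symbol/case requirements, spaces allowed), the “old password plus a 1 or !” pattern is refused, and whole dictionary words, reversed words and keyboard runs are rejected. The 12/128 length limits and the small denylists are assumptions constructed for the example; a real deployment would load a large list of common and breached passwords.

```python
import unicodedata
from typing import List, Optional

MIN_LENGTH = 12   # assumed policy value; the posts give no exact number
MAX_LENGTH = 128
# Constructed denylists: a few dictionary words and the keyboard runs named in
# the post. A real deployment would load a large common/breached-password list.
COMMON_WORDS = {"password", "welcome", "letmein", "dragon", "monkey", "football"}
KEYBOARD_RUNS = ["qwerty", "asdf", "zxcv", "1234", "abcd"]


def normalize(pw: str) -> str:
    # NFKC so visually identical input compares equal; spaces are kept as-is
    return unicodedata.normalize("NFKC", pw)


def trivial_variant(new: str, old: str) -> bool:
    """The 'add a 1 or !' pattern: old password plus up to two trailing
    characters, or only the final character changed (case-insensitive)."""
    n, o = new.casefold(), old.casefold()
    if n.startswith(o) and len(n) - len(o) <= 2:
        return True
    return len(n) == len(o) and n[:-1] == o[:-1]


def guessable(pw: str) -> Optional[str]:
    """Return why a password is dictionary-attack fodder, or None if it is not."""
    low = pw.casefold()
    for run in KEYBOARD_RUNS:
        if run in low:
            return f"contains keyboard sequence {run!r}"
    for word in COMMON_WORDS:
        if low == word or low == word[::-1]:
            return f"common word {word!r} (forward or reversed)"
    return None


def check_password(new: str, old: Optional[str] = None) -> List[str]:
    """Return policy problems; an empty list means the password is accepted.
    Length is the only strength rule: no digit/symbol/case requirements."""
    pw = normalize(new)
    problems = []
    if not MIN_LENGTH <= len(pw) <= MAX_LENGTH:
        problems.append(f"length must be {MIN_LENGTH}-{MAX_LENGTH} characters")
    reason = guessable(pw)
    if reason:
        problems.append(reason)
    if old is not None:
        if pw == normalize(old):
            problems.append("same as previous password")
        elif trivial_variant(pw, normalize(old)):
            problems.append("previous password with only the ending changed")
    return problems
```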

Breaking Security Questions

Quite a few people use common words or names, like their first name, their pet’s name or their place of work, as answers to their security questions, and all of these are extremely easy to figure out with a bit of research. You can make these questions much harder to crack simply by choosing answers that are not obvious and that a potential hacker couldn’t find just by browsing your Facebook page.

Social Engineering

This is a fancy term for elaborate lies, and it is an alternative to technical hacking. Social engineering is where a hacker attempts to manipulate you into revealing confidential information, like your email password or social security number.

Reusing Passwords

Using the same password for multiple accounts is generally not the best idea, as it makes hacking you much easier. It also exposes multiple accounts to being hacked simultaneously, since breaking the password on one account gives a hacker access to every account that uses that password.

For more tips and hints on how to protect your accounts from hackers, contact us today!