October is Cybersecurity Awareness Month: Here Are 4 Things You Can Do
For the past 19 years, October has been recognized as Cybersecurity Awareness Month in the United States. This year the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA) have collaborated on a campaign designed to provide information and resources that help educate the public. The campaign theme, “See Yourself in Cyber,” reinforces the human element of cybersecurity. As part of the campaign they have identified four things you can do to improve your cybersecurity posture. To support the campaign, Dopkins & Company is releasing a weekly blog discussing each of these topics:
- Enable Multi-Factor Authentication
- Use Strong Passwords
- Recognize and Report Phishing
- Update Your Software
While reading these blogs, keep the theme (See Yourself in Cyber) in mind. Each of these key actions is something YOU can do to improve cybersecurity at home, work, and school. While each blog discusses the actions individuals should take, it will also touch on how businesses can help their employees succeed with each action.
You can view the campaign directly on CISA’s website at https://www.cisa.gov/cybersecurity-awareness-month.
Defining a strong password
In order to use strong passwords, it is vital to know what a strong password is. At a high level a strong password is easy for you to remember but difficult for someone else to guess. We will take a look at how to achieve each of these along with additional best practices.
While reading this blog, keep the first blog in this series on Multi-Factor Authentication (MFA) in mind: it is still extremely important to enable MFA. Creating a strong password and enabling MFA complement each other; neither is a replacement for the other.
Difficult for someone else to guess
Password best practices of the past have resulted in people creating passwords that are easy to remember at the cost of also being easy for someone else to guess. An example of this bad practice is using a child’s name and date of birth. Anybody who knows you, has access to public records, or can view your social media accounts (do you share publicly or accept strangers’ requests to connect?) can piece this information together and make educated guesses at your password. Other easily guessable choices include the company name, “123456”, or even “password” itself. These common or predictable passwords must be avoided in order to create a password that is difficult for someone else to guess.
Passwords must also never be reused or shared. If you share a password, it gives another person full access to your account; control of that account and the password is now out of your hands. Reusing passwords across multiple accounts means one compromised password can grant access to several accounts, because attackers routinely try leaked credentials against other sites. Every account should have a password that is not similar to any other. Adding a number to the same password, or changing just a couple of characters, is not enough to make it truly unique: attackers test exactly those variations first.
Easy for you to remember
So, let’s look at how to create an easy-to-remember password that is better than P@ssword2. This can be accomplished using a passphrase, which is a short sentence of full words typed out.
The first method of creating a passphrase is to start from a popular song lyric, movie quote, or literary passage. One example is: LifeislikeaBoxofChocolates. This passphrase is 26 characters with a few capital letters, and can easily have spaces, numbers, or an extra word added at a random spot to make it longer. If you are a Forrest Gump fan you will never forget it. One caveat: a famous quote typed verbatim is likely to appear in the word lists attackers use for cracking, so its length helps less than it appears to. Change it in a way only you would know (an added word, a swapped word, a number in the middle) rather than relying on the quote alone.
Another method is to select random words so that the passphrase carries no meaning an attacker could guess. You could look around your work environment for ideas, but people are poor at choosing randomly, so a random word generator is preferable; a generator that runs on your own device is better than an online one, since a passphrase typed into a website is known to that website. A generator will produce something like: NativeGarageDeleteMerit. While not as easy to remember as the previous method, four words are easier to remember than the complex passwords of the past, which were rarely as long as they should have been. This passphrase is 23 characters and, like the previous example, can easily have spaces or numbers added at a random spot to make it longer. This passphrase’s length and randomness make it difficult to guess, and its strength grows with the size of the word list and the number of words drawn.
Recent studies have found the average person has 100 or more (even up to 150+) online accounts with passwords.
One Exception: Password Managers
A password manager will securely store your account usernames and passwords. This can save you from creating and remembering 100+ unique passphrases. Password managers are an exception to the “easy for you to remember” rule because you can use the password manager to generate a very long (30+ character) random password for each account. Because it is stored in your password manager you do not need to remember it, and it is far more difficult for someone else to guess than anything you would memorize. A password manager is only as secure as the master passphrase that unlocks it, so create that passphrase following the best practices outlined in this blog and enable Multi-Factor Authentication (MFA) on the password manager account. Stored credentials are encrypted with a key derived from your master passphrase; in most designs MFA protects sign-in and sync rather than the encryption itself, which is why the master passphrase must be strong in its own right. Password managers have the added benefit of allowing passwords to be copied and pasted into websites or auto-filled using their browser extension, which also helps against phishing because the extension only fills credentials on the site they were saved for. Password managers are available across multiple devices and locations for ease of access to accounts.
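To make the two generation methods above concrete (random-word passphrases, and the long random passwords a password manager produces), here is an added Python example that is not part of the original blog. It draws from the operating system’s cryptographic random source via the standard `secrets` module, never `random`, and computes the strength of each output in bits. The word list is a small constructed sample for illustration only; for real use, load a large published list (the EFF long list has 7,776 words), because the strength estimate is driven entirely by list size and word count.

```python
import math
import secrets
import string

# Constructed sample word list for this example only. A real generator
# should load a large published list; with 28 words, four draws give only
# about 19 bits, versus about 52 bits from a 7,776-word list.
SAMPLE_WORDS = [
    "native", "garage", "delete", "merit", "anchor", "basket", "candle",
    "desert", "ember", "falcon", "glacier", "harbor", "island", "jungle",
    "kettle", "lantern", "meadow", "nectar", "orbit", "pepper", "quartz",
    "ribbon", "saddle", "timber", "umpire", "velvet", "walnut", "yonder",
]

# Character set a password manager typically uses for generated passwords:
# 52 letters + 10 digits + 32 punctuation characters = 94 symbols.
MANAGER_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def passphrase_bits(list_size: int, word_count: int) -> float:
    """Strength of `word_count` words drawn uniformly, with replacement, from
    a list of `list_size` words: log2(list_size ** word_count)."""
    return word_count * math.log2(list_size)


def random_string_bits(alphabet_size: int, length: int) -> float:
    """Strength of `length` characters drawn uniformly from `alphabet_size`
    symbols: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def generate_passphrase(word_list, word_count: int = 4, separator: str = "-") -> str:
    """Build a passphrase like Native-Garage-Delete-Merit.

    secrets.choice reads from the OS CSPRNG, so each word is an independent,
    uniform draw; capitalisation and the separator aid readability and add
    no strength, since an attacker can assume them.
    """
    chosen = [secrets.choice(word_list) for _ in range(word_count)]
    return separator.join(word.capitalize() for word in chosen)


def generate_manager_password(length: int = 32) -> str:
    """Build the kind of long random password a password manager stores
    for you; nothing here needs to be memorable."""
    return "".join(secrets.choice(MANAGER_ALPHABET) for _ in range(length))


if __name__ == "__main__":
    phrase = generate_passphrase(SAMPLE_WORDS)
    print(phrase, f"{passphrase_bits(len(SAMPLE_WORDS), 4):.1f} bits (sample list)")
    print(f"same method with a 7,776-word list: {passphrase_bits(7776, 4):.1f} bits")
    pw = generate_manager_password()
    print(pw, f"{random_string_bits(len(MANAGER_ALPHABET), len(pw)):.1f} bits")
```

The numbers explain why the blog recommends both methods: four words from a large list land around 52 bits, comfortably beyond online guessing and reasonable against offline cracking of a properly hashed password, while a 32-character manager-generated password is around 210 bits and is simply not guessable. Adding a fifth word to the passphrase is worth far more than capital letters or a trailing digit.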
It is important to point out the difference between using a password manager and other methods of storing passwords. These methods should not be used and should be replaced with a password manager:
- Saving passwords in a file on a PC – This is high risk because anyone who gains unauthorized access to the PC holding the file has every stored account at once. That access could come from an attacker outside the organization or from someone inside who has permissions they should not.
- Writing or printing passwords – Passwords on paper can only be used from one location and can be destroyed in a disaster. Carrying them with you raises the risk of their being misplaced or stolen, and paper is hard to keep current when passwords change.
- Saving to your browser – Credentials saved in a browser can be stolen if the PC, or even just the browser profile, is compromised; malware running as the logged-in user can typically read them directly.
Barriers to Implementing
These steps to using strong passwords may seem fairly straightforward for an individual; but, how does an organization require all employees to follow password best practices? The first step is to create (or update) a password policy. If the requirements are not defined in a policy there is nothing dictating what employees should do and no authority to back it up. A policy alone is likely not enough. Providing a business class password manager and encouraging (or requiring) use will go a long way. Password requirements of all systems, internal and external, should be reviewed to make sure only secure passwords that match your policy can be created. Employees will need to be trained regularly on the most recent policy and best practice.
Check out our Cybersecurity Awareness Month 2022 page for more resources.
About the Author
Dopkins Assurance Services Group
Dopkins offers a full range of assurance services that can help improve your financial accuracy. From financial report preparation and audits of historical financial statements to preparation of an array of special attestation reports—we can help translate numbers into accurate management information so you can make knowledgeable decisions. For more information, contact Bart McGloin, CPA, CFE, CFF at email@example.com.