Password best practices

Back to Blog
04May2017

Password best practices

Some people say passwords are dead. I don’t know if I 100% agree with that, since in actual fact and practice, we still rely on them heavily to secure access to our personal information online. The idea behind these “passwords are dead” sentiments is that a single factor of authentication is no longer “enough” on it’s own. Partially because there are so many hacks and credential leaks, and partially because people tend to keep very bad password practices (like simple passwords or passwords that are used on multiple sites with the same identity/email address).

Therefore, the argument goes, you need to be thinking about adding other protections such as 2FA (Two-Factor Authentication) wherever possible. Rather than passwords only, you should be introducing multiple forms of authentication:

  • something you are (e.g. biometrics)
  • something you have (e.g. mobile device or hardware key)
  • something you know (e.g. your traditional passphrase, or a security question)

So here’s the thing: Regardless of whether you’ve enabled 2FA, proper password hygiene is still very important. And if you are exposed in a confirmed security breach, such as the LinkedIn or Yahoo ones in the last year or two, you STILL need to go and change your passwords. And probably when this happens, you have to go and do this on more than just those websites, if you are like many people, and tend to re-use the same passwords in multiple locations.

Start eliminating your risk factors

Without further ado, here are the simple password hygiene rules / best practices that you need to be following:

  1. Pick complex passwords (11-16 characters, non-dictionary words, non-alphanumeric, etc.)

  2. Use different passwords everywhere (use a password manager to help)

  3. Change your passwords at least every few months (e.g. quarterly)

  4. If you are caught in a breach, change passwords ASAP

  5. Still enable 2FA as an extra layer of defense

There you go, following those 5 simple rules will place you in the safest 5% of users on the Internet. This is a completely made up statistic, and I have no idea if it’s accurate, but for every one of these things that you’re not doing, you are allowing yourself to sit in a much higher risk bracket. Don’t be the sucker in the room. Start eliminating that risk by following those simple rules.

How to Implement this Today

I get it, this is totally an inconvenience. But you know what else is inconvenient? Having your identity stolen. Having your bank accounts accessed, your email hacked or your personal information or business exposed. But there is good news–it doesn’t have to be a huge project or take a long time (okay, it will still take some of your time, but stick with me–it’s not that hard).

Personally, I use LastPass. This and other programs like it (e.g. 1Password, KeePass and more) can help you track your passwords, and centrally store them (so they can be automatically filled out for you when you visit websites, etc.). They also help generate unique passwords for each site using a built-in password generator (random characters). The key here is that you don’t have to actually know the passwords, you just need to ensure they are randomized, and different for different sites & providers.

These services have free and paid versions, and I can say from experience, the pay versions are usually worth it (use multiple devices, access to more features, etc.). LastPass even has a feature called “Security Challenge” that analyzes your passwords for weakness, duplicates, etc. and compares how you line up to others.

Drawbacks

Credential managers like these can be a bit controversial, because it means all your passwords live in a single place, and if that one place is compromised, attackers have access to a whole treasure trove of your stuff. Well, that is true I suppose, but without a tool like this, it can be very difficult to achieve the same level of security, since most of us now have dozens of passwords we need to remember and maintain.

Another drawback is user experience. On the PC or Mac, tools like LastPass or even just the key-chain built into many OS’s and web browsers provide a simple and streamlined user experience. But the problem is, it doesn’t always translate into other platforms or devices, such as mobile devices. On my iPhone for example, I sometimes find myself having to leave whatever app I’m signing into (like a banking app), switch over to the LastPass app, find the credentials I need, copy the password into my clipboard, and then switch back to the banking app to paste them into the password field.  In a few rare cases, the paste function isn’t even available, so I have to “show” the password in LastPass, then flip back and forth a few times to fill out the values correctly. Not exactly awesome, but I recognize this inconvenience is necessary to achieve greater security.

Mitigating your risk

If the LastPass database ever were hacked & leaked, I would of course have a fair amount of work ahead of me, to get busy changing all my passwords. Some other ways I might mitigate my risk/exposure on this platform is to ensure 2FA is setup on my LastPass account, as well as other accounts, and to tie it to an email account which is not stored in the credential manager itself, or used in other websites & services–remembering just two or three complex passwords is still better than remembering 50+.

Some people prefer using something more “local” like KeePass because the password file is kept on your devices themselves, somewhere of your choosing (in other words, not in the cloud). Therefore you can ensure the file is encrypted and that the device itself is, and you could keep a backup copy on different (encrypted) devices, etc. Note that if you make updates to your “master file” you will want to export/import it to your other devices, to ensure they are kept in sync (this is a manual rather than automatic process–with a cloud service such as LastPass it would be automatic).

No matter how you choose to achieve better password hygiene, just know that it is worth your time. Don’t be a target. Fight back and protect yourself in whatever ways you can.  If you’d like to be notified of when your email address turns up in real life breaches, visit haveibeenpwned.com, and sign up.

 

Business, Technical , , , 0 Comments
Share:

Leave a Reply

Back to Blog

Related Posts

14Apr

How to initiate a test failover to Azure Site Recovery

If you've been following along with this series, we have already: Extended our On-Premises Network to Azure Virtual Network Replicated Hyper-V Virtual Machines to an Azure Site Recovery Vault In this post we are going to perform a test fail-over of on-premises virtual machines to Azure. Since... read more
01Mar

Limiting privilege in Microsoft 365 Business

One of the most important things you can do for boosting your security posture on any technology platform (Microsoft or otherwise), is limiting administrative privilege. We have long known that any given user should really only have enough access to do their jobs, and nothing... read more
22Nov

How to improve Remote Desktop performance for remote users through an RDS Gateway Server

Do you have a Remote Desktop Server (properly) configured with the Gateway Role in your environment? In this configuration, all traffic is secured via SSL (port 443), and clients connecting over the internet to your internal RDS host(s) will be encrypted (and not necessarily identifiable... read more
19May

How to Remove a Legacy Hybrid Exchange Server and migrate to Windows Server Essentials Office 365 Integration

If you performed a Remote Move migration from a legacy system such as SBS 2011 or Exchange 2010, and now you want to remove your hybrid server without losing the ability to sync passwords to Office 365, I have some good news for you: it's... read more
05Feb

The most important tool in Microsoft 365 that you can adopt in 2021

I get it. The universe is expanding so rapidly these days that it can be difficult to know where you should focus your efforts. If you are having trouble "catching up," do not worry, you are not alone. The IT industry is working on this... read more
26Feb

Reader Question: Differences between Windows 10 Pro and Windows 10 Business

Hi Alex, I’m working on getting some of my clients over to M365 Business from O365 Business Premium. I’ve searched the web and I can’t seem to find a good explanation on the difference between Windows 10 Pro and Windows 10 Business. Is there a... read more
27Aug

Protecting extra-sensitive accounts and data sets in Microsoft 365, Part 2: Apps and Data

Last time we looked at some additional identity-based protections that are possible via additional subscriptions like Enterprise Mobility + Security E5 (which contains Azure AD Premium P2). In this post, we'll work within the same framework, but shift our focus from identity, towards protections which can... read more
07Mar

Add-ons that are NOT compatible with Microsoft 365 Business (yet)

Update 3/9/2019: I had to update this article. I am moving some former content on Identity & Threat Protection to its own article, and expanding on it there. Microsoft 365 Business is a fantastic value, and contains most of what we would like to see in... read more
05Jan

How to migrate mailboxes from Office 365 to… Office 365?

Mergers and acquisitions are probably the most common source of IT headaches in the world.  Whenever you have to deal with the complexities of merging two disparate information systems, you know you're going to run into a number of obstacles. And when both organizations are... read more
01Dec

Why aren’t you charging your customers to take care of Microsoft 365?

This is a simple question. The way I see it, there are many opportunities to provide Managed Services for SMB customers with regard to their Microsoft 365 subscriptions. Yet to this day, hardly anyone is doing it. Why? I suspect some folks have difficulty connecting... read more

Helping IT Consultants Succeed in the Microsoft Cloud

Have a Question? Contact me today.

Contact Me