MACH37 Cybersecurity Guide: Passwords and Multi-factor Authentication

Key Takeaways

  • Length is more important than complexity for the strength of a password.

  • Using a password manager can help you keep track of many hard to remember passwords.

  • Enabling MFA wherever possible will ensure that even in the event of a password breach, a hacker will not be able to access your account. 

Passwords are the most common means of authentication in the cyber world, but they only work if they are hard to guess and kept confidential. Passwords are a part of everyday life now: from unlocking your cell phone, to using your debit card, to logging in to your email. Since passwords are ingrained into so many processes nowadays, it can seem like a burden to remember dozens of complex combinations of letters, numbers, and symbols; however, their commonness should not be confused with unimportance. Some of the largest and costliest hacks begin with a single compromised password.

This installment of the MACH37 Cybersecurity Guide will cover what is actually important when choosing a password, tips for managing many passwords, and when and how to set up Multi-factor Authentication (MFA).

Passwords

Go for length over complexity

You are probably used to hearing that you should include one capital letter, one special symbol, one number, etc., in order to make your password more difficult to guess. A paper from the National Institute of Standards and Technology (NIST) found that “analyses of breached password databases reveal that the benefit of such rules is not nearly as significant as initially thought” and concludes “password length has been found to be a primary factor in characterizing password strength”. 

Research has shown that users respond in very predictable ways to the requirements imposed by these complexity rules. For example, a user that might have chosen “password” as their password would be relatively likely to choose “Password1” if required to include an uppercase letter and a number, or “Password1!” if a symbol is also required.

We can grasp the intuition for why length is more important if we think about it mathematically. Suppose a hacker is trying to guess your password by brute force and you choose a "complex" password of 7 characters: 5 lowercase letters, one special symbol, and one number. If the attacker does not know which position holds which kind of character, each position could be any of the 26 letters, any of the 32 special characters, or any of the 10 digits, so there are 68^7, or about 6.7 trillion (a 13-digit number), possibilities. Now what if you instead choose a password of 11 lowercase letters (only 4 more characters)? That comes out to 26^11, or about 3.67 quadrillion (a 16-digit number). The takeaway? Drop the crazy, complex mixture of upper case letters, symbols, and numbers. Instead, opt for something more user-friendly but with at least eight characters and a maximum length of 64 characters.
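To make the comparison above concrete, here is a small added example (not code from the MACH37 guide) that computes the search space and equivalent bits of strength for any alphabet size and length, finds the shortest lowercase-only password that matches a given mixed-character password, and estimates the worst-case time to exhaust each space. The guess rate used in the demonstration is a constructed figure for illustration, not a measurement.

```python
# Added example (not from the MACH37 guide): how password length compares
# with character-set size when an attacker must try every combination.
import math

LOWER = 26          # a-z
DIGITS = 10         # 0-9
SYMBOLS = 32        # printable ASCII punctuation, as counted in the guide


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of `length` characters drawn from an
    alphabet of `alphabet_size` symbols: the worst-case search for a
    brute-force attacker who knows only the alphabet and the length."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Equivalent strength in bits: log2 of the keyspace."""
    return length * math.log2(alphabet_size)


def min_length_to_match(target_space: int, alphabet_size: int) -> int:
    """Smallest length over `alphabet_size` whose keyspace reaches `target_space`."""
    length = 1
    while keyspace(alphabet_size, length) < target_space:
        length += 1
    return length


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try the whole keyspace at an assumed guess rate."""
    return space / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    complex_7 = keyspace(LOWER + DIGITS + SYMBOLS, 7)   # 68^7, the guide's first case
    lower_11 = keyspace(LOWER, 11)                      # 26^11, the guide's second case
    print(f"68^7  = {complex_7:,}  ({entropy_bits(68, 7):.1f} bits)")
    print(f"26^11 = {lower_11:,}  ({entropy_bits(26, 11):.1f} bits)")
    # 10 billion guesses per second is a constructed rate for illustration only.
    rate = 1e10
    print(f"years to exhaust 68^7 : {years_to_exhaust(complex_7, rate):.4f}")
    print(f"years to exhaust 26^11: {years_to_exhaust(lower_11, rate):.2f}")
    print("lowercase-only length matching 68^7:", min_length_to_match(complex_7, LOWER))
```

Running it shows that ten lowercase letters already outnumber the seven-character mixed password, and that each added character multiplies the work by the alphabet size, which is why NIST's guidance leans on length. The estimate assumes a uniformly random password; a dictionary word with "1!" appended is guessed far sooner than the keyspace suggests.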

Guidance

These are the current best practices for choosing passwords:

  • According to NIST guidance, you should consider using the longest password or passphrase permissible (16-64 characters).

  • Don’t use the same password twice.

  • Reset your password when you forget it, but also change it once per year as a general refresh.

  • It’s important to mix things up—get creative with easy-to-remember ways to customize your standard password for different sites. Having different passwords for various accounts can help prevent cyber criminals from gaining access to these accounts and protect you in the event of a breach.

  • Never leave a password hint out in the open or make it publicly available for hackers to see.

Use a Password Manager

A lot of us have trouble remembering the dozens of passwords we need and get sick of resetting them constantly. The most secure way to store all your unique passwords is by using a password manager. With just one master password, a computer can generate and retrieve passwords for every account you have—protecting your online information, including credit card numbers and their three-digit CVV codes, answers to security questions, and more.

Password managers also generate strong passwords for you, and they retain your login credentials, so you don’t have to remember them. Here is a list of the most popular password managers of 2021.

Multi-factor Authentication (MFA)

No matter how long and strong your password is, a breach is always possible. All it takes is for just one of your accounts to be hacked, and your personal information and other accounts can become accessible to cyber criminals.

Enable multi-factor authentication (MFA) to ensure that the only person who has access to your account is you. Use it for email, banking, social media, and any other service that requires logging in. If MFA is an option, enable it by using a trusted mobile device, such as your smartphone, an authenticator app, or a secure token—a small physical device that can hook onto your key ring. This way, even if cyber criminals guess your password, they’re still out and can't get in.

You can check the security settings for each of your accounts to opt in to MFA. Here are full instructions for setting up MFA for your Gmail account.

Conclusion

Passwords can be a weak link in your cyber life or an impenetrable wall. By choosing long unique passwords for your accounts, you make it near impossible for hackers to guess your password even with advanced password cracking techniques. Password managers are a great tool for assisting you in keeping track of all these great passwords and MFA is a critical step to prevent fraud on your accounts. Lastly, have fun coming up with your creative easy-to-remember passwords, make yourself laugh!