Recapping Password Usage (4 of 4)

Password example

This post is the fourth in a series of four about the current role of passwords in cybersecurity. Specifically, we will explore and explain how the changing threat environment moves the password from primary identity confirmation to a more supporting role.

While our focus here at Pythia Cyber is helping companies make the best choices in their cybersecurity, this series touches on the user experience as we are all users and that shared experience is helpful in describing how cybersecurity should be deployed inside your organization.

The first post in this series is here. The second post is here. The third post is here.

So far in this series we’ve covered weaknesses in passwords as a login strategy, and the importance of Multi-Factor Authentication (MFA) to provide a safety net. Now that we have MFA in place (you turned it on after reading the last post - right?), let’s talk about how to use passwords effectively.

We mentioned before that you shouldn’t reuse passwords. Your local swimming pool (for example) doesn’t have security good enough to protect your investment account password. But we all have dozens or even hundreds of accounts, so how to keep track of all those passwords?

Enter the password manager. A password manager is an app integrated with your web browser that remembers your passwords for you. You need a password to access it - this one you need to remember! - but then you can generate truly random passwords for every online account. You don’t need to remember them, that’s the password manager’s job.

Some password managers are integrated into your web browser, others exist as separate applications. Fancier password managers allow sharing passwords between (for example) family members, for joint accounts. Reviewing the password managers on the market is beyond the scope of this article - but buyer beware! Some password managers have a poor security track record (shocking though this is), and there are few targets more attractive to a hacker than a poorly-protected collection of passwords. Do your research. (Tempting targets such as all your passwords in a single place are covered in this post.)

Rotating passwords - that is, changing the password on an existing account - is another good security strategy. Changing a password restarts the clock on any of those password-hackers we mentioned several posts back, changing the attack from “guess the password” to “guess the password before it changes”. Some password managers can help remove the drudgery from password rotation. Password rotation policies are particularly useful in our professional lives - we ourselves follow good password hygiene (right?), but we may have colleagues who need a nudge every 3 to 6 months to change up the password they’re using.

Once we’re using all these tools, it still makes sense to choose passwords that are “strong enough” - not an actual word with a number on the end. But because you’re only using that password on one account, turning on MFA, and rotating your passwords - it’s no longer the only line of defense. Spread your energy across all these topics, rather than putting all of it into trying to come up with the perfect password. Because, as we’ve seen, there really isn’t one.
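To make the two points above concrete - what a password manager means by “truly random”, and why “a word with a number on the end” is not strong enough - here is a small added example (written for this page, not code from Pythia Cyber or any particular password manager). It draws a password uniformly from a 94-character alphabet using the operating system’s cryptographic random source, reports the resulting entropy, and flags the dictionary-word-plus-digits pattern against a short, constructed word list standing in for a cracker’s dictionary.

```python
import math
import secrets
import string

# Letters, digits and punctuation: 26 + 26 + 10 + 32 = 94 symbols (assumed alphabet).
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed stand-in for the dictionaries that password-guessing tools use.
COMMON_WORDS = {"password", "summer", "welcome", "dragon", "monkey"}


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Return a password of `length` symbols drawn uniformly at random from
    `alphabet` using the OS CSPRNG (the `secrets` module), which is the kind
    of generator a password manager uses. `random.choice` would not be
    suitable here because it is not cryptographically secure."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size).
    This is the figure that matters against an offline guessing attack."""
    return length * math.log2(alphabet_size)


def looks_like_word_plus_digits(password: str, words=COMMON_WORDS) -> bool:
    """True when the password is a dictionary word, optionally followed by
    digits - the pattern the post warns against (e.g. 'Summer2024')."""
    stripped = password.rstrip(string.digits)
    return stripped.lower() in words


def assess(password: str) -> dict:
    """Summarise a candidate password: its length, whether it matches the
    weak word-plus-digits pattern, and the entropy it would have if it had
    been generated uniformly from the full alphabet (an upper bound; a
    dictionary-based password has far less)."""
    return {
        "length": len(password),
        "word_plus_digits": looks_like_word_plus_digits(password),
        "max_entropy_bits": round(entropy_bits(len(password), len(ALPHABET)), 1),
    }


if __name__ == "__main__":
    generated = generate_password(20)
    print("generated:", generated)
    print("entropy (bits):", round(entropy_bits(20, len(ALPHABET)), 1))
    for candidate in ("Summer2024", "password", generated):
        print(candidate, "->", assess(candidate))
```

Note that `max_entropy_bits` is only meaningful for a password that really was generated at random; a word from a dictionary with a few digits appended is chosen from a space a cracker can enumerate quickly, whatever its length, which is exactly why the manager-generated string wins.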
