Trial Magazine
Theme Article
Get Password Savvy
March 2017

Consider implementing a firmwide password policy that reflects the industry’s best practices. Here’s how your employees can make their passwords more secure.
1. Don’t repeat. Hackers know that most people don’t want to remember more than one password and use the same one for every website that requires a login. Hackers who obtain someone’s personal information from a large website like Yahoo can easily visit common websites—with email address and password in hand—and shop their way through an unsuspecting victim’s credit card limit. Protect yourself by creating a different password for each website you frequent.
2. Use more characters and include a mix. A modern computer with a processing speed of 2.8 GHz can test 588,235 passwords per second.[1] Thus, if a hacker using one of these basic computers attempts to crack an eight-character password of all lowercase letters, it would take about two days to uncover the password. Using a modern supercomputer, it would take only 1.8 seconds. Dictionary words and common names are weak passwords because they are easy to guess and therefore easy to crack. Truly secure passwords have at least 12 characters and include a mix of numbers, symbols, capital letters, and lowercase letters. Don’t rely on obvious substitutions: “Pa$$word” isn’t much stronger than “Password” just because it contains dollar signs.
3. Use a password manager. Many programs are available to help generate and manage strong password combinations across multiple devices and software platforms. Applications such as Dashlane ($39.99), 1Password ($34.99), or LastPass ($48 per year) can be installed on desktops, laptops, and mobile devices, making it simple for the user to keep track of passcodes.[2]
4. Update regularly. Remember, the Yahoo hack occurred in 2013, but it didn’t come to light for a few years. For most hacks this is the rule rather than the exception. Regularly change your passwords to stay ahead of anyone who has obtained your information before you’ve been notified of a breach. The industry standard has been to change passwords every 30 to 180 days. However, there is some debate as to whether this frequency really improves security or just increases user frustration. One option is to require employees to change passwords at least once per year.
5. Use two-factor authentication. Two-factor authentication is an added level of security that requires an extra piece of information beyond just a username and password for accessing a website. For instance, when logging into Dropbox from a new IP address, you may be required to enter a six-digit code that is sent to the phone number on file with the service, in addition to your username and password. This gives the account owner an additional opportunity to detect unauthorized users. Two-factor authentication is typically enabled when creating an account or set up later through the software’s administrative functions. In some software, such as QuickBooks Online, two-factor authentication is required whenever logging into an account from an unrecognized computer or browser. Before logging in, QuickBooks will text a code to the user to verify his or her identity.
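The arithmetic behind tip 2, and the policy it describes, as an added example that is not part of the article. The guess rate (588,235 per second) is the article’s cited figure; everything else is constructed for the demonstration. The script works out that exhausting all eight-character lowercase passwords (26^8 guesses) takes about 4.1 days at that rate, so the expected time to hit the real password is half that, about two days, matching the article, while a 12-character mix of all four character classes runs to billions of years. It then checks candidate passwords against the tip’s rules: at least 12 characters, all four character classes, and not a common word in disguise, so that “Pa$$word” is rejected for the same reason as “Password”. The word list and the symbol-substitution map are deliberately tiny placeholders.

```python
import re

# Guess rate the article cites for a 2.8 GHz desktop (note 1).
DESKTOP_GUESSES_PER_SECOND = 588_235
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY

# Alphabet sizes for the keyspaces discussed in tip 2.
LOWERCASE = 26
ALL_PRINTABLE = 26 + 26 + 10 + 32   # lower, upper, digits, common symbols

# Constructed, deliberately tiny set of weak base words for this demo;
# a real policy check would use a large breached-password list instead.
WEAK_BASE_WORDS = {"password", "welcome", "letmein", "qwerty", "monkey", "summer"}

# Common symbol-for-letter substitutions, undone before the dictionary check
# so that "Pa$$word" is treated like "password".
LEET_MAP = str.maketrans({"$": "s", "@": "a", "0": "o", "1": "i", "!": "i",
                          "3": "e", "4": "a", "5": "s", "7": "t"})


def brute_force_seconds(alphabet_size, length,
                        guesses_per_second=DESKTOP_GUESSES_PER_SECOND, average=False):
    """Seconds to exhaust a keyspace, or, with average=True, the expected time
    to reach the password, which is half of the full search."""
    keyspace = alphabet_size ** length
    if average:
        keyspace /= 2
    return keyspace / guesses_per_second


def character_classes(password):
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def looks_like_dictionary_word(password):
    """True if the password is a weak word in disguise (case and substitutions removed)."""
    normalized = password.lower().translate(LEET_MAP)
    letters_only = re.sub(r"[^a-z]", "", normalized)
    return any(word in letters_only for word in WEAK_BASE_WORDS)


def check_policy(password, min_length=12):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    missing = {"lower", "upper", "digit", "symbol"} - character_classes(password)
    if missing:
        problems.append("missing character classes: " + ", ".join(sorted(missing)))
    if looks_like_dictionary_word(password):
        problems.append("based on a common word (obvious substitutions do not help)")
    return problems


if __name__ == "__main__":
    full = brute_force_seconds(LOWERCASE, 8) / SECONDS_PER_DAY
    avg = brute_force_seconds(LOWERCASE, 8, average=True) / SECONDS_PER_DAY
    print(f"8 lowercase letters: {full:.1f} days to exhaust, {avg:.1f} days on average")
    years = brute_force_seconds(ALL_PRINTABLE, 12) / SECONDS_PER_YEAR
    print(f"12 mixed characters: {years:.2e} years to exhaust")
    for candidate in ["Password", "Pa$$word", "Mj7#pQ2!rLw9Kz"]:
        print(candidate, "->", check_policy(candidate) or ["ok"])
```

The dictionary check normalizes case and substitutions before comparing, which is why a length or character-class rule on its own is not enough: “Pa$$word” satisfies three of the four classes yet is still one of the first guesses any attacker tries.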
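The server side of the six-digit code described in tip 5, as an added example that is not the article’s and not the implementation of Dropbox, QuickBooks, or any other named service. It shows what makes a texted code a useful second factor: the service keeps only a keyed hash of the code, accepts it once, lets it expire after a short window, and gives up on the code after a handful of wrong guesses. The five-minute lifetime, the five-attempt cap, and the server key are assumptions for the demo; the article specifies none of them.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_LIFETIME_SECONDS = 300   # assumed lifetime; the article gives none
MAX_ATTEMPTS = 5              # assumed cap on guesses per issued code

# Constructed key for the demo; a real service loads this from a secret store.
SERVER_KEY = b"demo-only-key-replace-in-production"


@dataclass
class PendingCode:
    digest: bytes        # keyed hash of the code, so a leaked table reveals no codes
    expires_at: float
    attempts: int = 0


class SecondFactor:
    """Issues and verifies one-time codes delivered over a second channel."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._pending = {}       # username -> PendingCode (one live code per user)

    def issue(self, username):
        """Create a fresh six-digit code; the caller sends it out of band (e.g. SMS)."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[username] = PendingCode(
            digest=self._digest(username, code),
            expires_at=self._now() + CODE_LIFETIME_SECONDS,
        )
        return code

    def verify(self, username, submitted):
        """Accept a code only once, only before expiry, and only within the attempt cap."""
        record = self._pending.get(username)
        if record is None:
            return False
        if self._now() > record.expires_at:
            del self._pending[username]
            return False
        record.attempts += 1
        if record.attempts > MAX_ATTEMPTS:
            del self._pending[username]     # too many guesses: force a re-issue
            return False
        ok = hmac.compare_digest(record.digest, self._digest(username, submitted))
        if ok:
            del self._pending[username]     # single use: a replayed code fails
        return ok

    @staticmethod
    def _digest(username, code):
        return hmac.new(SERVER_KEY, f"{username}:{code}".encode(), hashlib.sha256).digest()


class FakeClock:
    """Manually advanced clock used for the demo and tests."""
    def __init__(self, start=1_000_000.0):
        self.t = start

    def __call__(self):
        return self.t


def wrong_guess(code):
    """A six-digit value guaranteed to differ from `code`."""
    return "000000" if code != "000000" else "111111"


if __name__ == "__main__":
    clock = FakeClock()
    sf = SecondFactor(now=clock)
    code = sf.issue("alice")
    print("wrong code accepted:", sf.verify("alice", wrong_guess(code)))
    print("right code accepted:", sf.verify("alice", code))
    print("replay accepted:", sf.verify("alice", code))
    code = sf.issue("alice")
    clock.t += CODE_LIFETIME_SECONDS + 1
    print("expired code accepted:", sf.verify("alice", code))
```

The attempt cap matters because a six-digit code has only a million possibilities; without it, the code adds little over the password. The comparison uses `hmac.compare_digest` so that a wrong guess takes the same time as a right one regardless of where the digits first differ.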
Notes
1. Calculating Password Complexity, Thycotic (Mar. 28, 2016), https://thycotic.force.com/support/s/article/Calculating-Password-Complexity
2. Pricing varies depending on the level of service purchased.