Every year around this time, I have to fill out my company’s cyber insurance application, and every year it asks whether we encourage strong passwords and change them often. This question really annoys me, because we really shouldn’t change passwords often. Instead, we should choose authentication processes that adequately match the risks of the site; a password alone should be the last thing you rely on.
First, think about the information and data a website holds about you. The sites we most want to protect often have the weakest protections. Wherever you can, add two-factor authentication to your login. (Not all multi-factor authentication is created equal, but some sort of multi-factor is better than none. If it encourages attackers to go elsewhere, it has done its job.)
Banks and financial organizations are often slow to implement authentication software, so you have to make do with a username, a password, and a two-factor authentication step, usually a text message sent to your smartphone. While smartphone SIM chips can be cloned (so that attackers can spoof your phone and intercept messages), the vast majority of us are still better off with this process than without it. Relying on just a username and password to log into your bank puts your account at risk.
To be honest, not all passwords are created equal, either. If you’ve reused a password on another website or for another bank account, you’re more at risk. Attackers often steal or purchase an archive of compromised passwords, or password “hashes,” and then try them against other sites to gain access. If you’ve ever received a password reset notification without having tried to log into your account, you’re probably seeing an attacker attempting a password-stuffing (credential-stuffing) attack on the site. So don’t reuse the same password everywhere.
For years, online users have been told to vary their usernames to see whether a site was selling their information elsewhere. Now I see the same kind of recommendation for choosing a password or passphrase. There’s a very funny online video that nails the process people use to choose passwords: you start by choosing a password and then use it everywhere. When a site says that one isn’t good enough, you add another letter. Then you need a special character (like an exclamation mark). The truth is, our brains can only hold so much information, which is why we tend to reuse the same password, or a variation of it, across multiple sites.
Microsoft often recommends PINs over passwords. It argues that a PIN is specific to the device, so if an attacker steals your PIN, they have to steal the device as well. There is a problem with this argument. I have several devices that require a PIN and I have to admit that I use the same PIN on all of them because I can’t remember PINs any better than passwords. According to Microsoft, the benefit of a PIN is that “when the PIN is created, it establishes a trust relationship with the identity provider and creates an asymmetric key pair that is used for authentication.” The PIN is backed by the Trusted Platform Module (TPM) chip in your computer. (If you’ve wondered why a Windows 10 computer required you to use a PIN instead of a password, it’s because the operating system detected that you had the necessary hardware to support the process.) If you don’t need or want a PIN, you can remove it. Press the Windows key and the I key to open Settings. Choose Accounts and then click Continue. In the left panel, click Sign-in options. In the right panel, choose “Remove” in the PIN section.
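To make the device-bound key argument concrete, here is an added example (my own illustration, not Microsoft’s code or the Windows Hello implementation): a toy identity-provider exchange in Go in which the PIN only unlocks a private key held on the enrolling device, so a stolen PIN used from a different device fails. The sample PIN, the Device and Provider types and the SHA-256 PIN check are constructed assumptions; a real TPM enforces the PIN in hardware rather than in software like this.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Device models the TPM-backed key pair: the private key never leaves the
// device and can be used only after the local PIN check succeeds.
type Device struct {
	pinHash [32]byte
	priv    ed25519.PrivateKey
	Pub     ed25519.PublicKey
}

// Enroll creates the key pair when the PIN is set; the provider gets only Pub.
func Enroll(pin string) *Device {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Device{pinHash: sha256.Sum256([]byte(pin)), priv: priv, Pub: pub}
}
// Sign answers a challenge, but only if the PIN unlocks this device.
func (d *Device) Sign(pin string, challenge []byte) ([]byte, bool) {
	h := sha256.Sum256([]byte(pin))
	if subtle.ConstantTimeCompare(h[:], d.pinHash[:]) != 1 {
		return nil, false
	}
	return ed25519.Sign(d.priv, challenge), true
}
// Provider is the identity provider; it stores the enrolled public key only.
type Provider struct{ Enrolled ed25519.PublicKey }
// Login runs one challenge-response exchange from device d using pin.
func Login(p Provider, d *Device, pin string) bool {
	challenge := make([]byte, 32) // fresh nonce: a captured answer cannot be replayed
	if _, err := rand.Read(challenge); err != nil {
		return false
	}
	sig, ok := d.Sign(pin, challenge)
	return ok && ed25519.Verify(p.Enrolled, challenge, sig)
}

func main() {
	laptop := Enroll("1234") // constructed sample PIN
	idp := Provider{Enrolled: laptop.Pub}
	fmt.Println(Login(idp, laptop, "1234"), Login(idp, laptop, "0000"), Login(idp, Enroll("1234"), "1234"))
}
```

The three calls in main print true, false, false: the enrolled device with the right PIN succeeds, the wrong PIN fails, and a second device enrolled with the same PIN fails because the provider never trusted its key.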
Efforts to improve online security are spreading. Intuit recently started requiring a password even to log in to the desktop version of QuickBooks, its accounting and bookkeeping software. Anyone with a QuickBooks file that includes sensitive information such as payroll or credit card data also has to sign in with an online account first. For years, desktop users needed only a username. Even so, many users felt the change was heavy-handed, especially when combined with a mandate to change the password every 90 days. (Even here the idea persists that changing passwords is preferable to choosing better passwords or using the Google Authenticator app to log in to your Intuit account.)
Even if you’re a small business, you can add two-factor authentication to your computer login to strengthen security. Duo.com, for example, offers Duo free for deployments with fewer than 10 users. It sends a two-factor request to a smartphone or even an Apple Watch. I use it in my office for remote access to ensure that when someone connects from outside the office, they have to answer a request on their phone to gain access. Its ease of use means I can ensure remote access is secure and I can avoid excessive password changes.
If you are a cyber insurance vendor or agency, listen up! Stop asking me to change my password. Instead, ask me what my favorite multifactor application is. This is the fastest way to improve security for most users.
Copyright © 2022 IDG Communications, Inc.