How to Protect Your Information
The first line of defense in information security is… you!
Obviously, anyone who has access to your data has an obligation to store it securely, protect it from unauthorized access, and keep your identity, data, and money safe. But it doesn’t matter how secure your financial institution is if you don’t take some simple steps to protect yourself.
This post will focus on choosing a secure password to help protect your data.
Common Myths of Password Security
There are a lot of common security practices that, when done right, can lead to better security and stronger passwords. However, it is just as likely that forcing users to conform to specific standards can lead to less secure passwords. That’s why we believe step 1 in choosing a secure password isn’t creating onerous requirements for our users.
Rather, it is educating you on some good practices so that you can make informed decisions for yourself.
Changing Passwords Every 90 Days Guarantees Security
Don’t get us wrong – you definitely want to change your passwords eventually. However, when users are forced to change their passwords frequently, they typically use an incremental password, meaning hunter2 becomes hunter3 and so on. How many of you reading this are “guilty” of something like this? These incremental passwords are no more secure than the previous password and are equally easy (or hard) to guess. Don’t believe us? Here’s a good synopsis of a couple of peer-reviewed studies that show the potential detrimental effects of frequent password changes. So, when you do change your password, make sure to make it unique and unpredictable, and do it at an uneven interval.
Using a Password Manager is Perfectly Secure
There is no question that a password manager is better than writing your password on a sticky note or saving your passwords to a Word document (even an encrypted one). However, if someone gains access to your master password, they now have knowledge of and access to every site that you have stored in it. It won’t matter how secure your site passwords are if someone can access them with ease, so knowing how to craft a secure master password is even more important.
Interested in learning more? Here are some pros and cons to password managers so you can make an informed decision for yourself.
Long Passwords Are ALWAYS Better
The more characters you use, the harder it will be to guess your password using a pure, uninformed “brute force” attack. However, attackers are smart, so before they try every possible combination in order, they start with some really common passwords. Choosing something like 123456789 or password1 is mathematically more difficult to brute force than a password like 6BqP9@.
In practice, however, using sequences (e.g., 1234), common dictionary words (e.g., password), and common substitutions (e.g., a = @, s = $) makes the attacker’s job much easier.
Choosing a Secure Password
Secure passwords have some common characteristics. NASA publishes some pretty clear guidelines on secure passwords for their users that adhere to NIST identity protection guidelines but are presented in a way that is easy to read and understand. Some things to consider when choosing your password:
- Hard to Guess (i.e., unpredictable)
- Easy to Remember (so you don’t need to write it down)
- Unique (meaning, you don’t use it on other websites)
Passwords like g5pe@cK7WY^9 definitely qualify as hard to guess, but how easy to remember is that? Passwords like JaredCnote! might be easy to remember and unique for you, but are also pretty easy to guess.
The best password is a random one, but it turns out humans like patterns and therefore create “random” passwords in very predictable ways. This makes it really easy for cyber-thieves to guess them. It turns out that choosing 4 random words can make a really secure, easy to remember password. Here’s a fun (albeit slightly technical) webcomic about random four-word passphrases.
Now… can you remember a different 4 random word combination for every site you use? Probably not. But, if you use a very secure passphrase as your master password for your favorite password manager, you can protect your digital vault reasonably well. Then, you can use that password manager to ensure you have unique, truly random, highly secure passwords that are remembered for you.
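To put numbers on the three points above (incremental changes, common-list-first guessing versus pure brute force, and four random words), here is an added example that is not part of the original post or of CNote’s own systems. The word list and the “common passwords” list are constructed stand-ins; the 7776-word list size is the EFF diceware list, and the uninformed attacker is assumed to know only the password length, not which character classes it uses.

```python
import math
import re
import secrets

# Constructed stand-in word list. A real generator loads a large list such as
# the EFF diceware list (7776 words); list size sets the bits per word.
WORDLIST = ["correct", "horse", "battery", "staple", "river", "candle",
            "orbit", "walnut", "ladder", "velvet", "pillow", "tractor"]

# Constructed stand-in for an attacker's "try these first" list.
COMMON_PASSWORDS = ["123456", "123456789", "password", "password1",
                    "qwerty", "hunter2"]

PRINTABLE = 95  # printable ASCII characters an uninformed brute force must cover


def passphrase(n_words=4, words=WORDLIST):
    """Pick n_words uniformly at random with a CSPRNG (never random.choice)."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


def passphrase_bits(n_words, list_size):
    """Entropy in bits of n_words drawn independently from list_size words."""
    return n_words * math.log2(list_size)


def brute_force_bits(password):
    """Work for a pure, uninformed brute force that knows only the length."""
    return len(password) * math.log2(PRINTABLE)


def guesses_to_crack(password):
    """Guesses by a smarter attacker: common list first, then brute force."""
    if password in COMMON_PASSWORDS:
        return COMMON_PASSWORDS.index(password) + 1
    return len(COMMON_PASSWORDS) + PRINTABLE ** len(password)


def is_incremental(old, new):
    """True when new is old with only its trailing number changed (hunter2 -> hunter3)."""
    m_old, m_new = (re.fullmatch(r"(.*?)(\d+)", p) for p in (old, new))
    return bool(m_old and m_new) and m_old.group(1) == m_new.group(1) \
        and m_old.group(2) != m_new.group(2)


if __name__ == "__main__":
    print("passphrase:", passphrase())
    print("4 words from 7776: %.1f bits" % passphrase_bits(4, 7776))
    for pw in ("123456789", "6BqP9@"):
        print(pw, "%.1f brute-force bits," % brute_force_bits(pw),
              guesses_to_crack(pw), "guesses by a smart attacker")
    print("hunter2 -> hunter3 incremental?", is_incremental("hunter2", "hunter3"))
```

The output shows 123456789 costing more pure brute force than 6BqP9@ yet falling on the second guess of a common list, while four diceware words give over 50 bits and are still memorable.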
Choosing your secure password is only half the battle. Keeping it secure is the other half. For this reason, you should never share your password with anyone else. The only place you should use your CNote password, for example, is on the CNote login page – our employees will never ask you for your password and you should never volunteer it to us.
The Password Game by Carnegie Mellon University will test your knowledge of what a secure password really is.