Creating an excellent password is a hot topic of conversation, especially each year on the first Thursday in May, which is “World Password Day.” We’re glad that there’s a day set aside for talking about passwords, but even if it isn’t Password Day when you read this, you can still take some time to think about your passwords. So how do you create an excellent password? What are some tips?
Microsoft released their updated password guidance way back in 2016, which seems like a lifetime ago. At Community IT Innovators we have rooted our password recommendations in their research, and adapted it to take advantage of new tools and systems that have emerged. In general, you need to have a small number of remember-able passwords; one to login to your computer and another password to login to your password manager application.
Think of this as having a password to the gate to get into your yard, and another to the gate to get into your garden, which is surrounded by a fence. All your other passwords are growing in the garden, protected by these two outer gates. Once you are within your garden fence, you have complete access to all your other passwords, so you don’t need to memorize them, you can always look them up from within the safety of the fence, away from prying eyes. However, you would want your two important passwords, to the yard and to the garden, to be very difficult to guess and kept very private, because anyone with those passwords can access all the other passwords in your garden.
How to Create an Excellent Password:
Tips for creating an excellent password:
- Passwords should be at least 8 characters. They should be something you can remember without writing down for reference.
- Passwords should be unique for every system that you access. If hackers buy a list with your login and password, they will try to use that combo for other valuable accounts in the hopes that you have reused it.
- Don’t use common password combinations such as your name, the word “password,” or adding 1 or ! onto a dictionary word. One method is to think of a phrase you can remember easily, then use the first letter of each word of that phrase to create your password. You can also use a long word or combine two random words, but substitute special characters for letters such as @ for a, or 3 for e. Be aware, however, that any word in your password will be “cracked” by hackers; more easily if it is repeated (such as f0urf0urf0urf0ur)
- Your password phrase or word should be as random as possible, and not be associated with you elsewhere online, for example the name of your hometown. And you should use caution filling out online quizzes that seek to get you to share personal details like the types of cars you have owned, names of all your past pets, etc. These are too often a ploy to get personal details that can be matched to your other online accounts.
- Good long master passwords are technically better than shorter passwords. However, considerable research shows that humans have difficulty remembering longer passwords which often leads to creating a password by combining or repeating words, which makes it easier to guess. Increased length provides more security, but a password must be 16 characters or more to be truly secure against brute force attacks (trying every combination at high speeds). Taking into account human fallibility, master passwords that you must remember must be: easy to remember, never used for more than one account, and as long as possible over 8 characters (16 characters if possible).
- Using a password manager such as LastPass, 1Password or Dashlane makes it easy to generate and store unique and complex passwords. This is the equivalent of the password on the garden gate, protecting all your other passwords within the garden fence.
- Enable Multi-Factor Authentication (MFA) on your accounts whenever possible. This tool allows you to further safeguard your most important logins with a second authentication using something you physically have with you, such as a text to your phone or a physical key. Check out our guide Nonprofits Should Require Multi-Factor Authentication for more tips.
- If you’re responsible for your Organization’s IT, look into Single Sign On (SSO) solutions to minimize the use of passwords and to streamline monitoring and account onboarding/offboarding. Microsoft Azure and Okta are two sources of SSO solutions for nonprofits, and there are many others.
How often should I change my password?
Now that you have chosen an excellent password that is long, strong, and easy to remember, how long before you will be forced to choose a new one?
The good news is, passwords don’t need to be changed regularly just for the sake of rotation. If you have a strong and unique password that you have never used elsewhere and that is protected with MFA, then there may never be a need to reset that password.
You should regularly check up on your accounts, however, especially free older email accounts such as Yahoo which have been compromised many times over the years. Using free services like https://www.haveibeenpwned.com or managed services like ID Agent that scour the dark web for compromised accounts can help inform you if you need to create new credentials for a service that has been compromised.
And it can be a good idea to change a password when you learn of a security breach that may impact an email account of yours, such as the data breaches at Target or Sony. Of course, if you are following good password hygiene and not ever reusing passwords your risk is far lower when such a breach occurs!
What about administrator accounts?
Privileged accounts (typically domain, global or super admins) should be optimized for security since no human needs to memorize these passwords. The account names should also avoid using common Admin names (such as support, exchange, admin, etc) to reduce vulnerability to brute force attacks. So how to create an excellent password for an admin account?
Administrator level passwords with privileged access:
- Should maximize the possible length of passwords for each platform.
- Should not be memorized.
- Should avoid passphrases (ie. quickbrownfoxjumpedover) to discourage memorization.
- Using complex passwords is a challenge, so the use of a password manager is required.
Solutions such as Secret Server Online from Thycotic, Last Pass or Dashlane are indispensable. The staggering amount of data breaches means that there are enormous databases of valid credentials available to the bad guys. You can get notified if an account you use has appeared in a breach at the site https://haveibeenpwned.com/. This site will let you know what breaches a specific email address has been exposed in.
Any change to your nonprofit cybersecurity environment depends on several factors for success.
- First, you will need the buy-in of your employees and colleagues. They are the front line in your defense against cybercrime, and you can’t defend yourself from account compromise without them. For more information on change management and nonprofit cybersecurity, you can download our free Guide to Getting Started with Cybersecurity at Your Organization.
- Second, you will need to talk to your IT provider or IT department about training end users in how to create an excellent password, develop an implementation plan, and roll it out.
- Third, be prepared for account compromise. This may sound counter-intuitive, but even though requiring strong passwords and training users will strengthen your cybersecurity considerably, there is no fool-proof security solution. Creating a nonprofit incident response plan with your IT department or provider will give you a better game plan to get back on your feet quickly in the event that an account is compromised, and the process of creating a plan will help you better assess and mitigate the real threats your organization faces.
Ready to reduce your nonprofit cybersecurity risk?
Choosing a strong and unique password, combined with MFA, is the best way that you can protect your digital identity, both in the personal and professional sphere. Requiring strong passwords and using password managers and SSO at your nonprofit is a quick and easy step you can take to secure your reputation and deflect hackers.
At Community IT Innovators, we’ve found that many nonprofit organizations deal with more cybersecurity risks than they should have to. As a result, cyber damages are all too common.
Our process is different. Our techs are nonprofit cybersecurity experts. We constantly research and evaluate new technology solutions to ensure that you get cutting-edge solutions that are tailored to keep your organization secure. We published our Nonprofit Cybersecurity: a Guide for 2020 to help our community understand the issues. And we ensure you get the highest value possible by bringing 25 years of expertise in exclusively serving nonprofits to bear in your environment.
Learning how to create an excellent password is a first step, one that all your nonprofit staff should take. Password security is a vital part of any robust cybersecurity stance – and working with Community IT can reduce the likelihood that you’ll experience an effective attack in the first place. If you’re ready to gain peace of mind about your cybersecurity, let’s talk.