In this last post of this series on information security for cooperatives & condominiums, we will take a look at the current thinking on password security and some other final thoughts.
Passwords are both our first line of defense and one of our largest vulnerabilities. Theories and myths about passwords are many – how long should they be, how often they should be changed, what they should contain, etc. While there are many opinions, there are few facts beyond the basics. So, let’s start there.
First, don’t be obvious. So passwords like ‘abcdefg’, ‘12345678’, ‘password’, etc. are all out of the running. These passwords are basically an invitation to be hacked. What you should do instead is create longer passwords. Current recommendations are 12 to 15 characters. Make sure to have at least one uppercase and one lowercase letter, one number, and one special character. By using an extended set of potential characters – outside of just numbers- and longer passwords the number of passwords for a hacker to try grows exponentially – so maybe they’ll quit or go look somewhere else.
How do you remember a password that long? Try using a familiar phrase or the first letters of the words in a well-known sentence. Then replace some letters with numbers – the letter O with zero for example.
Second, don’t use the same password for multiple sensitive places, like banking or brokerage accounts, etc. You can decide for yourself about other types of accounts like streaming services, social media, subscriptions, and more. Also (I hope I don’t really need to say this, but I will) don’t write your passwords on sticky notes and put them on your monitor, your desk or in your desk drawer – this just makes it way too easy for someone to casually access your information.
One of the most frequently asked questions about passwords is how often to change them. There is a tradeoff here – field studies have shown that the more frequently users are forced to change their passwords, the more likely they are to write them down somewhere obvious, thus defeating the purpose of the exercise. The most important reason to change your passwords is to shorten the period your information is exposed if your passwords are compromised.
So, for small organizations, getting everyone to change their passwords when someone leaves the company may be a good practice or if you learn your information has been breached somewhere, such as at another enterprise. Otherwise, it seems to be OK to continue to use a password until circumstances indicate a need to change it.
What about password managers and password books? Password managers are generally a good idea, as long as you can use the same one across multiple devices. They’re secure, they help prevent issues associated with forgetting passwords, and they encourage the use of more secure passwords. The same is true of password books (physical notebooks with all your passwords in them) but they can be considerably less secure if you carry them around with you. They do prove helpful in the case of emergencies when a spouse, significant other, or family member needs to access your accounts.
Lastly, make use of multi-factor authentication (MFA) whenever it is available. MFA (sometimes known as 2-factor authentication) is what you are using when your bank sends a text message to your phone or sends an email with a code to be entered after you provide your password. This makes certain that whoever is trying to access your information at least has access to a 2nd device or other services that you as the account owner should have access to. MFA has been shown to provide very high levels of protection against hacking – again, hackers will just quit or go somewhere else.
To wrap up our discussion, there are a few takeaways to keep in mind. You are a target, even if you don’t realize it. The threats are continuous and getting more sophisticated, so you can no longer just set and forget about your security arrangements – you should revisit your information security stance at least annually and upgrade or enhance your defenses as the threats indicate.
Give serious consideration to not doing all this yourself – leverage the skills and technology of providers who have the scale to do it right.