The start of the new year is a good time to take inventory of your cybersecurity readiness, and one of the best places to start is your password management strategy. Given that the average user maintains well over 100 passwords, the best course of action continues to be a password manager protected with multi-factor authentication (MFA). However, research has shown that users should still examine their stored passwords periodically to make sure they are as secure as they can be.
First, be diligent about using complex, randomly generated passwords. Most password managers have a “generate password” feature that produces a random string of characters, typically drawing on all four character classes: numbers, upper-case letters, lower-case letters, and special characters. Since the manager remembers the password for you, there is no reason to avoid long, complex passwords.
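As an added illustration (not code from the original article or from any particular password manager), the snippet below shows what a sound “generate password” feature does under the hood: it draws characters from a cryptographically secure source (Python's `secrets` module), covers all four character classes, and reports an entropy estimate. The default length of 20 and the 94-character printable ASCII alphabet are assumptions chosen for the example.

```python
import math
import secrets
import string

# The four character classes the article mentions. Some sites reject
# certain punctuation; trim SPECIALS to what the target site accepts.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SPECIALS = string.punctuation
ALPHABET = LOWER + UPPER + DIGITS + SPECIALS  # 94 printable ASCII characters


def has_all_classes(password: str) -> bool:
    """True when the password contains at least one character of each class."""
    return (
        any(c in LOWER for c in password)
        and any(c in UPPER for c in password)
        and any(c in DIGITS for c in password)
        and any(c in SPECIALS for c in password)
    )


def generate_password(length: int = 20) -> str:
    """Return a uniformly random password over ALPHABET containing all four classes.

    Rejection sampling (draw, check, retry) keeps the distribution uniform over
    the set of acceptable passwords. The common shortcut of forcing one
    character from each class into fixed positions makes some passwords more
    likely than others and slightly lowers the real entropy.
    secrets.choice uses the OS CSPRNG; never use the random module for this.
    """
    if length < 4:
        raise ValueError("need at least 4 characters to cover 4 classes")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Upper bound on the entropy of a uniformly random password of this length."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, f"(~{entropy_bits(len(pw)):.0f} bits)")
```

A 20-character password over this alphabet carries roughly 131 bits of entropy, far beyond what any offline guessing attack can exhaust; the bottleneck is whether the site accepts the length and characters, not the generator.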
Second, review the passwords saved in your vault for weak or reused legacy passwords. Some users adopt a password manager and simply import their insecure legacy passwords into it unchanged. Most password managers can now flag passwords that are commonly used, reused across different accounts, or otherwise weak; when the tool offers that advice, follow it and change the affected passwords.
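To make the vault review concrete, here is an added example (not from the original article, and not the audit logic of any real product) that runs the same three checks over a constructed CSV export: reuse across accounts, presence in a common-password list, and weakness by length or character variety. The column names, the five-entry common-password list, and the 12-character minimum are assumptions for the example; a real audit would use a far larger list.

```python
import csv
import io
import string
from collections import defaultdict

# Constructed sample of a vault CSV export (not exported from any real vault).
SAMPLE_EXPORT = """\
name,username,password
bank,alice,Wq7$kLp2#vN9rT4e
webmail,alice,Summer2019!
forum,alice,Summer2019!
vpn,alice,password
cloud,alice,Xc3&mHq8*Lz1!pB6yK2w
oldshop,alice@example.com,summer2019!
"""

# Tiny stand-in for a common-password list; real audits use millions of entries.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}
MIN_LENGTH = 12  # assumed policy minimum for this example


def character_classes(password: str) -> int:
    """Count how many of the four character classes appear in the password."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    return sum(any(c in cls for c in password) for cls in classes)


def weakness_reasons(password: str) -> list:
    """Return the list of reasons a single password is weak (empty if none)."""
    reasons = []
    if password.casefold() in COMMON_PASSWORDS:
        reasons.append("common password")
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(password) < 3:
        reasons.append("fewer than 3 character classes")
    return reasons


def audit_vault(csv_text: str) -> dict:
    """Audit a vault export. Returns {'reused': {pw: [names]}, 'weak': {name: reasons}}.

    Reuse is grouped case-insensitively: an attacker who captures
    'Summer2019!' from one breach will try trivial case variants elsewhere,
    so 'summer2019!' on another site is treated as the same credential.
    """
    entries = list(csv.DictReader(io.StringIO(csv_text)))
    by_password = defaultdict(list)
    for entry in entries:
        by_password[entry["password"].casefold()].append(entry["name"])
    reused = {pw: names for pw, names in by_password.items() if len(names) > 1}
    weak = {}
    for entry in entries:
        reasons = weakness_reasons(entry["password"])
        if reasons:
            weak[entry["name"]] = reasons
    return {"reused": reused, "weak": weak}


if __name__ == "__main__":
    report = audit_vault(SAMPLE_EXPORT)
    for pw, names in report["reused"].items():
        print(f"REUSED across {', '.join(names)}")
    for name, reasons in report["weak"].items():
        print(f"WEAK {name}: {'; '.join(reasons)}")
```

On the constructed export the audit groups the three Summer2019 variants as one reused credential and flags the 8-character dictionary word on the VPN account on all three counts, while the two generated passwords pass cleanly. Any password that shows up in the reuse group should be rotated on every affected site, not just one.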
Third, the password vault itself must be protected by a complex password. In a work environment, it is common to tie a user’s network login credentials to their password vault, which lets the organization enforce its complexity requirements. If you set the vault password yourself, it must be the longest, most complex password you can reliably remember, because it is the one password that cannot be stored in the vault.
Fourth, and possibly the most important and simplest rule of all: never share your passwords with anyone. This is especially true of the password to your vault.
Thomas Flores is the Sourcepass Director of Cyber Security Incident Response