Cybersecurity Awareness Month: Secure Your Passwords

by Andrew Whitaker

Stories of identity theft and data breaches are all too common in our headlines these days. If the cybersecurity headlines of 2018 were put in a book, every page would reveal a depressing fact.

A social media giant has 87 million records breached

An apparel company has 150 million records breached

A marketing firm has 340 million records breached

Cities hacked across the country

State-sponsored hacks against voting systems

You get the idea. By the time you are halfway through the book of headlines, you are ready to put it down. Is there any hope for living in a world where our online identities can be safe?

I enjoy reading suspense novels. A good suspense novel leads the reader to a point of insurmountable odds, only to have the one lucky break that allows the heroine or hero the opportunity to escape the villain, solve the crime, or rise above the disaster. I read suspense novels to remind me that no matter how bombarded we are with news of data breaches, there is always a way to turn the story around.

Yes, data breaches happen. Yes, online technology is always a risk. Of course, we take risks all the time. One time I decided to eat sushi in a diner in the middle of the Pocono Mountains. Trust me, I won’t do that again any time soon! So yes, bad things happen to all of us. Headlines about data breaches have not stopped people from going online, but they should make us more aware of the dangers and smarter about how we go online.

This October marks the 15th anniversary of National Cybersecurity Awareness Month. Seattle Information Technology joins a collaborative effort between the U.S. Department of Homeland Security and the National Cyber Security Alliance to help raise awareness during this month. Over the next few weeks, we will share a series of short blog articles on how you can take small steps that can make huge impacts in protecting your identity when using technology online.

For this first post, let’s talk about secure passwords. Now, I know that doesn’t sound very exciting, and I wish I was talking about some advanced hacker technique, but the reality is that weak passwords remain the number one way hackers get into accounts. No matter what online service you use, chances are that the website requires you to log in with a username and password. Together, they identify and authenticate you.

Here are three tips to secure your passwords:

  1. Use long passwords. I’ll spare you the fancy mathematical algorithms and just say that the longer the password, the harder it is to figure out. In fact, in most cases, length matters more than complexity. For example, take a lottery ticket. How easy would it be for someone to get the winning number if the lottery ticket only had four numbers, each ranging from 0-9? Now, many in the security community will debate what the right number of characters should be. Rather than argue over whether the password should be eight or thirty characters, I suggest this: Try to improve your cyber presence by increasing the number of characters in your password by four characters this year. Whatever passwords you currently use, change them and add four more characters. Next year, increase it again. When you get to twenty characters or more, you can stop, because at that point you are just typing the alphabet.
  2. Don’t write down your passwords. If you were to look in your wallet or purse right now, chances are your driver’s license or other identification is there. Whether you are going through a TSA security line at an airport or entering a 21-and-over bar, you are asked to validate that you are who you say you are, and that is done through a form of identification. Your physical ID is not unlike your password. You let others look at it, but you do not give it away. In the same way, secure your passwords. Do not give them away by writing them on notes and sticking them around your computer. There are several secure password management tools to help secure your passwords. I use KeePass. LastPass is another popular one. Both store your passwords in a secure location and require a strong password to unlock and access them.
  3. Change your social media and email account passwords frequently. Many websites these days offer you the option of connecting to your Facebook, Google, or other popular online account. Using that integration takes away the challenge of remembering multiple passwords. Yet, if your password is ever compromised, every site that uses the same authentication through Facebook, Google, or other popular sites will also be compromised. Often, hackers will hold on to those passwords for a long time, trying to sell them to other people, and you won’t even realize that you have been hacked until months later. Changing your password frequently protects you if your password is compromised and you do not know it yet. How often should you change your password? Security professionals argue everything from once a month to once every six months. I recommend keeping it simple: change your password every time you change your toothbrush (assuming, of course, you change your toothbrush regularly!). The American Dental Association recommends that you replace your toothbrush approximately every three to four months. If you can remember that, just change your passwords next time you change your toothbrush. Your online identity and your dentist will thank you!

 

Director of Security, Risk, and Compliance Andrew Whitaker leads information assurance, security operations, regulatory compliance, and IT policy across all City departments. His cybersecurity specialties include building lean security programs, integrating security into business processes, intelligence-driven threat modeling, and security awareness and training.

He has over 20 years of experience in both the public and private sector, leading consulting services for defense, federal, and intelligence agencies, all branches of the US military, and over a third of the Fortune 500 companies.