Effective passwords the anchor of cybersecurity

Carl Mazzanti //May 2, 2023

It seems like reports emerge about a new cyber hack almost every day – and the numbers are staggering. Just recently, for example, telecommunications giant T-Mobile disclosed that a hacker stole personal information from 37 million current customers in a November data breach. Small businesses are equally at risk, so entrepreneurs of all sizes should consider ways to reinforce the “moats” around their sensitive data. A good starting point is to revisit current passwords. 

Passwords are the first line of defense in a cybersecurity plan, but they have to meet certain conditions to help prevent unauthorized individuals from accessing sensitive accounts. To begin with, any good managed IT services provider knows that passwords should be unique, which excludes easy-to-guess combinations like ABC or 123.

That condition also means passwords should never be based on the creator’s personal information: birthdays, family names, or addresses may be easy to remember, but attackers can easily crack them by scouring social media platforms and other sources. Some business owners use a four-digit Personal Identification Number (PIN) instead, but a PIN is also often made up of the month, day, or year of a birthday, or digits from an address or phone number, all of which are available on the Dark Web or from other sources.

What about using a random word? With more than 100,000 entries in the average dictionary, it is tempting. But hackers can get around that with sophisticated software that mounts “dictionary attacks,” deploying volumes of pre-selected words and phrases in a brute-force assault. And hackers are wise to the trick of intentionally misspelling a word (like nite instead of night), so that strategy is also a non-starter. 

Cybersecurity professionals find that a more effective password approach involves deploying a series of words that are linked by memory techniques or mnemonics. For example, instead of the password baseball, a user can select the combination IlTpHB for “[I] [l]ike [T]o [p]lay [H]ard[B]all.” Interspersing symbols and numbers with lowercase and capital letters adds another layer of protection: modifying the above to Il!2pHb, for example, results in a password that cannot be found in any dictionary.

Cybersecurity managed services professionals also find that using the longest password or passphrase permissible (generally from 8 to 64 characters) is another good move. A password like Pattern2baseball#4mYmiemale! will not be easily cracked, since it uses 28 characters and includes upper and lowercase letters, numbers, and special symbols.
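To make the conditions above concrete, here is an added example (not code from the article or from eMazzanti) of a policy checker that applies them: it rejects ABC/123-style sequences, dictionary words even when disguised by leetspeak or a deliberate misspelling such as nite, passwords built from the owner's birthday, surname or phone number, and anything outside the 8-to-64 character range, while accepting the article's 28-character example. The word list, substitution table and sample profile are constructed for the example; a real deployment would load a full dictionary and a breached-password list.

```python
import re
from datetime import date

# Constructed word list for the example; a real checker loads a full dictionary
# (the article mentions 100,000+ entries) plus lists of previously breached passwords.
SAMPLE_DICTIONARY = {"baseball", "night", "password", "welcome", "football", "dragon"}

# Substitutions a dictionary-attack tool already tries, so they add no strength.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})
MISSPELLINGS = {"nite": "night", "lite": "light", "thru": "through", "luv": "love"}


def normalize(text: str) -> str:
    """Undo leetspeak and known deliberate misspellings before a dictionary lookup."""
    plain = text.lower().translate(LEET_MAP)
    return MISSPELLINGS.get(plain, plain)


def is_sequential(password: str) -> bool:
    """True for ABC/123-style runs (every step +1 or -1) or a single repeated character."""
    s = password.lower()
    if len(s) < 3:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps in ({1}, {-1}) or len(set(s)) == 1


def personal_info_hits(password: str, profile: dict) -> list:
    """Tokens derived from the owner's profile (names, birthday, phone) found in the password."""
    low = password.lower()
    tokens = {name.lower() for name in profile.get("names", [])}
    birthday = profile.get("birthday")
    if birthday:
        tokens.update({
            str(birthday.year),
            f"{birthday.month:02d}{birthday.day:02d}",  # MMDD
            f"{birthday.day:02d}{birthday.month:02d}",  # DDMM
        })
    for phone in profile.get("phones", []):
        digits = re.sub(r"\D", "", phone)
        tokens.update({digits, digits[-4:]})
    # Tokens shorter than three characters would match almost any password.
    return sorted(t for t in tokens if len(t) >= 3 and t in low)


def check_password(password: str, profile: dict = None,
                   dictionary=SAMPLE_DICTIONARY) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    findings = []
    if not 8 <= len(password) <= 64:
        findings.append("length must be between 8 and 64 characters")
    if is_sequential(password):
        findings.append("sequential or repeated characters (ABC/123 style)")
    core = re.sub(r"[^a-z]", "", normalize(password))
    # A bare word with at most a few decorations is still a dictionary password.
    if core in dictionary and len(password) <= len(core) + 3:
        findings.append("dictionary word (leetspeak and misspellings do not help)")
    if profile:
        hits = personal_info_hits(password, profile)
        if hits:
            findings.append("contains personal information: " + ", ".join(hits))
    classes = (any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password))
    if sum(classes) < 3:
        findings.append("mix at least three of lowercase, uppercase, digits and symbols")
    return findings


# Constructed profile for the example; it does not describe a real person.
SAMPLE_PROFILE = {"names": ["Jordan", "Smith"], "birthday": date(1985, 6, 15),
                  "phones": ["201-555-0123"]}

if __name__ == "__main__":
    for candidate in ["1234", "baseball", "n1te", "Smith0615", "Pattern2baseball#4mYmiemale!"]:
        print(candidate, "->", check_password(candidate, SAMPLE_PROFILE) or ["OK"])
```

The dictionary test deliberately looks only at the whole password, not at substrings, so a long passphrase that happens to contain a common word (as the article's example contains baseball) is judged on its length and character mix rather than rejected outright.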

Once a strong password is developed, a business owner may be tempted to use it for a variety of sensitive accounts, since there are fewer codes to memorize. But that can put a company’s records at risk: if an attacker does manage to crack the single password, they now have easy access to every account that uses it. The solution is to develop and deploy multiple unique passwords, one for each sensitive email or account. Admittedly, it is not easy to remember each one. FOGLO (Fear of Getting Locked Out) after too many failed sign-in attempts is a valid concern. But a password manager can help with that.

A password manager is a software application — popular ones include ITGlue and Passportal’s N-able — that can manage online credentials and generate passwords that are stored in an encrypted database. The database itself is also locked behind a master password. This way an authorized user only needs to remember a single (effective) password. Once the master password is entered, a kind of digital password vault is unlocked, enabling the user to retrieve the specific password needed.

Additionally, each time a new account is created, the password manager will check to see if the user wants to roll out an auto-generated password — which will be long, alphanumeric, randomly generated, and highly resistant to hacker guesses. Developing a secure, unique password for each account will go a long way toward thwarting cyber criminals, but digital defenses can be further reinforced with another important cybersecurity tool: multifactor authentication, or MFA.
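The two mechanics the article describes for a password manager, a random generator for new accounts and a vault locked behind one master password, look like this in an added example written for this page (it is not code from ITGlue, N-able or any other product). The master password is stretched with scrypt into a vault key, and only a hash of that key is stored so a wrong master password can be rejected without ever keeping the password itself; encrypting the individual entries with that key is left out because the standard library has no authenticated cipher, and in practice the key would feed AES-GCM from a crypto library. The scrypt parameters are assumed values chosen for the example.

```python
import hashlib
import hmac
import os
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20) -> str:
    """Random password from the secrets module, resampled until all four classes appear."""
    if length < 4:
        raise ValueError("need at least 4 characters to cover every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in candidate) and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in string.punctuation for c in candidate)):
            return candidate


def derive_vault_key(master_password: str, salt: bytes) -> bytes:
    """Stretch the master password into a 256-bit key with scrypt (memory-hard, so
    offline guessing of the master password is slow). Parameters are example values."""
    return hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=32)


def verifier_for(key: bytes) -> bytes:
    # Store a hash of the derived key, never the key or the master password.
    return hashlib.sha256(b"vault-verifier:" + key).digest()


def create_vault(master_password: str) -> dict:
    """New vault: random salt, verifier for the master password, no entries yet."""
    salt = os.urandom(16)
    key = derive_vault_key(master_password, salt)
    return {"salt": salt, "verifier": verifier_for(key), "entries": {}}


def unlock_vault(master_password: str, vault: dict):
    """Return the vault key on success, None on a wrong master password."""
    key = derive_vault_key(master_password, vault["salt"])
    if not hmac.compare_digest(verifier_for(key), vault["verifier"]):
        return None
    return key


if __name__ == "__main__":
    vault = create_vault("correct horse battery staple")  # constructed sample master password
    print("unlock with right password:", unlock_vault("correct horse battery staple", vault) is not None)
    print("unlock with wrong password:", unlock_vault("letmein", vault) is not None)
    print("generated:", generate_password(20))
```

The random salt is what makes two vaults with the same master password derive different keys, so a table of precomputed keys is useless against it; the constant-time comparison keeps the unlock check from leaking how many bytes of the verifier matched.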

Each time someone tries to access an account, MFA adds a layer of protection by sending out an additional identity verification request, such as a requirement to scan a fingerprint or to enter a code received by a mobile phone or another device. This concept can be compared to wearing both a seat belt and a shoulder belt: either one is good but using both is better. 
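The “code received by a mobile phone” is commonly a time-based one-time password (TOTP, RFC 6238): the authenticator app and the server each compute a six-digit code from a shared secret and the current 30-second time step, so the code proves possession of the device without a password being sent anywhere. As an added example that is not from the article, this implements the server side with the standard library, using the RFC's published test key so the outputs can be checked against it; the drift window of one step either side is an assumed value.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation, then mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(key: bytes, at_time: float = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current time step."""
    if at_time is None:
        at_time = time.time()
    return hotp(key, int(at_time) // step, digits)


def verify_totp(key: bytes, submitted: str, at_time: float = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side to tolerate clock drift
    between phone and server; compare in constant time so response timing leaks nothing."""
    if at_time is None:
        at_time = time.time()
    if len(submitted) != digits or not submitted.isdigit():
        return False
    counter = int(at_time) // step
    candidates = [c for c in range(counter - window, counter + window + 1) if c >= 0]
    return any(hmac.compare_digest(hotp(key, c, digits), submitted) for c in candidates)


def new_shared_secret() -> str:
    """Enrollment: a random 160-bit secret, base32-encoded the way authenticator apps import it."""
    return base64.b32encode(secrets.token_bytes(20)).decode("ascii")


def secret_bytes(b32_secret: str) -> bytes:
    return base64.b32decode(b32_secret)


# RFC 6238 Appendix B test key, so the values can be checked against the RFC's vectors.
RFC_TEST_KEY = b"12345678901234567890"

if __name__ == "__main__":
    print("code at t=59:", totp(RFC_TEST_KEY, at_time=59))
    print("accepted one step later:", verify_totp(RFC_TEST_KEY, "287082", at_time=89))
    print("rejected three steps later:", verify_totp(RFC_TEST_KEY, "287082", at_time=149))
```

Because the code is derived from a secret that never leaves the device or the server, a password captured by phishing or a breach is not enough on its own, which is the second belt the article describes; the narrow acceptance window also limits how long a code observed over someone's shoulder stays valid.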

Digital devices have become embedded in business and personal activity and offer plenty of efficiencies — but the advances have also offered more opportunities to bad actors. Fortunately, strategies like strong passwords, password managers, and MFA can help to reinforce digital barricades and assist in keeping hackers and others away.


Carl Mazzanti is president of eMazzanti Technologies in Hoboken, NJ, providing IT consulting services for businesses ranging from home offices to multi-national corporations.