January 29, 2015
3 Quick Things to Teach Your Users About Password Security
Information Technology administrators know the value of password security. Communicating the value of strong passwords to your end-users, however, can often prove to be a challenge. Below are the three aspects of strong passwords all IT admins should teach their users—in plain, non-technical language most users can understand.
1. No one needs your password, ever
Here’s an easy way to tell if someone is trying to steal information from you, or do damage to your technology: They ask for your password.
No person ever needs your password. Not your boss. Not your co-worker. Not the tech support lady on the phone or the repair guy standing over your laptop. Nobody needs your password.
Any of the people who really, legitimately need to access your system can get in without your password. They already have the privileges on your system that their jobs require.
The only reason someone needs your password is to fool a computer or an online service into thinking they are really you. That’s not legitimate behavior. Don’t give out your password.
“But what about those websites that say I can log in with Facebook or Google?” you ask. Those websites don’t ask for your password. They send you to a little pop-up window on Google or Facebook or Twitter, and you can log into Google or Facebook or Twitter.
Then, Google or Facebook or Twitter sends an encrypted bit of code called a token that tells the website who you are, but doesn’t tell the website your password. Not even other websites should give out your password.
Don’t give out your password, to anyone or anything, ever.
2. Use a passphrase, not a password
You’re really bad at picking passwords. Don’t worry, most people are. In fact, hackers can usually guess your password because most people pick really common, really simple, really insecure passwords. Passwords like 123456 and, well, password.
Short passwords that contain obvious words are easier for hackers and thieves to guess. Hackers can simply try any of the most common passwords first and, if that fails, they just use a program that tries random words or common sequences of numbers. And when that fails, hackers try random series of letters and numbers.
The longer and less common your password, the harder it is for hackers to guess.
Now, most people choose short, simple, obvious passwords because they are easy to remember. Long, complicated passwords are harder to guess, but are also harder to remember. That’s why you shouldn’t use a password; you should use a passphrase.
A passphrase is a short sentence that’s easy to remember but, hopefully, is hard to guess. So, for example, instead of using your daughter’s birth date as a password, use I love my baby girl 4-ever as a passphrase. You probably can’t remember a 16-character random string of numbers and letters, but you can remember that you’ll always love your little girl.
And, best of all, hackers won’t be nearly as likely to guess your passphrase.
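The three guessing stages described above (a common-password list, then single words or number sequences, then random strings) can be turned into a simple policy check. The script below is an added example, not code from the original post; its common-password and dictionary lists are tiny constructed stand-ins for the multi-million-entry lists attackers actually use, and the "bits" figure is only the worst-case size of a pure brute-force search, not a real cracking-time estimate.

```python
import math
import string

# Constructed stand-ins for the lists an attacker tries first; real lists hold
# millions of entries, but a handful is enough to show the ordering the text gives.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "111111"}
DICTIONARY_WORDS = {"love", "baby", "girl", "summer", "dragon", "monkey"}


def alphabet_size(pw: str) -> int:
    """Size of the character set a random-string (brute-force) attack must cover."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation or c.isspace() for c in pw):
        size += 33  # printable symbols plus the space character
    return size


def brute_force_bits(pw: str) -> float:
    """log2 of the guesses a pure brute-force attack needs in the worst case."""
    size = alphabet_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def attack_tier(pw: str) -> str:
    """Which of the three stages described in the text would find this password."""
    lowered = pw.lower()
    if lowered in COMMON_PASSWORDS:
        return "common-list"   # stage 1: the most common passwords
    letters = "".join(c for c in lowered if c.isalpha())
    if lowered.isdigit() or letters in DICTIONARY_WORDS:
        return "dictionary"    # stage 2: a single word or a number sequence such as a date
    return "brute-force"       # stage 3: random strings; cost grows with length


def assess(pw: str) -> tuple[str, float]:
    """Return (attack tier, worst-case brute-force bits) for a candidate password."""
    return attack_tier(pw), round(brute_force_bits(pw), 1)


if __name__ == "__main__":
    for candidate in ("password", "Dragon99", "19830412", "I love my baby girl 4-ever"):
        print(f"{candidate!r}: {assess(candidate)}")
```

The birth-date and single-word candidates never reach the brute-force stage at all, while the passphrase from the text does and needs roughly 170 bits of search space against under 50 for an eight-character word-plus-digits password.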
3. Use two-factor authentication wherever you can
Even if you don’t give out your password and you use a good passphrase, it’s really only a matter of time before a hacker gets ahold of your password. Hackers steal millions upon millions of passwords every year—through no fault of the users who lose them.
That’s why you need a second line of defense: two-factor authentication.
Think of your password as a key that unlocks the door to your computer and your online accounts. If someone steals the key, they unlock that door and walk into your system, stealing or wrecking anything inside.
Two-factor authentication is like installing a deadbolt lock above the lock already in your computer’s door—a deadbolt that uses a different key from the door itself. Thus, if a hacker wants to get inside your computer, they would need to steal two different keys.
Where the analogy breaks down is that two-factor authentication isn’t about using two different passwords. Two-factor authentication uses a password and then some other piece of information stored separately from your password.
For example, many modern laptops include fingerprint readers, which require you to enter a password and scan your forefinger or thumb to access the system. Services like Gmail or Twitter can send special codes to your smartphone—either by voice call, text message or through an app—that you must combine with your password to log in.
With two-factor authentication, a hacker has to do more than steal a list of passwords from a server somewhere to hack into your computer. Hackers would need to steal your password and physically steal your smartphone (or your thumb) to get into your computer, and that is far, far less likely.
So, to wrap it all up: Don’t share your password with anyone. Use a passphrase instead of a password. Combine your passphrase with two-factor authentication. Follow those three steps and no one but you will ever get access to your computer or your online accounts.