A Practical Guide to Good Password Hygiene
On December 2nd, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) reported that an Iran-linked hacking group had been targeting US critical infrastructure, specifically US Water Facilities.
Two harsh realities made this hack possible.
First, system misconfigurations allowed systems to be publicly accessible via the internet vs. limiting its access to their intranet. Second, administrators used weak passwords (e.g., “1111”).
Suppose we disassociate the fact that this is critical infrastructure. In that case, this presents a unique opportunity for all of us to take a minute to inventory the systems we interface with daily and rethink how we handle our passwords.
This article will share my approach to ensuring good password hygiene and will include a basic framework you can use today.
Three Steps To Improve Password Hygiene
The simplest things are always the most complex. In this instance, it’s almost always how we manage our passwords. To help, I break every recommendation into three parts:
- Categorize Your Systems
- Leverage Password Managers
- Enable 2FA
1 – Categorize Your Systems
When I speak with users, the challenge is always helping them grasp the scope of the systems they interface with
To help, I always recommend categorizing their systems in this order:
| Priority | Group | Description | Examples |
|---|---|---|---|
| 1 | Communication | These are systems that facilitate how you communicate with friends, colleagues, etc.. | Gmail Signal Verizon etc… |
| 2 | Financial | These are systems related to finances. | PayPal Wize Chase etc… |
| 3 | Social | These are systems we use for our social presence. | TikTok etc… |
| 4 | Work | These are systems specific to our work… | Okta etc… |
| 5 | Everything Else | This a catch all for all other systems… | Amazon Random stores etc… |
It can feel overwhelming the first time you go through the process, but breaking it into these categories helps break the task into more manageable pieces. The prioritization also enables you to hone in on the most critical systems.
Your specific needs can tailor the exact prioritization. For example, I choose “communication” as my number 1 priority because every system I use is tied to one of my emails. In some instances, not only is my email the login mechanism, but other communications tools (e.g., Phone) can also be used as a validation source for access codes and additional important information. This becomes an essential category. This might be different for you, so tailor it as you see fit.
2 – Leverage Password Managers
For years, when talking about passwords, I would recommend using complex, long, and unique passwords. The harsh reality, however, is that, as humans, we’re pretty lazy, and the odds of us doing that for all the systems we interface with is slim to none.
Because of this realization, I embarked on a journey to forget all my passwords while still using passwords. I do this by leveraging password managers.
Think of password managers as a personal vault designed to store your most sensitive information, while also making it easy to retrieve when you need it most. Most have the ability to store a lot more than your passwords.
Don’t worry; most modern password managers have mobile counterparts that make it accessible via your mobile device. Most apps also account for password managers, allowing for auto-detection if it’s installed, and they dynamically push the credentials securely to make it easy to work with.
Some of the more common Password Managers include:
3 – Enable Two Factor Authentication (2FA)
The last bit of advice is always to enable Two Factor Authentication (2FA) or some form of Multi-Factor Authentication.
Two-factor authentication (2FA) is like having an extra layer of security for your online accounts. Imagine you have a safe where you keep your valuables. Instead of just needing one key to open it, 2FA is like requiring a second key or a unique code in addition to your regular key. So, even if someone gets hold of your primary key (like your password), they still need that extra information to access your valuables. This makes it much harder for someone to abuse your system.
Most modern systems today have some form of 2FA option available. You can typically find it in your account under Settings > Security. If in doubt, reach out to the customer support teams and ask them how to enable 2FA.
In almost all cases, they will allow you to use SMS, Email, or an Authenticator App. I almost always choose an Authenticator App. Some of the more common apps include:
- Google Authenticator (Apple and Android)
- Microsoft Authenticator
- Authy
Simple Doesn’t Mean Easy
I’ve spent the past 15 years educating users on the importance of online safety, and the one thing I have learned is that the most straightforward recommendations (e.g., use a strong password) are often the hardest to adopt.
I get it. We’re busy. We interface with countless systems daily. We sign up for things on the go via our mobile devices or others.
Unfortunately, cyber threats are a real threat for all of us. While we might not be critical infrastructure and have to worry about state-sponsored threats, bad actors are interested in what we have. I hope this article serves as a timely reminder of this and that you can use it as a guide to help you improve your general password hygiene.