By Mark R. Torello, CPA, CITP, CRISC, CFE, CISA, Partner-in-Charge, Whittlesey Technology
Reprinted with permission of the Connecticut Society of CPAs
In the field of cybersecurity, most things we do to increase security have an equally significant “opposite” effect on productivity. Simply put, they make your life harder.
That’s because we cybersecurity professionals need to put hurdles in the way of the attackers to stop them – or at least slow them down. Many systems require long, complex passwords that must be changed frequently. This can really make life harder for users when we can’t remember our credentials or even get locked out of our systems.
Then there’s multifactor authentication, where users must prove who they are using more than just a username or password – such as confirmation through a phone app, an additional code entered, or a fingerprint or face ID.
These safeguards are imperative to protect our online systems, but can be a hassle and slow down users.
Challenges with passwords
Why are passwords so challenging? One reason is that every system has its own rules for what constitutes an acceptable password. Some require uppercase and lowercase letters, some require a number and a special character, while others just want a number.
Then there are the systems that track the last password you used and won’t let you re-use it. Blasphemy! When you say “I forgot my password,” it allows you to reset it but forces you to change it again... adding yet another iteration of your favorite word. Yet this password is no harder to crack than the last one you used, even with a number and special character like *1 added after it. We may think we’re being crafty, but it’s not making things any harder for the hackers!
Why do passwords get compromised so often?
The simple answer is that businesses that are responsible for the safe-keeping of your credentials are not doing enough to adequately protect them. Once they are compromised, login credentials are sold quickly. That means that other websites and systems you use those credentials for can also become compromised. This is the reason you should not use the same password for more than one online system. That is challenge number one.
Other top difficulties include:
- Remembering complex passwords.
- Remembering many different passwords.
- Accessing saved passwords that are not always available on all of your devices.
- Deciding where to save your passwords. Web browsers? Contacts? Sticky notes? Notebooks?
The risk with the current password convention
In the past, we would all select a password plus a required number and capital letter. So if I liked summer, I might select “Summer2022.” This would clear the requirements of “complexity” rules built into most systems. But as you can see, it’s not the strongest password by far. And on the next password change mandate, there’s a good chance you might change that to “Summer2023.” That’s not any more secure in the eyes of a hacker.
Use a passphrase instead!
Password hacking systems look for dictionary words first and then append numbers to them in an automated approach that is very quick. Once all dictionary words with numbers are exhausted, the process of “brute-forcing” a password made up of multiple words (called a “passphrase”) can take a long time – even centuries!
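To put rough numbers on the comparison above, here is an added Python example (not from the article) that estimates the search space an attacker must cover for a “Summer2022”-style password versus a passphrase of randomly chosen words; the word-list sizes, the year range and the ten-billion-guesses-per-second rate are constructed assumptions for illustration.

```python
"""Compare the guess space of 'word + year' passwords with multi-word passphrases."""
import math

# Constructed modelling assumptions (not from the article):
WORDLIST = 100_000          # dictionary words a cracker tries first
PASSPHRASE_LIST = 7_776     # words in a Diceware-style passphrase list
YEARS = 100                 # plausible four-digit years appended to a word
SYMBOLS = 32                # printable ASCII punctuation marks
GUESSES_PER_SEC = 1e10      # offline attack on a fast, unsalted hash (assumed)
SEC_PER_YEAR = 365.25 * 24 * 3600


def word_year_space(with_symbol: bool = False) -> int:
    """Candidates of the form 'Summer2022' (word + year), optionally
    followed by one symbol as in 'Summer2023*'."""
    space = WORDLIST * YEARS
    return space * SYMBOLS if with_symbol else space


def passphrase_space(n_words: int) -> int:
    """Candidates for n words drawn at random from the passphrase list."""
    return PASSPHRASE_LIST ** n_words


def entropy_bits(space: int) -> float:
    """Equivalent strength in bits: log2 of the number of candidates."""
    return math.log2(space)


def years_to_exhaust(space: int, rate: float = GUESSES_PER_SEC) -> float:
    """Worst-case years to try every candidate at the given guess rate."""
    return space / rate / SEC_PER_YEAR


if __name__ == "__main__":
    cases = {
        "Summer2022 (word + year)": word_year_space(),
        "Summer2023* (word + year + symbol)": word_year_space(True),
        "4-word random passphrase": passphrase_space(4),
        "6-word random passphrase": passphrase_space(6),
    }
    for label, space in cases.items():
        print(f"{label:36s} {entropy_bits(space):5.1f} bits  "
              f"{years_to_exhaust(space):10.2e} years to exhaust")
```

The assumed rate corresponds to a fast, unsalted hash; a slow password hash such as bcrypt or Argon2 cuts the attacker's rate by several orders of magnitude and lengthens every row accordingly, which is why the passphrase advantage grows with each extra word rather than with an appended digit or symbol.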
For that reason, the process of putting more than one word together into a passphrase has been determined by the National Institute of Standards and Technology (NIST) to be much more secure than the best complex password plus numbers/characters. NIST Special Publication 800-63B (June 2017 but updated through 2020) introduced this concept with other unexpected changes in guidance on digital identity.
The most surprising change in guidance was NO requirement to change passwords/passphrases unless the credentials were involved in a compromise. [Note: This author’s guidance is to still change passwords/passphrases annually in case a compromise in another system is missed. This is still much easier than changing it every 60 or 90 days.]
Why did NIST make this change? Because changing passwords every 90 days just makes it more challenging for us to remember our passwords, so we end up doing foolish things like putting our credentials on a sticky note on our desks or making them too simple.
Thou shalt not share thy passphrase!
Certainly, you understand the importance of not sharing passwords or passphrases with others. It’s a big no-no for several reasons. Lack of audit trail is one. You should also not share that same passphrase between online accounts either. This is where it gets rough! How are you supposed to remember so many unique passphrases and which account they belong to?
The answer to all these challenges and requirements? The password manager!
Password managers are a unicorn in the security world. They are one of the very few systems that help improve productivity and make your life easier while also increasing cybersecurity.
Here’s how using a password manager addresses challenges:
- Remembering long passphrases – A password manager can save them so you don’t forget them and don’t get locked out.
- Using unique passphrases for each online system – A password manager can help you keep them organized and speed up the process by logging you into each site automatically.
- Sharing certain company-level login credentials with staff – A password manager can make this happen securely without divulging the actual passphrase to staff.
- Logging into various sites between phone and computer – A password manager makes this quick and seamless by working on multiple devices.
How to get started
It’s important to start protecting your accounts, pocketbook, and credit rating today. The first step is to stop using all the insecure means of storing and remembering your passwords and to install a good password manager. You will be surprised at how fast it is to learn how to use it and how quickly it can make your life easier and more secure at the same time.
While there are many good options, the leaders in the industry include:
- LastPass (author’s choice) – $36 per year
- Roboform – $24 per year, $48 per year for a five-user family plan
- Dashlane – $6.49 per month ($60 per year)
- 1Password – $3 per month ($36 per year, $60 per year for families)
- NordPass – $36 per year
All have free versions (not just trial versions) that limit the product functionality. These free versions are a great way to get to know the product by actually using it for a while. Once you’re ready to take the full plunge, upgrades are typically easy.
I like LastPass’s feature of having one login that gets me access to my free personal account as well as our paid business account (enterprise account) with company passwords in it, all while keeping them completely separate from each other. I also like how I can share passphrases to different groups of staff in the office.
- Make sure the password manager you select has an app that works well with your phone and other devices.
- See if the product has an enterprise version that provides more benefits in a business environment.
- Do your vendor due diligence and request their Service Organization Control (SOC) 2 Type 2 report. Ask your IT vendor to help you review it if necessary. Pay attention to the “User Entity Control Considerations.”
- Download the plugin that works with your favorite browser (e.g. Google Chrome). This will help achieve login efficiencies.
- In your browser settings, disable the “Prompt to Save Passwords.” Once you have all of your credentials in your new password manager, delete the passwords in the browser.
- Download the app for your mobile devices and configure them to use it.
- All good products will offer two-factor authentication – be sure to enable it during your initial setup.
Mark R. Torello, CPA, CITP, CRISC, CFE, CISA is the Partner-in-Charge of Whittlesey Technology, one of the region’s most sophisticated cybersecurity and technology consultancies. Since 1997, Whittlesey Technology has provided CPA firms with managed technology support, cybersecurity, and accounting system services.