Every year around this time I have to fill out my company's cyber insurance application, and every year I get asked if we encourage strong passwords and change them frequently. This question really bugs me, because we really shouldn't be changing passwords often. Rather, we must choose authentication processes that are appropriately matched to the risks of the site; using a password should be the last thing you want to trust.
First, think about the information and data that a website stores about you. The sites we want to offer the most protection often have the weakest. When you can, always add two-factor authentication to access a site. (Not all multifactor authentication is equal, but some form of multifactor is better than none. If you encourage attackers to go elsewhere, you've done your job.
Banks and financial organizations are often slow to roll out authentication software, so you have to settle for a username, password, and then a two-factor authentication tool, usually a text message sent to your smartphone. Although smartphone SIM chips can be cloned (so attackers can spoof your phone and intercept text messages), the vast majority of us are still better off with this process. Relying solely on a username and password to access the bank puts your account at risk.
To be fair, not all passwords are created equal. If you have reused a password on another website or for another bank account, you are at greater risk. Attackers often steal or purchase a repository of cracked passwords, or password hashes, and then attempt to reuse them to gain access to other sites. If you have already received a password reset notification, and have not attempted to log in to the account, an attacker is likely attempting a password stuffing attack on the site. So don't reuse the same password anywhere.
For years, online users have been asked to change their usernames to see if a site was selling their information elsewhere. Now I see the same kind of recommendation for choosing passwords or passphrases. There's a really funny video online that describes the process people use to choose passwords. You started by choosing a password, then you use it everywhere. Then when a site says that one is not good enough, it adds another letter. So you need a special character (like the exclamation mark). The truth is that our brains can only store so much information, so we tend to reuse the same password, or a variation of it, on multiple sites.
Microsoft often recommends the use of PIN codes instead of passwords. He argues that a PIN is device-specific, so if an attacker steals your PIN, he must also steal the device. There is a problem with this argument. I have several devices that require a PIN, and I have to admit that I use the same PIN on all of them because I don't remember PINs any better than passwords. According to Microsoft, the benefit of a PIN is that "when the PIN is created, it establishes a trust relationship with the identity provider and creates an asymmetric key pair that is used for authentication." The computer's Trusted Platform Module (TPM) chip stores a PIN code. (If you're wondering why you had a Windows 10 machine that asked you to use a PIN instead of a password, it's because the operating system registered that it had the hardware to support the process.) If you don't need or want to have a PIN, you can delete it. Press the Windows key and the I key to open Settings. Choose accounts, then click continue. In the left pane, click Connection Options. In the right panel, select "Delete" in the PIN section.
Efforts to improve online security are increasing. Intuit recently began requiring an online password even to log in to the desktop version of QuickBooks, its accounting and bookkeeping software. Those who have a QuickBooks file that contains sensitive information like payroll or credit cards should also sign in with an online account first. For years, desktop users only needed a username. Still, many users felt the change seemed cumbersome, especially when combined with the mandate to change passwords every 90 days. (Again, it's this idea that changing your password is better than using better passwords or using the Google Authenticator app to access your Intuit account.
Even if you're a small business, you can add two-factor authentication to your own computer access to increase security. Duo.com, for example, offers free DUO for implementation with less than 10 users. Provides a two-factor prompt to a smartphone or even Apple Watch. I use it in my office for remote access to make sure that when someone logs in from outside the office, they have to reply to a message on their phone to gain access. Its ease of use allows me to guarantee the security of remote access and avoid excessive password changes.
If you are a cyber insurance seller or agency, listen to me! Stop asking me to change my password. Instead, ask me what my favorite multifactor app is. This is the fastest way to improve security for most users.
Copyright © 2022 IDG Communications, Inc.