Here, take this quick test to find out where you currently are with respect to password security:
GOOD:
- you use a different and secure password for every different site, service and computer that you access
- you use 2 factor authentication on sites that support it
- you use a password manager to help store your passwords and use them securely
- you are certain that someone gaining access to an account, especially email, could cause serious financial and/or identity damage
- you never walk away from a computer at the office or in public without locking it first
- you use unique passwords for each of your email accounts (BU and otherwise: Gmail, Hotmail, etc.) and never use those passwords for any other account or service
NOT-SO-GOOD:
- you reuse some passwords on what you consider to be “lower importance” sites
- you aren’t certain that you have enough digital flotsam and jetsam to cause serious damage if someone gained access to an account, but you keep hearing computer security people talking about it so you have taken some steps to protect yourself
- you don’t maintain a separation between passwords used for email accounts and passwords used for other sites and services
- you commonly use the same password across many sites
- you don’t believe that someone could cause significant damage in your life if they were to gain access to your personal and/or work email account
So, how did you do? I suspect that you fit either in the NOT-SO-GOOD section, or somewhere between that and the GOOD section. Most people do.
So, how to improve?
Well, here are some best practices for password and account security:
- Always use a unique password for each email account that you have and never reuse that password on any other site. Email accounts are “special”. They are provided to virtually every site when you sign up for an account, and depending on how that site is developed, the owner (or any person who hacks the site) might be able to see the password you have used. If you used the same password for that site and for your email, then the site owner (or nefarious hacker) now has access to your email.
- Understand that someone else gaining access to your email should always be treated as devastating. With that access they can now request password resets on all of your other accounts. “But they don’t know my other accounts,” you say. It doesn’t matter. Automated programs can now request password resets (“forgot your password?”) on thousands of sites in minutes, including many common accounts which store credit cards or allow financial transactions. This is all in addition to the reputation damage that can be caused by someone impersonating you with friends, family, and coworkers.
- Avoid using your Bishop’s email address for things not associated with your Bishop’s work, teaching or research. Business email addresses are “owned” by the business, and as such, addresses ending in @ubishops.ca are monitored for their appearance on hacking sites so that we can close accounts if they are compromised. That monitoring can also reveal unfortunate or potentially embarrassing information (remember Ashley Madison?) about what a person’s account has been used for.
- Never walk away from a computer that is not in your home without locking it first. Your computer, when logged in and with stored passwords in the web browsers and many open windows, is a portal to your online self. If you walk away from your computer without locking it, you are opening yourself to the “I can’t believe it happened to me” experience that could be as innocuous as someone updating your Facebook status with some embarrassing comment, or could be as damaging as someone sending an inappropriate email to a supervisor. Why bother even having a password if you are not going to require it to get access to your computer?
- The key factor in determining the strength of a password is its length. We utilize a set of password rules at Bishop’s which requires passwords to contain characters from at least 3 of the following categories: uppercase characters, lowercase characters, numbers, and symbols. But, while you have to observe those rules, a 16 character password like Xy1ophonesarefun is far more secure than a 7 character password like X34!u6B. Without going into a detailed explanation of why, it would take a computer approximately 7 minutes to crack the 7 character password, and 38 billion years to crack the 16 character one. Test how secure your password is here.
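To show where the “length beats complexity” claim comes from, here is an added example (not code from the original post or from Bishop’s IT) that checks a password against the “3 of 4” composition rule described above and computes the size of the brute-force search space for each of the two sample passwords. The guess rate in the demo (1e11 guesses per second) is an assumption chosen for illustration; the post’s own figures of 7 minutes and 38 billion years come from a different, unstated rate, and the point is the ratio between the two passwords, not the absolute numbers.

```python
import math
import string

# Character classes used by the "3 of 4" policy described in the post.
CLASSES = {
    "upper": string.ascii_uppercase,   # 26
    "lower": string.ascii_lowercase,   # 26
    "digit": string.digits,            # 10
    "symbol": string.punctuation,      # 32
}


def classes_used(password: str) -> set:
    """Return the names of the character classes that appear in password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def meets_policy(password: str, min_classes: int = 3) -> bool:
    """The composition rule quoted in the post: at least 3 of the 4 classes."""
    return len(classes_used(password)) >= min_classes


def search_space(password: str) -> int:
    """Candidates a blind brute-force attacker must try in the worst case:
    alphabet ** length, where the alphabet is the union of the classes present.
    Dictionary words shrink the real search space; see the note after the code."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(password))
    return alphabet ** len(password)


def entropy_bits(password: str) -> float:
    """log2 of the search space, the usual scale for comparing password strength."""
    return math.log2(search_space(password))


def crack_time_seconds(password: str, guesses_per_second: float) -> float:
    """Worst-case time to exhaust the search space at an assumed guess rate."""
    return search_space(password) / guesses_per_second


def describe(seconds: float) -> str:
    """Render seconds in the largest convenient unit (a year is 365.25 days)."""
    for unit, size in (("years", 365.25 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    RATE = 1e11  # assumed guess rate for an offline attack on a fast hash; illustrative only
    for pw in ("X34!u6B", "Xy1ophonesarefun"):
        print(f"{pw:18} len={len(pw):2} policy={meets_policy(pw)} "
              f"classes={sorted(classes_used(pw))} bits={entropy_bits(pw):.1f} "
              f"worst-case={describe(crack_time_seconds(pw, RATE))}")
```

Running it shows roughly 46 bits for the 7 character password versus roughly 95 bits for the 16 character one: every extra character multiplies the search space by the alphabet size, which is why length dominates. One caveat for defenders: the model above assumes every character is chosen uniformly at random. A password assembled from dictionary words with a digit substituted in (as the 16 character sample is) sits in a far smaller space that wordlist-and-rules cracking tools search first, so randomly generated passwords from a manager are the safer way to get that length.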
- Learn about two factor authentication. Two factor authentication is based on the notion that gaining access to something should require more than just something you know. It should also require something you have. We use two factor authentication every time we go to a bank machine to take out money (something we have: bank card, something we know: PIN). With accounts at popular services like Gmail, Facebook and Twitter, two factor authentication is based on what you know (your password) and what you have (your cell phone), so when trying to log in on a computer that you don’t normally use, you will enter your password and then the site will text you a code that you will enter as the 2nd factor. You can learn more about two factor authentication here.
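The “site texts you a code” exchange described above, written out as the server side of the flow. This is an added example and not code from the original post or from any of the named services; the five minute lifetime, the three attempt limit and the in-memory message log that stands in for an SMS gateway are all assumptions made for the demo. It shows the properties a defender cares about in the second step: the code comes from a CSPRNG, it expires, it is single use, it is compared in constant time, and a handful of wrong guesses throws it away.

```python
import hmac
import secrets
import time

CODE_LIFETIME_SECONDS = 300   # assumed: a texted code is good for five minutes
MAX_ATTEMPTS = 3              # assumed: discard the code after three wrong guesses


class SecondFactorService:
    """Server-side half of the 'we text you a code' step, kept in memory.

    `send` is the delivery hook (a real deployment would call an SMS gateway);
    by default the demo records messages in `sent` so the exchange can be
    inspected offline. `clock` is injectable so expiry can be exercised."""

    def __init__(self, send=None, clock=time.time):
        self.clock = clock
        self.sent = []
        self.send = send or (lambda phone, text: self.sent.append((phone, text)))
        self.pending = {}   # username -> {"code", "expires", "attempts"}

    def issue_code(self, username: str, phone: str) -> None:
        """Call only after the first factor (the password) has been verified."""
        code = f"{secrets.randbelow(10 ** 6):06d}"   # six digits from the CSPRNG
        self.pending[username] = {
            "code": code,
            "expires": self.clock() + CODE_LIFETIME_SECONDS,
            "attempts": 0,
        }
        self.send(phone, f"Your login code is {code}")

    def verify_code(self, username: str, submitted: str) -> bool:
        """True exactly once, for the right code, before it expires."""
        entry = self.pending.get(username)
        if entry is None:
            return False                        # nothing issued, or already consumed
        if self.clock() > entry["expires"]:
            del self.pending[username]          # expired: the user must request a new one
            return False
        entry["attempts"] += 1
        # Constant-time comparison so response timing does not leak matching digits.
        if hmac.compare_digest(entry["code"], submitted):
            del self.pending[username]          # single use
            return True
        if entry["attempts"] >= MAX_ATTEMPTS:
            del self.pending[username]          # too many guesses: start over
        return False


if __name__ == "__main__":
    svc = SecondFactorService()
    svc.issue_code("alice", "+1-555-0100")       # constructed sample user and number
    print("sent:", svc.sent[-1])
    code = svc.sent[-1][1].split()[-1]
    print("correct code accepted:", svc.verify_code("alice", code))
    print("replayed code accepted:", svc.verify_code("alice", code))
```

The second factor only adds security if the first step (the password check) happens before `issue_code` is called and the code is never returned to the browser; it must travel over the separate channel the user physically holds.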
- Consider using a password manager. Password managers are gaining in popularity for all of the reasons that I have mentioned in this post. We all should have a lot of passwords, one for every site and service we use. Of course, this is untenable for our brains and leads us to do insecure things like writing down passwords, or using very simple ones. Password manager software helps by providing an encrypted storage mechanism for those passwords and assists us with filling in the passwords on sites. Without advocating for this particular package, 1Password, which is the software I use, only requires me to remember, well, 1 password. When I get to a website that I need to log in to, I enter the “1 password” that it knows, and it goes and fills in the specific password for that site. You can learn more about password managers here.
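To make the “one password unlocks many unique passwords” idea concrete, here is an added example that is not code from the original post, from 1Password or from any other product. It generates a random, policy-satisfying password per site and gates access to the store behind a master password that is never stored itself, only a salted PBKDF2 verifier. The round count is an assumed work factor, and the demo keeps entries in plain memory: a real manager also encrypts them with a key derived the same way, which is left out here because the standard library has no AES.

```python
import hashlib
import hmac
import secrets
import string

PBKDF2_ROUNDS = 200_000   # assumed work factor for the demo; products tune this higher
REQUIRED_CLASSES = (string.ascii_uppercase, string.ascii_lowercase,
                    string.digits, string.punctuation)
ALL_CHARS = "".join(REQUIRED_CLASSES)


def generate_site_password(length: int = 20) -> str:
    """Random password from the CSPRNG that is guaranteed to contain all four
    character classes (so it passes a '3 of 4' rule) and is otherwise uniform."""
    if length < len(REQUIRED_CLASSES):
        raise ValueError("length too short to cover every character class")
    chars = [secrets.choice(cls) for cls in REQUIRED_CLASSES]
    chars += [secrets.choice(ALL_CHARS) for _ in range(length - len(chars))]
    # Fisher-Yates shuffle driven by the CSPRNG so class positions are not predictable.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


class Vault:
    """In-memory stand-in for a password manager's store.

    Only the master password's verifier (salt + PBKDF2 output) is kept; the
    master password itself is never written anywhere. Encryption of the
    entries is omitted (see the lead-in), so this demo only gates access."""

    def __init__(self, master_password: str):
        self.salt = secrets.token_bytes(16)
        self.verifier = self._derive(master_password, self.salt)
        self._entries = {}      # site -> generated password
        self._unlocked = False

    @staticmethod
    def _derive(master_password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, PBKDF2_ROUNDS)

    def unlock(self, master_password: str) -> bool:
        """The one password the user remembers; compared in constant time."""
        candidate = self._derive(master_password, self.salt)
        self._unlocked = hmac.compare_digest(candidate, self.verifier)
        return self._unlocked

    def lock(self) -> None:
        self._unlocked = False

    def add_site(self, site: str, length: int = 20) -> str:
        """Create and store a fresh random password for a site; return it for the form fill."""
        self._require_unlocked()
        pw = generate_site_password(length)
        self._entries[site] = pw
        return pw

    def get(self, site: str) -> str:
        self._require_unlocked()
        return self._entries[site]

    def reused(self) -> set:
        """Sites whose password also appears under another site (should be empty)."""
        self._require_unlocked()
        seen = {}
        for site, pw in self._entries.items():
            seen.setdefault(pw, []).append(site)
        return {s for sites in seen.values() if len(sites) > 1 for s in sites}

    def _require_unlocked(self) -> None:
        if not self._unlocked:
            raise PermissionError("vault is locked")


if __name__ == "__main__":
    vault = Vault("correct horse battery staple")      # constructed sample master password
    vault.unlock("correct horse battery staple")
    for site in ("mail.example", "bank.example", "shop.example"):   # constructed sample sites
        print(f"{site:14} {vault.add_site(site)}")
    print("reused passwords:", vault.reused() or "none")
    vault.lock()
```

The `reused` check is the kind of audit most managers surface in their own UI; with generated passwords it stays empty, which is exactly the GOOD-column habit the quiz at the top is asking about.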