Password Security & User Accounts

March 28, 2013

Blog

In last week’s blog post, I explained just three ways you can keep your organization’s data safe. There are often times, however, that an individual or organization uses an online service. In these cases, while the data is certainly yours and only you have access to it, you have no control over how the service provider secures that data (other than front-end password authentication, of course).

In this blog post, I will explain just a few of methods you should use to protect your internet user account passwords – from personal email addresses in the cloud (such as Google Apps) to your organization’s crucial financial data on bank account websites.

Do not use the same password
Imagine the following scenario: You have a user account on “Awesome Nonprofit Website Service” (ANWS), a website that provides your nonprofit organization with an awesome service that you can’t live without.

Suppose your user account on ANWS is tied to your nonprofit organization email address, you@your-nonprofit.org. Pretend with me that you use the same password for your ANWS account as you do your email address.Unbeknownst to you, in this hypothetical example, ANWS has lousy security. Their system his hacked and the attackers now have all of the passwords people used on ANWS.

Incidentally, the attackers notice that your email address is linked to your user account. Because the attackers now have your ANWS password, and know that the vast majority of internet users use the same password across multiple websites, what is the first password you think the attackers will try in order to access your email account?

Because no internet service is 100% secure, you should never use the same password across multiple user accounts.

Use strong passwords
Strong passwords are vital to your security as an internet user. However, strong passwords don’t have to be hard to remember. Length and complexity of the chosen password are more important than having just a random generated password. I am reminded of this classic XKCD cartoon:

Image Source

Length and complexity of the chosen password are more important than having just a random generated password.

Best practice that online services use to protect their users’ data is to turn each user’s password into a unique one-way “hash” – so the password, when entered, can be transformed into the hash, but not the other way around.

However, you as an individual or organization should never rely on an organization’s security practices, because many organizations use outdated hashing mechanisms, and some organizations don’t hash passwords at all.

Imagine a scenario with me that an online service your nonprofit organization uses is breached and the attackers gain access to every account’s password (which, fortunately for you, has been hashed). However, if you have chosen a weak password, that password can still be “cracked” very easily. Hacking tools are becoming more and more common, while computer speeds continue to get faster and faster. According to this article from IT World, as of middle of 2012,

  • A 6-character password with a symbols and a mixture of upper case & lowercase letters, can be cracked in less than 2 minutes.
  • A 10-character password with these same characteristics be cracked in less than 3 weeks.

You can create a strong, memorable password by using your surroundings or circumstances in your life to create a string of characters, which should be at least 15 characters with a symbol. {Edit in September, 2016: At the time this blog post was published in 2013, a 12-character password was generally the minimum I would recommend. Now, I recommend a password that is no less than 15 characters in length}

However, when choosing a password, NEVER do the following:

  • Include your name
  • Use just 1 word that is in a dictionary
  • Use all lowercase letters
  • Use a password without any symbols.

With just a little bit of creativity, you too can use easy-to-remember, but secure, passwords.

In summary, there are many things you can do to protect yourself and your organization’s online accounts. There are millions of would-be hackers on the internet, and you should never rely on your service provider to keep your information secure.

To learn more about our services, visit our home page, or read about our services.

Sign Up for Our Newsletter

Recently on Twitter:
Contact us today to discuss the best ways to turn your IT challenges into IT opportunities.
Develop CENTS