Following the breaking news that 65 million passwords and emails have been advertised for sale online since the major security breach at Tumblr, three years ago. Paul Trulove, VP of product management at SailPoint discusses below why we are still discussing password management today and the steps users can take to strengthen logins, when websites fail to do so.
Paul Trulove, VP of product management at SailPoint:
The truth remains, password management is still very much a critical element to an individual’s online security and one that many are still struggling to get right. In fact, many of the major security breaches that have occurred over the last couple of years – ones the have even impacted the most basic consumer – have all been related to passwords. The most obvious and simple measures are still being overlooked, or often, users are simply unaware of the potential dangers, which will only get worse as we continue to adopt applications – both cloud and web.
To avoid falling victim to password hacks, users must ensure a constant state of password hygiene, the following tips will help keep individual account protected:
Keep it long
The longer and more complex the password, the safer it will be. Ironically, writing down your long passwords on a yellow sticky note is better than using short ones. What’s more, twelve characters should be the minimum. Avoid using dictionary words unless as part of a complex passphrase, and add special and mixed case characters wherever you can.
Be unique
To make things harder for the bad guys, use unique passwords for every website as this ensures both your organisation remains untouched. Furthermore, it reduces the risk to seemingly unrelated businesses, where the same password is being used across multiple accounts. Try putting sites into mental groups (by value or name or something else) to help remember them. You can easily add something about the individual site to your ‘high entropy password’ to create something unique.
There are good commercial tools and solutions that make this overall process much easier. Solutions are available that can capture, store and replay complex passwords.”
Watch the road
Always be aware of where you are on the Internet and take specific note of anything and anybody that asks you to ‘login’ or provide any ‘secrets’ or personal information. Opt-in for multi-factor authentication where available. Sites like Google and PayPal offer these services. Look out for HTTPS-enabled websites in your browser’s address bar. If you don’t see a little lock next to the URL, be aware that its not secure.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.