Password hygiene fortifies defense against cyberattacks

The Cybersecurity & Infrastructure Security Agency (CISA) has named October to be Cybersecurity Month. The CISA Cyber Summit has hosted many exciting conversations about cyber vulnerability, the possibilities of collaboration, and the importance of an actively engaged strategically trained cybersecurity team.

Throughout every track, the resounding warning cry in every seminar is the importance of good password hygiene. After decades of ransomware, viruses, and identity theft, we’re still writing articles about the importance of paying close attention to your passwords.

What follows is a practical, no-nonsense Q&A with Chris Wyospal, co-founder and chief technology officer of Burlington, Massachusetts-based Veracode, formerly of the hacker group L0pht, during which the author has a panic attack, and then takes action about her own lack of cybersecurity.

Q&A with Chris Wyospal

VentureBeat: I admit that I rotate my tires more often than I change my passwords. How do you convince people to take their passwords more seriously?

Chris Wyospal: Hackers crack a seven-character password in up to 0.29 milliseconds. That’s a startling statistic. Using one password for multiple logins sounds tempting; however, recycling passwords only leads to hackers gaining access to multiple accounts through a successful attack. When choosing a password, try using a random word sequence and make it 12 or more characters long. Using a password manager can help you use a different password for each website.

VentureBeat: Chris, a car horn can be startling. That statistic is terrifying. How can the casual user be aware of the changing security landscape in a useful way?

Wyospal: Stay up to date with the news and pay attention to cybersecurity incidents. By learning from industry experts, security publications, and software security vendors, casual users will be able to understand where cybersecurity threats lie and how to minimize their risk.

VentureBeat: Where should I go for reliable information?

Wyospal: The Cybersecurity & Infrastructure Security Agency (CISA) in the U.S. is a great place to start. The association provides tips and resources for consumers and businesses on how to stay safe and secure online, including using multifactor authentication, maintaining online privacy, and how best to protect important information stored digitally. Additionally, ensure your applications and devices are configured to check automatically for the latest software updates.

When your home office has to be office compliant

VentureBeat: With more people working from home, or remote hybrid variations, what level of security should a home office have minimally? What’s all that extra stuff going to cost, and who’s going to pay for it?

Wyospal: Let’s start with some of the biggest risks to consider when working from home and explain how they can be remediated. The first risk is VPN connectivity. While working from home, you should be connected to your company’s VPN, which encrypts your data and disguises your IP address, making its location invisible to everyone–most importantly, attackers.

Another risk with remote working is employees connecting personal computers to corporate networks. These tend not to have the same level of security as computers provided by employers and can give hackers a gateway into the corporate network.

Employees must follow corporate cybersecurity policies closely and adhere to the requirements for connecting — it’s for their own safety and that of the entire organization.

If you are using WiFi, make sure you are using WPA2 encryption with a non-guessable password. It may be tempting to load software onto your work PC but do not install non-work-related and approved applications.

No, boomer, you can’t use Abc?123! for every password

VentureBeat: Some browsers now offer a “Choose Suggested Password” option. Is this a safer option?

Wyospal: Choosing to use the suggested password is not overly safe, no. When using a browser as your pseudo password manager, you’re not using the highest level of security available for your passwords. Browsers’ top priority is for their system to run smoothly and be user-friendly when accessing different web applications, not to keep your passwords and personal information secure.

What you should do instead is use a third-party password manager, whose sole purpose is to create high-strength passwords and keep your information secure. There are a variety of both free and paid options when choosing a password manager, including many options that have a downloadable app.

VentureBeat: I think I’m having a panic attack, and I’m going to make real changes today. How do I choose the best multifactor sign-in?

Wyospal: There are three options for multifactor sign-in, a universal second factor (U2F), a time-based one-time password, and SMS messaging to a registered number.

U2F devices connect to your device, typically by USB. The service requires both your password and the presence of the U2F device. An attacker would have to steal or copy your U2F device in addition to guessing your password. While these inexpensive devices are supported by many major services, the downside is that they can be inconvenient to carry.

Time-Based One-Time Password (TOTP) systems use an application, usually on a mobile phone, to generate six-digit codes that change frequently. The service will require your password and the current TOTP code. An attacker would need to steal or duplicate the data on your mobile phone, in addition to guessing your password. There are several applications to choose from to manage your TOTP codes, and most are free of charge.

SMS systems send a text message to a registered mobile phone number, so an attacker would need to be able to read your text messages in addition to guessing your password. This is the least secure solution of the three due to weaknesses in the security of SMS, or the protocol for cellular text messages.

VentureBeat: Are passphrases a safer choice than passwords?

Wyospal: Passphrases are a much safer choice than passwords. Contrary to popular belief, having a long password is more important than having a complex password. My recommendation for developers is to ensure that their system will accept at least 64 characters for password fields.

VentureBeat: Sometimes the hardest part is simply coming up with a phrase. Can you recommend a trick to coming up with passphrases?

Wyospal: Use basic cryptography. Typing your password one row higher or lower on the keyboard or using an initialism for a longer phrase can make passwords much harder to guess. Don’t go overboard with this technique, though, or you may forget your own password. You should also avoid reusing passphrases, using patterns, and using famous quotes or lyrics. If an attacker manages to guess or recover your passphrase for one service, they will very likely try that passphrase and variations on it to log into other services; using unique phrases or cryptography for each service makes this much harder.

VentureBeat: Just how dangerous is it really if I save all my logins and passwords for every website I visit? It’s just so I can keep track of my Starbucks points, and pay my Macy’s card, and book my travel with an online aggregator who takes my credit card….oh. I see.

Wyospal: It is extremely dangerous to save all of your logins and passwords for websites directly in your browser. Many browsers don’t require authentication to access the password, so if someone gets access to your system, there’s a risk they’ll have access to all of your saved logins too.

Secondly, because many people reuse passwords, even if a hacker is able to access only one of your passwords, they’ll likely test it on many other platforms as well, creating a domino-like effect of breaches on your accounts.

The third risk is that when you have the browser fill in your login credentials upon returning to a site, it scans a database and then inputs your information. If that database is hacked, or the data is leaked, so too is your information and login credentials.