You probably heard on Thursday the news that a bug on Twitter potentially exposed the passwords for all 330M users. The press release from Twitter said that the company hasn't found any indications of a breach or misuse, but it is recommending that all users update their passwords as a precaution. It made me stop for a minute: when was the last time I updated my Twitter password? Hmmm, I couldn't remember.
Immediately we did two things: first we jumped on Twitter to update the password for our corporate account; then we sent out a note to our team to do the same with their personal accounts.
All of this got us thinking that it might be helpful to send out some password best practice reminders! With password spray attacks and hackers trying to gain access to corporate data being an everyday occurrence across the globe, it is important to make sure that every one of your users is part of the defense and not part of the problem!
In fact, did you know that Microsoft sees over 10 million username/password pair attacks every day?
Crazy, right? If you want to read Microsoft's recommendations in depth, they have published a paper that you can download using the button below, but read on for a quick summary of their recommendations. Note: the guidance in the paper is scoped to users of Microsoft's identity platforms (Azure Active Directory, Active Directory and Microsoft account), though the guidance generalizes to other platforms.
Advice to End-Users:
1. Create a unique password for each of your accounts. If someone gains access to one account, you don't want that to be a free-for-all to then gain access to all of your other accounts! (What if someone did get your Twitter password and it was the same as your bank account's?) When creating a strong and unique password, don't use common passwords (123456, Pass@word1, Spring2018, etc.), don't use single words or commonly used phrases (princess, iloveyou), and make it hard to guess even for those who know a lot about you (names and birthdays of friends and family, favorite bands, pets).
2. Keep your security info up to date. If you forget your password, having an up-to-date alternate email address and phone number on file is what lets the service confirm that it is really you who is trying to reset your password.
3. Watch for suspicious activity. Keep an eye on your latest sign-ins and changes to your account. If you see something weird, click "this wasn't me" or report it to IT.
4. Turn on two-step verification. This is a really simple way to mega-boost your security and make it more difficult for hackers to sign in even if they have figured out your password!
5. Keep everything up to date. This includes your operating system, your browser and all of your other software.
6. Beware of suspicious email and websites. If you don't know the sender, or there are attachments you don't recognize, it is best not to open it. The same goes for downloading things from the internet when you don't know that the source is trustworthy.
7. Install an antivirus program on your computer. If you have Windows 10, good news: you already have this built in! Once you have an antivirus, set it to update regularly and scan your computer.
Advice to IT Administrators:
Note: Azure Active Directory and Active Directory allow you to support these recommendations:
- Maintain an 8-character minimum length requirement (and longer is not necessarily better).
- Eliminate character-composition requirements.
- Eliminate mandatory periodic password resets for user accounts.
- Ban common passwords, to keep the most vulnerable passwords out of your system.
- Educate your users not to re-use their password for non-work-related purposes.
- Enforce registration for multi-factor authentication.
- Enable risk based multi-factor authentication challenges.
If you have any questions about other security best practices or would like an assessment of the current state of your organization's security, give us a call.