Password Best Practices with Storable’s Information Security Director
Sometimes there’s only one thing standing between a cyberattacker and your sensitive data—a strong password.
Around 4 out of 5 known data breaches occurred due to a compromised password, according to LastPass. With more and more services going online, the typical business employee has to manage, on average, 191 different passwords. If you aren’t using a secure password for every single service and account, your self-storage business’ data is at risk.
That’s a lot of passwords to keep track of.
The good news is that passwords, with all of their faults, may soon become a thing of the past. Google, Apple and Microsoft recently announced a rare joint initiative to support a passwordless-account protocol, which uses passkeys sent to known user devices to verify identity.
Unfortunately, it may be a while for completely passwordless capabilities to make their way to all of the apps and websites you use regularly. To help keep you secure in the meantime, we asked Storable’s own Information Security Director Mark Baldwin to give storage operators his best advice about how to manage their ever-growing list of passwords.
What are the risks of self-storage businesses not changing passwords?
Mark Baldwin: The primary risk of not changing a password is that it will become compromised and then used by malicious actors for unauthorized access. For example, someone may watch you type in your credentials without you knowing, and then use those same credentials to log in to your account. Or, if a website that you use is compromised, user credentials are exposed. Those credentials could then be sold on the dark web and used to access your account by a malicious actor. Changing your password regularly minimizes this risk.
How often should you change passwords?
How often you should change your password depends on a number of factors such as the organization’s risk tolerance, the sensitivity of the data stored by the organization and compliance requirements. Traditionally, best practice has been to change your password every 90 days. Most compliance frameworks such as the PCI DSS require changing your password at least every 90 days.
Why should you never reuse passwords for multiple sites?
Unfortunately, it has become commonplace for websites to be compromised by hackers. When this happens, they often are able to obtain the credentials of the users who are registered on the site. The attackers can then attempt to use those same credentials on other sites.
For example, let’s imagine a self-storage company uses the same username and password to access website A and website B. Then, website A is compromised by a hacker and she obtains the credentials of all the users of the site. The hacker can then attempt to use those same credentials to access user accounts on website B. This is frequently referred to as password spraying. Using different passwords on website A and website B would prevent this situation.
What is the best way enterprises can safely share passwords for accounts and services?
The best way for storage operators to safely store and share passwords is with the use of password management tools such as LastPass, Dashlane and 1Password. These services securely store your credentials and allow organizations to share them in a safe manner. A password manager will also make it so that you only have to remember one password (the master password for the password manager), and will securely populate your password for you when you log in to a web application. This makes it easy to have a unique password for every application you use.
How do you know if your password is strong enough?
Generally speaking, the longer a password is, the more secure it is. For example, a 15-character password consisting of only lowercase letters is more secure than an 8-character password that has upper- and lowercase letters, numbers and special characters. This is why passphrases make excellent passwords. They are longer, but also easier to remember. There are many online tools to help you create a secure password, including Secure Password Generator and LastPass Password Generator.
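To put numbers on the comparison above, here is an added example (not from Storable or the interview) that computes the search space in bits for a uniformly random password of a given length and character set, then draws a passphrase with the cryptographic RNG. The word list is a constructed stand-in; the bit counts for a real list are computed with an assumed size of 7776 words, the size of the common diceware lists.

```python
import math
import secrets

# Character-set sizes for the two password styles compared in the interview:
# 26 lowercase letters vs. the 95 printable ASCII characters.
LOWERCASE = 26
FULL_PRINTABLE = 95


def keyspace_bits(length: int, charset_size: int) -> float:
    """Search space, in bits, of a uniformly random password: log2(charset_size ** length).
    Every extra bit doubles the work of an exhaustive guessing attack."""
    return length * math.log2(charset_size)


def compare_page_examples() -> dict:
    """The two passwords from the answer above, rounded to one decimal place of bits."""
    return {
        "15 lowercase letters": round(keyspace_bits(15, LOWERCASE), 1),
        "8 mixed characters": round(keyspace_bits(8, FULL_PRINTABLE), 1),
    }


# Constructed mini word list for illustration only; a real generator draws from a
# large published list (thousands of words) so that each word adds ~12-13 bits.
WORDS = ["anchor", "basket", "copper", "dragon", "ember", "falcon", "garden",
         "harbor", "island", "jungle", "kettle", "lantern", "meadow", "nickel",
         "orchid", "pebble", "quartz", "ribbon", "saddle", "timber"]


def passphrase_bits(n_words: int, wordlist_size: int) -> float:
    """Bits for n words chosen uniformly at random from a list of wordlist_size entries."""
    return keyspace_bits(n_words, wordlist_size)


def generate_passphrase(n_words: int = 5, wordlist=WORDS, sep: str = "-") -> str:
    """Pick words with the cryptographic RNG (secrets, never random.choice) and join them."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    for label, bits in compare_page_examples().items():
        print(f"{label}: {bits} bits")
    print(f"5 words from the {len(WORDS)}-word toy list: "
          f"{passphrase_bits(5, len(WORDS)):.1f} bits -> {generate_passphrase()}")
    print(f"5 words from an assumed 7776-word list: {passphrase_bits(5, 7776):.1f} bits")
```

The toy list yields only about 21.6 bits for five words, which is why the size of the word list matters as much as the number of words.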
Should employees use Chrome or Safari to save passwords on company computers?
Your staff should refrain from saving passwords using the web browser. If your computer were to become compromised, lost or stolen, a malicious actor could access those passwords saved by the browser. Obviously, this is an even greater risk for mobile devices such as a laptop or smartphone. Using a password manager such as LastPass is a much more secure option for self-storage facilities to store passwords.
What is two-factor authentication? When should I use it?
Two-factor authentication (aka 2FA and MFA) is an authentication protocol that requires at least two pieces of information to log in. Frequently, this includes something you know (e.g. a password) AND something you have (e.g. a token on your smartphone), but can also include something you are (e.g. a fingerprint). 2FA significantly raises the bar for a malicious actor to gain unauthorized access to a system because a simple username and password alone does not grant access.
They would also have to obtain access to the victim’s phone, or get the victim to provide the security token from the phone. While not foolproof, it does make it much more difficult for attackers and thus should be used on any system that supports it, especially those with sensitive data.
Want to learn more with Mark about how to keep your business data secure? Check out the webinar recording below for a deeper dive on the subject.