Passwords, passwords, passwords! Passwords everywhere!
It’s true that we live in a jungle of passwords. The entangled web of logins that many of us deal with every day can be overwhelming. Most have heard the mantra about complex passwords and changing passwords, but where does the madness end, really? How in the world do we keep ourselves sane while keeping ourselves safe? Luckily there are some great solutions. And some great solutions to the problems that the first set of solutions introduces. Bear with me as we look at how MFA fits into proper password hygiene!
Password complexity is the first defense for staying safe. There are various reports on how fast passwords can be cracked, and the two things that matter most are length and the size of the character set, because together they determine how many guesses an attacker has to make. For example, according to commonly cited estimates, a mix of 7 upper- and lowercase letters may take as little as 30 seconds to break, whereas a mix of 12 numbers, upper- and lowercase letters, and symbols could take as long as 34,000 years for every combination to be tried. (Figures like these assume an offline brute-force attack at a particular guess rate, so they vary from source to source; a password that has already leaked, or that reuses a leaked one, falls instantly no matter how complex it is.) “Great!” one might think, “problem solved!”
Partially, one would be correct. Having a complex password is a very important part of proper password hygiene. But with all of these complex passwords, there are only so many sticky notes full of passwords that are reasonable to stick around the computer…
(Quick qualifier…that was meant to be tongue-in-cheek…keeping passwords posted around a workstation is not a good idea nor is it recommended.)
As such, it is important to use a password manager. At Certified CIO, we use PassPortal. We also have had good experience with Roboform. It is much easier for many folks to maintain control of one complex password than tens or hundreds. A password manager can generate a long, random, unique password for every site and will store those passwords for you, so you never have to remember or retype them. Keep in mind that a password manager is only as strong as the master password used to access it. (Ideally it is additionally protected by MFA…please keep reading.) If passwords were the only factor, these steps would be good password hygiene and we would be done. Unfortunately, there are other factors, and they are some of the bigger cracks in the armor.
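To make the two points above concrete (how the size of the search space grows with length and character set, and what a password manager’s generator actually does), here is a small added example. It is not code from the original post or from PassPortal or Roboform; it uses only Python’s standard library, and the guess rate used in the demo is an assumed round number, not a measured one.

```python
import math
import secrets
import string

# Character classes a typical generator draws from.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?/"


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Strength in bits: log2 of the keyspace."""
    return length * math.log2(charset_size)


def seconds_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time for an offline brute-force attacker to try every combination."""
    return keyspace(charset_size, length) / guesses_per_second


def generate_password(length: int = 16) -> str:
    """Random password using the CSPRNG in `secrets`, guaranteed to contain
    at least one character from each class (what a manager's generator does).
    """
    if length < 4:
        raise ValueError("need at least one character per class")
    alphabet = LOWER + UPPER + DIGITS + SYMBOLS
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c in LOWER for c in pw) and any(c in UPPER for c in pw)
                and any(c in DIGITS for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw


if __name__ == "__main__":
    # Assumed guess rate for illustration only (a GPU rig against a fast hash).
    rate = 1e10
    for name, size, length in [("7 mixed-case letters", 52, 7),
                               ("12 letters+digits+symbols", 95, 12),
                               ("16 from a manager", 26 + 26 + 10 + len(SYMBOLS), 16)]:
        print(f"{name}: {entropy_bits(size, length):.1f} bits, "
              f"{seconds_to_exhaust(size, length, rate) / 31_557_600:.3g} years at 1e10 guesses/s")
    print("generated:", generate_password())
```

The takeaway the numbers show is that each extra character multiplies the attacker’s work by the size of the character set, which is why a manager-generated 16-character password is out of reach of brute force while a 7-letter one is not.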
The human element is often a weaker link than the passwords themselves. What we mean by this is that a successful phishing attempt can render all of the previous steps useless, or at least less effective, because the end user is effectively handing over the login credentials; no amount of complexity helps once the password has been typed into an attacker’s page. These credentials may be used immediately for harm, but very often they join online databases of login credentials that are bought, sold, and traded in less-than-ethical places such as the Dark Web.
We offer our customers a Dark Web monitoring service, and we recommend this type of service in order to keep tabs on which credentials may already be public knowledge. Without it, one has no effective way to know what may or may not be available on the underbelly of the internet. However, even a service such as this is not a foolproof plan: it can only tell you about a credential after it has leaked, and it cannot stop that credential from being used in the meantime.
This, effectively, is where MFA comes in. MFA adds a second factor, something the user has, on top of the password, something the user knows. It generally works as an app on a mobile device: after the password is accepted, the user is prompted to enter a 6- or 8-digit code shown by the app. The code is not random; it is computed from a secret shared with the service at enrollment and the current time, so it changes every 30 seconds or so and a code captured today is useless tomorrow. A stolen password alone is no longer enough to log in. (The code can still be phished if a user types it into an attacker’s page while it is valid, so it should be treated like the password itself and only ever entered on a site you navigated to yourself.) Some of the most common Authenticators are from recognizable sources such as Google and Microsoft. Our recommended MFA product, Duo from Cisco, also has an included Authenticator.
Many decision-makers are coming to realize that MFA is a good option for their business. At times, this is spurred by requirements from compliance or other sources, such as cyber-insurance. If you feel as though MFA is a fit for your business or organization (Hint: it is!) GIVE US A CALL or CLICK THAT CONTACT US BUTTON!