NordPass, a password management company, analyzed a database of around 500 million passwords that were leaked in data breaches during 2019 and compiled a list of the ones most frequently used. Comparing that list to passwords from the preceding 10 years resulted in a worrisome conclusion: Americans are not taking passwords seriously. Every year, the top 10 or 20 passwords on the list of most commonly used passwords will show the following entries: 12345, test1, qwerty, abc123, password and admin.
Security experts can preach and preach about the importance of choosing strong passwords, but it seems to be having little effect. Maybe it’s because people have heard the subject discussed so many times that it starts to sound like the “Peanuts” cartoon when Charlie Brown’s teacher is talking, but all he hears is “Wah, wah, wah, wah, wah.”
Why should this matter to credit unions? There are a couple of reasons, one being that your staff uses passwords to access multiple systems to complete their duties during the day. Another is pertinent to your members, who create their own passwords to access online banking and mobile apps. And even if their passwords of choice aren’t on the “wall of shame,” as those listed above are, many people use the same one or two passwords for many applications. If that’s the case, it’s probably no longer secure. Plus, an analysis by KnowBe4, a security awareness firm, revealed 25% of employees use the same password for all their applications – both personal and business – leaving your network vulnerable.
The passwords listed above were exposed because of a data breach. Passwords can be obtained by other methods too, such as phishing emails, dark web purchases, dictionary attacks – in which hacker software tries every word in the dictionary – and “brute force” software, which guesses every combination of characters. The last method can crack an eight-character password in less than six hours.
Especially given the increasing rates of cybercrime, data breaches and hacking schemes in the past few years, not to mention the scams triggered by the coronavirus pandemic, password management really is important.
Filtering out all the “wah, wah, wah” of password advice, here are some tips to creating a strong password:
1. Use a passphrase. When selecting a password, avoid using your kids’ or pets’ names, as well as adjacent keyboard characters. Personal information, like anniversaries or birth dates, should not be used either, since that information is widely available, especially with social media. A passphrase is more complicated than a single word with some numbers thrown on at the end. You can even pull memorable phrases from parts of a song, a stanza of a poem or your favorite movie quote. Substituting special characters, numbers or capital letters in unusual positions helps. As an example, your passphrase might start out as “YouCannotPass.” But to make it more complex, it might become “[email protected]$$!”
2. Have different passwords for the workplace and personal life. Even if a password is really strong, it should never be used in the office if it’s also used for personal applications. If a staff member opens a malicious email on their home computer that gains access to password information, you really don’t want the credit union’s network to be vulnerable because of it.
3. Require longer passwords. As noted above, the length of a password relates to the security of a password, and it can even extend the life of a password. The more characters contained in a password, the longer it takes for hackers to successfully crack the code. So, a system that requires 12-character passwords may only require that it be reset after 90 days, instead of every 30 days for shorter passwords. More recently, though, existing security frameworks and very large companies are starting to adopt the policy of 20-plus character passwords that never expire. When it comes to determining the length and life requirements of your passwords, consider your preferences and policies, as well as those of your vendors.
4. Consider the difference between 2FA and MFA. There are three factors of authentication: Knowledge, possession and inherence. Knowledge is something only the user should know, such as a password. Possession is something only the user has, such as a cell phone that can receive a one-time code for authentication purposes. Finally, inherence is a characteristic or trait that is unique only to the user. These are generally biometric factors, such as fingerprints and retina scans. Based on these factors, MFA will require at least two different forms of authentication, but these forms may or may not be from the same category of authentication. For example, MFA could be a password (knowledge) and fingerprint (inherence), or it could be a password (knowledge) and a security question (knowledge). In comparison, 2FA will also require two factors of authentication, but these forms must be from different factors. As an example, 2FA would be a password (knowledge) and a one-time code (possession). Generally speaking, 2FA is considered more secure then MFA, as it adds additional complexity to the login process by forcing the use of different authentication factors. Determine which method would be best for protecting your credit union’s sensitive information and systems.
5. Use a password manager. One reason people commit the cardinal “sin” of using the same password across multiple systems is that it’s too hard to remember so many different passwords. And to add insult to injury, we’ve all been told not to write them down anywhere. A password manager is like a digital lockbox for your various passwords. There are lots of free online options available. Using one means you only have one password to remember, the one that unlocks the password manager.
6. Require the same password criteria for internal and member-facing systems. All the advice shared above applies to password security in the branch, as well as in your members’ lives. Longer, more complex passwords with specific expiration timeframes are needed for both internal and member-facing systems. In other words, if you require your staff to create passwords of 12 characters minimum, using a combination of upper and lowercase letters, numbers and special characters that expire after 90 days, the same standards should be in place for your members. While many credit unions don’t want to aggravate members with the added complexity, it’s a matter of security. At the end of the day, password requirements are in place to safeguard their financial information in the back office and on the front lines.
Hackers are hard at work developing new ways to steal information. Since the start of the pandemic, they have been preying on consumers’ heightened anxiety and the increased disruption in everyday life. New security procedures will be developed to protect against them, but strong passwords are the first and most basic step in a strong defense. Rather than being more “wah, wah, wah” noise about password dos and don’ts, these six simple steps can give your credit union and your members headway in the fight against cybercrime.
Mike Bechtel is an information security analyst for the $6.6 billion Vizo Financial Corporate Credit Union based in Greensboro, N.C.