You need a better password
by Loïc Calvez, Co-Founder + CEO, ALCiT
With some of the recent events in the news (CRA anyone?), it appears that a refresher on password best practices is in order. First, let’s state the obvious: passwords suck; they are an ill-adapted solution to a very complicated problem (asserting identity). The good news: better options exist and they are getting better every day.
Side note for businesses: no matter how good your password policy is, users will find a way (voluntarily or not) to create weak passwords. When we perform password audits, we can usually crack (decipher) 5-10% of passwords within hours. So yes, this applies to you too. (More reading about password strength and cracking can be found here.) So keep reading.
Some myth busting:
Myth #1: I use a super strong password, so I can use it everywhere: false. Password re-use is probably the biggest issue of all (or at least tied for #1 with very bad passwords such as 123456). What happens: some random website gets compromised (PWN3D for the cool kids out there), the attacker gets the list of logins and passwords and retries them against every other web property they want to attack. So, if you have the same password in two places, they now have access to two of your profiles, and so on.
Myth #2: You should never write down passwords: false. I am going to be a bit controversial here, but yes, in many cases, having a very strong password that is unique and that you write down in your little secret handbook is not that bad of a solution. To be clear, I am not suggesting that you write your password on a Post-it and stick it to the side of your screen in an open-plan office. Remember what you are protecting against: thousands (millions?) of attackers trying to get into your account from the comfort of their lair, so a handbook locked in your office drawer is pretty effective against that. Proposed upgrade A: use an encrypted spreadsheet; you only have to remember one password and the others are protected. Proposed upgrade B: use a password manager such as LastPass or Dashlane (caveat emptor, your mileage may vary) to generate and manage strong passwords on your behalf.
So what is the real solution?
The future is looking good: the “passwordless” world is becoming real and some good options are starting to emerge for limited applications. The best solution for today that works almost everywhere: “Multi-Factor Authentication”, which really means using multiple (at least two) ways to confirm you are YOU (more here). The two most common ones today are “password + authenticator app” and “password + text message”. Both combine “something you know” (the password) with “something you have” (a smartphone). This means that someone who only has your password cannot get in, and someone who only has your phone cannot get in either; they need both. If you have a choice, you should use an authenticator app (like Microsoft Authenticator or Google Authenticator) over text messages, but that’s a discussion for another day.
Next steps:
Step One: Activate Multi-Factor Authentication (MFA) on all your important accounts: bank, email, utilities… Then activate it everywhere else that holds some personal information about you: social media, loyalty programs… If any service you use contains important information about you and does not offer an MFA option, you should strongly consider deleting your profile and taking your patronage somewhere else.
Step Two: And of course, make all those passwords unique. They do not have to be completely different (ideally, they should be), but different enough that if one of your passwords is compromised, an attacker will not be able to use it to gain access to another one of your accounts (even though those accounts are now protected by MFA since you followed step one, it is still better to avoid the risk of someone holding one of your factors).
Thanks for your time and stay Cybersecure!
Learn more about ALCiT.