
You need a better password

by Loïc Calvez, Co-Founder + CEO, ALCiT

With some of the recent events in the news (CRA anyone?), it appears that a refresher on password best practices is in order. First, let’s state the obvious: passwords suck; they are an ill-adapted solution to a very complicated problem (asserting identity). The good news: better options exist and they are getting better every day.

Side note for businesses: no matter how good your password policy is, users will find a way (voluntarily or not) to create weak passwords. When we perform password audits, we usually can crack (decipher) 5-10% of passwords within hours. So yes, this applies to you too. (More reading about password strength and cracking can be found here). So keep reading.

Some myth busting:

Myth #1: I use a super strong password, so I can use it everywhere: false. Password re-use is probably the biggest issue of all (or at least tied #1 with very bad passwords such as 123456). What happens: some random website gets compromised (PWN3D for the cool kids out there), the attacker gets the list of logins and passwords and retries them against every other web property they want to attack. So, if you have the same password in two places, they now have access to two of your profiles and so on.

Myth #2: You should never write down passwords: false. I am going to be a bit controversial here, but yes, in many cases, having a very strong password that is unique and that you write down in your little secret handbook is not that bad of a solution. To be clear, I am not suggesting that you write your password on a Post-it and glue it to the side of your screen in an open-plan office. Remember what you are protecting from: thousands (millions?) of attackers trying to get into your account from the comfort of their lair, so a handbook locked in your office drawer is pretty efficient against that. Proposed upgrade A: use an encrypted spreadsheet, so you only have to remember one password and the others are protected. Proposed upgrade B: use a password manager such as LastPass or Dashlane (caveat emptor, your mileage may vary) to generate and manage strong passwords on your behalf.

So what is the real solution?

The future is looking good: the “passwordless” world is becoming real and some good options are starting to emerge for limited applications. The best solution for today that works mostly everywhere is “Multi Factor Authentication”, which really means using multiple (at least two) ways to confirm you are YOU (more here). The two most common ones today are “password + authenticator app” and “password + text message”. Both of these combine “something you know” (the password) with “something you have” (a smartphone). This means that if someone only has your password they cannot get in, and if they only have your phone they cannot get in either; they need both. If you have a choice, you should use the authenticator app (like Microsoft Authenticator or Google Authenticator) over text messages, but that’s a discussion for another day.

Next steps:

Step One: Activate Multi Factor Authentication (MFA) on all your important accounts: bank, email, utilities… Then activate it everywhere else you have some personal information about you: social media, loyalty programs… If any service you use contains important information about you and does not have an MFA option, you should strongly consider deleting your profile and taking your patronage somewhere else.

Step Two: And of course, make all those passwords unique. They do not have to be completely different (ideally, they should be), but different enough that if one of your passwords is compromised, they will not be able to use it to gain access to another one of your accounts (although they will now be protected by MFA since you followed step one, it is still better to avoid the risk of someone having one of your factors).

Thanks for your time and stay Cybersecure!

Learn more about ALCiT.

© 2023 Prohibition Holdings Ltd. All Rights Reserved.
