You need a better password
by Loïc Calvez, Co-Founder + CEO, ALCiT
With some of the recent events in the news (CRA anyone?), it appears that a refresher on password best practices is in order. First, let’s state the obvious: passwords suck; they are an ill-adapted solution to a very complicated problem (asserting identity). The good news: better options exist and they are getting better every day.
Side note for businesses: no matter how good your password policy is, users will find a way (voluntarily or not) to create weak passwords. When we perform password audits, we can usually crack (recover from the stored hashes) 5-10% of passwords within hours. So yes, this applies to you too. (More reading about password strength and cracking can be found here.) So keep reading.
Some myth busting:
Myth #1: I use a super strong password, so I can use it everywhere: false. Password re-use is probably the biggest issue of all (or at least tied for #1 with very bad passwords such as 123456). What happens: some random website gets compromised (PWN3D for the cool kids out there), the attacker gets the list of logins and passwords and retries them against every other web property they want to attack (the industry calls this credential stuffing, and it is fully automated). So if you have the same password in two places, they now have access to two of your accounts, and so on. Note that the strength of the password does not matter here: the attacker is not guessing it, they already have it.
Myth #2: You should never write down passwords: false. I am going to be a bit controversial here, but yes, in many cases, a very strong, unique password that you write down in your little secret handbook is not that bad of a solution. To be clear, I am not suggesting writing your password on a post-it and sticking it to the side of your screen in an open-plan office. Remember what you are protecting against: thousands (millions?) of attackers trying to get into your account from the comfort of their lair, and a handbook locked in your office drawer is pretty effective against that. Proposed upgrade A: use an encrypted spreadsheet; you only have to remember one password (make it a strong one, since it now protects all the others) and the rest are protected. Proposed upgrade B: use a password manager such as LastPass or Dashlane (caveat emptor, your mileage may vary) to generate and manage strong, unique passwords on your behalf.
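As an added illustration of both the audit numbers above and the password re-use problem (example code written for this page, not ALCiT’s audit tooling), here is a small Python script that does what an attacker, or an auditor, does: it runs a wordlist with the usual mangling rules against a stolen hash dump from one site, then replays whatever it recovered against a second site that was never breached. All users, passwords, the wordlist, and the two sites’ hashing choices (unsalted SHA-256 for the breached site, salted PBKDF2 for the other) are constructed assumptions for the demo.

```python
"""Constructed demo of a password audit followed by credential stuffing.

Site A is the breached service; the attacker only sees its hash dump. Site B is a
different service that stores passwords properly and is never breached itself.
All users, passwords and the wordlist are made up for this example."""
import hashlib
import hmac
import os
import re

# Site A stored unsalted SHA-256 (an assumption for the demo; weak, but still seen
# in the wild). Unsalted means one hash computation per guess tests every user at once.
def site_a_hash(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()

SITE_A_DUMP = {user: site_a_hash(pw) for user, pw in {
    "alice": "Summer2020!",
    "bob":   "hockey123",
    "carol": "xK9#vQ2m!pLw7Rz",   # random and unique: survives the audit
    "dave":  "P@ssw0rd1",
    "erin":  "Welcome2023!",
    "frank": "letmein",
}.items()}

# A tiny wordlist and the hashcat-style mangling rules cracking tools apply to it.
WORDLIST = ["password", "123456", "summer", "welcome", "letmein", "qwerty", "hockey", "toronto"]
SUFFIXES = ["", "1", "123", "!", "1!", "2020", "2020!", "2021!", "2022!", "2023!", "2024!"]
LEET = str.maketrans("aeio", "@310")

def candidates():
    """Yield each word with case, leet and suffix rules applied."""
    for word in WORDLIST:
        for cased in (word, word.capitalize(), word.upper()):
            for base in (cased, cased.translate(LEET)):
                for suffix in SUFFIXES:
                    yield base + suffix

def crack(dump: dict) -> dict:
    """The audit: dictionary attack on the dump, returning {user: recovered password}."""
    by_hash = {h: user for user, h in dump.items()}
    found = {}
    for cand in candidates():
        user = by_hash.get(site_a_hash(cand))
        if user is not None and user not in found:
            found[user] = cand
    return found

# Site B uses salted PBKDF2-HMAC-SHA256 (iteration count kept low so the demo runs fast).
ITERATIONS = 10_000

def site_b_hash(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)

def make_store(plaintexts: dict) -> dict:
    store = {}
    for user, pw in plaintexts.items():
        salt = os.urandom(16)
        store[user] = (salt, site_b_hash(pw, salt))
    return store

SITE_B_STORE = make_store({
    "alice": "Summer2020!",                  # reused as-is
    "bob":   "hockey124",                    # "changed" by bumping the number
    "carol": "7fB!qL2#zNc9wXp",              # unique
    "dave":  "P@ssw0rd1",                    # reused as-is
    "erin":  "Welcome2024!",                 # same password, next year
    "frank": "correct horse battery staple", # unique and unrelated
})

def site_b_login(store: dict, user: str, pw: str) -> bool:
    if user not in store:
        return False
    salt, expected = store[user]
    return hmac.compare_digest(site_b_hash(pw, salt), expected)

def tweaks(pw: str) -> list:
    """The first variants tried when a replayed password is rejected."""
    out = [pw, pw + "1", pw + "!"]
    m = re.search(r"20\d\d", pw)            # Welcome2023! -> Welcome2024!
    if m:
        out.append(pw[:m.start()] + str(int(m.group()) + 1) + pw[m.end():])
    m = re.search(r"\d+$", pw)              # hockey123 -> hockey124
    if m:
        out.append(pw[:m.start()] + str(int(m.group()) + 1))
    return out

def stuff(cracked: dict, store: dict) -> dict:
    """Credential stuffing: replay recovered passwords against a site that was never breached."""
    hits = {}
    for user, pw in cracked.items():
        for variant in tweaks(pw):
            if site_b_login(store, user, variant):
                hits[user] = variant
                break
    return hits

if __name__ == "__main__":
    cracked = crack(SITE_A_DUMP)
    print(f"audit: {len(cracked)}/{len(SITE_A_DUMP)} site A passwords recovered: {cracked}")
    hits = stuff(cracked, SITE_B_STORE)
    print(f"stuffing: {len(hits)}/{len(SITE_B_STORE)} site B accounts opened: {hits}")
```

Run it and five of the six breached-site passwords fall to a few hundred guesses; the one that survives is the random, unique one. Then four of the six accounts on the second site open without anyone touching its database: two because the password was reused as-is, two because a bumped digit or year is the first thing a stuffing tool tries. The two users with genuinely unrelated passwords are untouched, even though one of them was cracked on the first site.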
So what is the real solution?
The future is looking good: the “passwordless” world is becoming real and some good options are starting to emerge for limited applications. The best solution for today that works almost everywhere: “Multi-Factor Authentication”, which really means using multiple (at least two) ways to confirm you are YOU (more here). The two most common ones today are “password + authenticator app” and “password + text message”. Both combine “something you know” (the password) with “something you have” (a smartphone). This means that if someone only has your password they cannot get in, and if they only have your phone they cannot get in; they need both. If you have a choice, use the authenticator app (like Microsoft Authenticator or Google Authenticator) rather than text messages: a text message can be redirected to an attacker’s phone (SIM swapping) or intercepted in transit, whereas the secret the authenticator app uses never leaves your device. But that’s a discussion for another day.
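To show what “password + authenticator app” actually checks, here is an added Python example (not from the original post, and not any vendor’s app or server code) of the server side: enrolment creates the shared secret the app scans, and login verifies both factors. It implements TOTP as specified in RFC 6238 (HMAC-SHA1, 30-second steps, 6 digits), which is what Google Authenticator and Microsoft Authenticator generate by default; the user record, the password and the fixed test secret are constructed for the demo.

```python
"""Added example of the 'password + authenticator app' login described above.
The app implements TOTP (RFC 6238): a secret shared at enrolment plus the clock
give a 6-digit code. The user record and password are constructed for the demo."""
import base64
import hashlib
import hmac
import os
import secrets
import struct

STEP = 30      # seconds per code, the RFC default used by the common apps
WINDOW = 1     # accept one step either side to absorb phone/server clock drift

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the counter, dynamic truncation, last `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: int) -> str:
    """What the authenticator app displays at Unix time `now`."""
    return hotp(secret, now // STEP)

def enroll(password: str, secret: bytes = None) -> dict:
    """Server side of setup: hash the password, generate the shared secret the app will scan."""
    secret = secret or secrets.token_bytes(20)
    salt = os.urandom(16)
    return {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000),
        "totp_secret": secret,
        # The QR code carries this base32 form inside an otpauth://totp/... URI.
        "provisioning_key": base64.b32encode(secret).decode(),
        "last_counter": -1,   # highest step already used; blocks replay of a seen code
    }

def login(record: dict, password: str, code: str, now: int) -> bool:
    """Both factors are checked every time: a stolen password alone, or a stolen code alone, fails."""
    pw_ok = hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], 10_000),
        record["pw_hash"])
    matched = None
    for k in range(-WINDOW, WINDOW + 1):
        counter = now // STEP + k
        if counter <= record["last_counter"]:
            continue   # this code (or an older one) has already been accepted once
        if hmac.compare_digest(hotp(record["totp_secret"], counter), code):
            matched = counter
    if pw_ok and matched is not None:
        record["last_counter"] = matched   # only advance on a fully successful login
        return True
    return False

if __name__ == "__main__":
    # Constructed user; the secret is the RFC 6238 test key so the codes are reproducible.
    user = enroll("Summer2020!", b"12345678901234567890")
    print("key the app scans:", user["provisioning_key"])
    now = 1111111109                       # RFC 6238 test time; the app shows 081804
    print("password only:     ", login(user, "Summer2020!", "000000", now))
    print("code only:         ", login(user, "wrong-password", totp(user["totp_secret"], now), now))
    print("both factors:      ", login(user, "Summer2020!", totp(user["totp_secret"], now), now))
    print("same code replayed:", login(user, "Summer2020!", totp(user["totp_secret"], now), now + 5))
```

Two details matter beyond the basic check: the one-step window tolerates clock drift between the phone and the server, and recording the last accepted step stops a code that was phished or shoulder-surfed from being replayed, even inside the 30 seconds it is still valid. Note what this does and does not give you: a stolen password alone fails and a stolen code alone fails, but an attacker who tricks you into typing both into a fake site in real time still gets in, so MFA reduces the blast radius of a leaked password rather than making phishing irrelevant.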
Next steps:
Step One: activate Multi-Factor Authentication (MFA) on all your important accounts: bank, email, utilities… Your email account deserves special attention, since the password resets for everything else land there. Then activate it everywhere else you have some personal information about you: social media, loyalty programs… If any service you use contains important information about you and does not have an MFA option, you should strongly consider deleting your profile and taking your patronage somewhere else.
Step Two: and of course, make all those passwords unique. Ideally they should be completely different; at a minimum, they must be different enough that if one of your passwords is compromised, it cannot be used to gain access to another one of your accounts. “Different enough” does not mean changing a digit or the year at the end (Summer2020! to Summer2021!): attackers try those variations automatically. Those accounts will now be protected by MFA since you followed step one, but it is still better to avoid the risk of someone having one of your factors.
Thanks for your time and stay Cybersecure!
Learn more about ALCiT.