Businesses continue to invest in rigorous cybersecurity protections, and their customers take comfort in knowing that their service providers have these safeguards in place to limit the risk of unauthorized access. But those safeguards matter little once an attacker logs in with valid credentials: to the service, a stolen username and password look exactly like the legitimate user. Every user therefore needs to appreciate the exposure created by weaknesses in their own password habits. A service platform can enforce stricter password rules on its users, but many of those rules reduce convenience and usability. This article focuses on what you, as the password "owner", can do to reduce the risk of a breach.
The first step is recognizing the risk that an attacker, using cheap and widely available automated tooling, will try to discover your password, whether by automated guessing (brute-force and dictionary attacks against a login form or against a stolen password database) or by watching your actual login (keyloggers, phishing pages, someone reading over your shoulder), and will then try the working username/password combination across a multitude of other websites. That last step, commonly called credential stuffing, is trivial to automate, which is why a password reused across services is only as safe as the least secure of those services.
With this risk in mind, your personal password practice should follow these recommendations:
- Pick a strong password. Balance the strength of the password against the sensitivity of the information held on the service platform. Length matters most: prefer a long password, and mix numbers, upper- and lower-case letters, and special characters rather than relying on a single dictionary word dressed up with predictable substitutions ("P@ssw0rd1!" sits at the top of every cracking wordlist). A passphrase of several unrelated, randomly chosen words is also strong, precisely because it is long.
- Change the password periodically, letting the sensitivity of the information set the frequency, and change it immediately if you have any reason to think it was exposed (a breach notice from the service, a phishing attempt you may have fallen for, or use on an untrusted device). Note that current guidance such as NIST SP 800-63B no longer recommends forced rotation on a fixed schedule for strong, unique passwords, because it tends to produce predictable variants of the old one; the changes that matter most are the ones prompted by a suspected compromise.
- Enter the password only on trusted devices. Only trust devices that are kept up to date and run reputable anti-malware software. Keyloggers can record the websites you visit and the login information you type. Part of keeping a device "trusted" is not falling victim to phishing and being cautious about opening questionable attachments, even from senders you know. If you must enter login information on a device you don't fully trust, change that password promptly once you are back on a trusted device.
- Use caution on public Wi-Fi networks. Only access service platforms over HTTPS (check for the padlock, and never click through a certificate warning, which on a hostile network can mean someone is intercepting the connection), and make sure you use a strong password. If you do not make regular password changes, change your password promptly after using a public Wi-Fi network.
- Don't use the same password for every service platform. Yes, this adds complexity and reduces convenience. Balance that inconvenience against the sensitivity of the information on each platform. Consider using a password manager, such as LastPass, protected by a strong master password, so that every site can have its own long random password that you never have to remember.
- Don't share your password with anyone. Even if you trust them not to misuse it, do you trust them to follow the other guidelines outlined here? Will their reliance on the password make you reluctant to follow these guidelines yourself, for example less inclined to change a "shared" password?
- Use caution when saving passwords on devices. A password remembered by the browser on a shared or unlocked device is available to whoever sits down next. Avoid having your most sensitive passwords stored by the device itself.
- Try not to write your password down. If you feel compelled to write it on a Post-it note attached to your monitor, at least assess whether the monitor is in a highly secure location with tightly controlled access, and act accordingly.
When you start using a new service platform, think through these recommendations before deciding on your approach to the password for that service platform.
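The "pick a strong password" and "don't reuse passwords" recommendations above are easier to act on with a concrete feel for what strength means. The script below is an added example for this article, not code from the original author; it uses only the Python standard library. It generates a random password from the OS's cryptographic random source, computes the entropy that a uniformly random password actually has, translates that into guessing time at assumed attacker rates, and runs a few simple checks that catch the "dictionary word plus decoration" pattern. The common-word list, the substitution map, the 12-character threshold and the guess rates are all assumptions constructed for illustration; a real cracking wordlist has millions of entries.

```python
"""Password strength estimate and generator.

Added example for this article, not code from the original author. Uses only
the Python standard library. The guess rates, the tiny common-word list and
the substitution map are constructed for illustration.
"""
import math
import secrets
import string

# 94 printable ASCII symbols: the character classes the article recommends mixing.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed, tiny stand-in for the millions of entries in a real cracking wordlist.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "monkey", "dragon"}

# Leetspeak substitutions that cracking tools undo automatically (assumed, partial list).
_LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "4": "a", "!": "i"})


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of `length` symbols from `alphabet_size`.

    Only valid for randomly generated passwords; a human-chosen password of the
    same length and alphabet is far weaker because it is predictable.
    """
    return length * math.log2(alphabet_size)


def guess_time_years(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit a random password: half the keyspace at the given rate."""
    return (2.0 ** bits / 2) / guesses_per_second / (365 * 24 * 3600)


def generate_password(length: int = 16) -> str:
    """Random password from the OS CSPRNG (secrets, never random), ~6.55 bits per char."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def assess(password: str) -> list[str]:
    """Return the weaknesses the simple checks find; an empty list means none fired."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")

    # Undo the usual decorations: "P@ssw0rd2024!" -> "p@ssw0rd" -> "password".
    core = password.strip(string.digits + string.punctuation).lower().translate(_LEET)
    if core in COMMON_WORDS:
        problems.append("built from a common word")

    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    used = sum(1 for cls in classes if any(ch in cls for ch in password))
    if used < 3:
        problems.append("uses fewer than three character classes")
    return problems


if __name__ == "__main__":
    for pw in ["Password1!", "P@ssw0rd2024!", "abcdefghijklmnop", generate_password(16)]:
        print(f"{pw!r}: {assess(pw) or 'no obvious weakness'}")
    # Assumed rates: 1e4/s online against a rate-limited login form,
    # 1e10/s offline against leaked fast hashes on a GPU rig.
    for length in (8, 12, 16):
        bits = entropy_bits(length, len(ALPHABET))
        print(f"{length} random chars: {bits:.1f} bits, "
              f"online ~{guess_time_years(bits, 1e4):.2g} years, "
              f"offline ~{guess_time_years(bits, 1e10):.2g} years")
```

Two design points are worth noting. The entropy formula is honest only for passwords the script itself generated; feeding it a human-chosen password of the same length overstates its strength, which is why `assess` uses pattern checks instead of a bit count for those. And the generator draws from `secrets`, not `random`: the latter is seeded predictably and is not suitable for anything an attacker might try to guess.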