Passwords!

For *years* I've been saying we're doing passwords wrong when we require stupid rules. I guess if the Wall Street Journal is finally agreeing with me, I should count that as validation, right? More words after the video.


Stupid password rules have been one of my many pet peeves for a long time, especially when the identity I'm "protecting" with a password has zero value. To put it in one story: there was a site that would allow you to customize what order the stories show up in. You couldn't post, you couldn't save a credit card number and you couldn't send an email. I tried a made-up, nonsense word that was 10 characters long and was refused because it wasn't "complex" enough. I then tried "Password321!" and *that* was accepted. Password rules are silly!

I'm *not* a security expert and don't even play one on TV, but here are my thoughts on the whole idea.

  • We are ALL lazy critters at heart. If you are securing something that matters, have a crazy complex password that you use ONLY at that site. Visit https://www.grc.com/haystack.htm to test the complexity of your password and learn what makes a good password. If it is a site where security doesn't really matter, it is OK to be lazy and do the minimum.
  • Use Multi Factor Authentication when it really matters. I use Microsoft Authenticator and it works really well. Never approve a request that you didn't initiate and always make sure you are staring at the right site. You can even have more than one phone act as the MFA for the same account so you can have his-and-hers options on a shared account.
  • (Optional) Get a password manager and use it. I am a fan of BitWarden. It is free for most personal use cases, open source and well designed. Making this post leaves me thinking I need to put more of my passwords in a manager.
  • Don't use "Login with Facebook." Period. Full stop. Same for Twitter. Chick-fil-A reported earlier this month that 71,000 accounts had been "hacked", and I'm of the opinion that what happened was 71,000 people lost control of their Facebook accounts, which were then used to log in to Chick-fil-A. Just don't use the button, eh?
  • Don't click on links in emails. Even when they come from people you know. If you are expecting the email and feeling lazy (or the URL is long?) you can click it but take a second and *read* the whole thing to make sure it is what you think it is.


If you are responsible for the security of your organization here are a few additional thoughts:

  • Require MFA for every account *other* than your Break-Glass account. Turn off simple MFA.
  • Go Passwordless. Note that you will still need passwords unless you also roll out hardware tokens, but in most cases your users will log in from their MFA application, which is much better.
  • Prioritize length over stupid complexity rules. Tell your users you'll let them keep the same password forever if they'll pick one with at least 16 characters.
  • Turn on Windows Hello for your users. It is safer and easier. That's a win-win, right?
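The two policies described above, as an added example that is not code from the original post: a "classic" complexity check (8+ characters with upper, lower, digit and symbol) accepts "Password321!" and rejects a 10-character nonsense word, while a length-first check (16+ characters, any characters) rejects a dictionary word dressed up with digits and a symbol. The `COMMON_PATTERNS` deny-list, the `min_len` threshold, the sample passwords and the `brute_force_bits` estimate are all constructed assumptions for illustration; the bit estimate only models exhaustive search over the character classes used, not resistance to a dictionary attack.

```python
"""Password policy comparison: classic complexity rules vs. a length-first rule.

Added example, not code from the original post. The policies, thresholds and
the sample passwords below are constructed for illustration.
"""
import math
import re
import string

# Constructed: a tiny deny-list standing in for a real breached-password corpus.
COMMON_PATTERNS = {"password", "letmein", "welcome", "qwerty", "123456"}


def classic_complexity_policy(pw: str) -> bool:
    """The 'stupid rules': 8+ chars plus at least one upper, lower, digit and symbol."""
    return (
        len(pw) >= 8
        and any(c.isupper() for c in pw)
        and any(c.islower() for c in pw)
        and any(c.isdigit() for c in pw)
        and any(c in string.punctuation for c in pw)
    )


def _normalised_core(pw: str) -> str:
    """Strip leading/trailing digits and symbols so 'Password321!' becomes 'password'."""
    return re.sub(r"^[\W\d_]+|[\W\d_]+$", "", pw).lower()


def length_first_policy(pw: str, min_len: int = 16) -> bool:
    """Length over complexity: min_len+ chars of anything, but not a dressed-up common word."""
    if len(pw) < min_len:
        return False
    return _normalised_core(pw) not in COMMON_PATTERNS


def brute_force_bits(pw: str) -> float:
    """Rough exhaustive-search estimate: length * log2(size of the character classes used).

    Assumption: this is a brute-force-only figure. A passphrase built from
    dictionary words is weaker against a dictionary attack than this suggests.
    """
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 ASCII symbols
    if " " in pw:
        size += 1
    return len(pw) * math.log2(size) if size else 0.0


def evaluate(pw: str) -> dict:
    """Run both policies on one candidate and attach the search-space estimate."""
    return {
        "classic": classic_complexity_policy(pw),
        "length_first": length_first_policy(pw),
        "bits": round(brute_force_bits(pw), 1),
    }


# Constructed samples mirroring the post's story.
SAMPLES = [
    "Password321!",                  # passes the complexity rules, is a dressed-up word
    "flibbertig",                    # 10-char nonsense word: rejected by the complexity rules
    "Password1234567!",              # 16 chars, still 'password' underneath
    "correct horse battery staple",  # 28-char passphrase, no upper/digit/symbol at all
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:32} {evaluate(sample)}")
```

Running the block prints one line per sample; the interesting rows are the first (accepted by the complexity rules, rejected by the length-first rule) and the last (the reverse).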


I want to be as clear as I can be: there is no silver bullet that will make you and your organization secure. The bad actors of the world are wicked clever and their efforts to take what is yours are relentless. As we learned when the details of the LastPass hack finally came out, bad actors will find the smallest exploit to get into your systems. In that case, the bad guys exploited a known flaw in a Plex Media Server in an engineer's home to put a key logger on his laptop. When he later used that laptop to log in to secure systems at LastPass, the bad guys had stolen the keys to the kingdom. LastPass had done all of the right things in their enterprise network; the bad guys found an entry point in the home of one of the four engineers who had access to all the goodies. The point of the story is not to keep us all up at night but rather to point out how vigilant we all need to be. The odds are good that none of us are a "high value target" with credentials to the LastPass master password vault, but we still need to have our eyes open at all times, and that is especially true when it comes to protecting our identities.

Good luck out there!

More articles by Kevin Zollinger