Securing your Personal Data: Password Security for People Like You and Me
Belkis Herrera, MBA, CISA, CISSP
Strategic Operational Risk, Audit & Information Security Consultant | Champion Governance & Standards | Transform Insights into Action | Boost Organizational Effectiveness
Passwords are memorized secrets (passcodes, PINs, codes, tokens) that let a user gain access to a system. Password management is one of the most challenging areas of access control, and it is estimated that companies lose more than USD 400 per employee annually in productivity because of password issues [1].
Although considered a technical control, passwords depend heavily on user behavior. A password must be created, remembered, designed with a specific complexity and length, and, under many corporate policies, changed every 60 or 90 days. Most of the time all these tasks are delegated to the user. Biometrics, Single Sign-On (SSO), and Privileged Access Management (PAM) solutions are streamlining the user experience at the corporate level; individually, however, each of us must deal with a copious number of passwords to create, remember, and change. Browsers such as Chrome and Safari assist by graciously saving our passwords, sparing us time and frustration, but this is not the safest way to store them. Likewise, password managers (e.g. Bitwarden, 1Password, Dashlane) are a great invention, provided one takes the time to set them up properly and is committed to using them as intended.
The reality is that not many people have the time and dedication to research the best way to secure the 102 passwords needed to stay connected in the digital economy. What to do? These are my two cents on the matter of password security:
1. Assess the value of the information you store on or reach from your device, and rank each application by sensitivity and risk. For me, the high-risk group would be online banking, tax and health information, and platforms that store my credit cards (Amazon).
2. Design a password with the following characteristics for applications and systems requiring high security:
A passphrase (not a personal name or a common name), longer than 16 characters, with upper case, lower case, numbers and special characters. Think about something you love or want to do and get inspired!
3. Choose a strong password for accessing your computer. See previous item.
4. When possible set up biometric access to your computer and phone.
5. Do not store sensitive passwords in the browser by default. Browsers are not built primarily as password stores; keeping the passwords they hold safe depends on several other controls being in place, such as a locked operating-system account, disk encryption, and an up-to-date browser.
6. Set up multi-factor authentication for those applications that would cause you the greatest loss or harm if compromised by an attacker. Prefer a device-bound factor, such as a hardware token or an authenticator-app code, over a push notification, which can be approved by mistake.
7. Invest in a password manager, weighing the risk, the cost (time and money) and the benefits. The investment can be as low as $40 per year.
8. Apply the required updates to the applications and systems on your computer and other personal devices promptly.
9. Periodically review the passwords stored in your browsers (if any) and take the necessary actions.
10. Set up alerts by email, text, or phone to notify you of password changes and logins for the applications and systems you ranked as most sensitive.
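To make items 2 and 3 concrete, here is an added example (my own illustration, not code from the author) that generates a passphrase with a cryptographically secure random source, checks it against the characteristics listed above, rejects passphrases containing a personal term the user supplies, and estimates the entropy an attacker who knows the generation method would face. The word list is a small constructed one so the script runs offline; the "Word!Word!Word!Word42" layout, the separator set and the two-digit suffix are this example's own choices, not anything the article prescribes.

```python
"""Passphrase helpers: an added example for the advice above, not the author's code."""
import math
import secrets
import string

# Constructed, deliberately small word list so the example is self-contained.
# A real generator should use a large published list (the EFF long list has 7,776
# words); entropy scales with list size, so a 32-word list is only for illustration.
WORDS = [
    "anchor", "basil", "canyon", "dune", "ember", "falcon", "glacier", "harbor",
    "ivory", "jungle", "kettle", "lantern", "meadow", "nectar", "orbit", "pebble",
    "quartz", "river", "saddle", "timber", "umbrella", "velvet", "walnut", "yonder",
    "zephyr", "cobalt", "maple", "summit", "thistle", "violet", "willow", "cedar",
]
SEPARATORS = "!@#$%&*-_+=?"   # assumed set of special characters placed between words
MIN_LENGTH = 17               # the article asks for "longer than 16 characters"


def policy_report(candidate: str) -> dict:
    """Check each characteristic the article lists for a high-security passphrase."""
    return {
        "length": len(candidate) >= MIN_LENGTH,
        "upper": any(c.isupper() for c in candidate),
        "lower": any(c.islower() for c in candidate),
        "digit": any(c.isdigit() for c in candidate),
        "special": any(c in string.punctuation for c in candidate),
    }


def contains_personal_term(candidate: str, personal_terms) -> bool:
    """True if a name, pet, street, birth year, etc. appears in the passphrase (case-insensitive)."""
    lowered = candidate.lower()
    return any(term.lower() in lowered for term in personal_terms if term)


def is_acceptable(candidate: str, personal_terms=()) -> bool:
    """All characteristics present and no personal term embedded."""
    return (all(policy_report(candidate).values())
            and not contains_personal_term(candidate, personal_terms))


def entropy_bits(num_words: int, wordlist_size: int = len(WORDS),
                 num_separators: int = len(SEPARATORS), digit_suffix_len: int = 2) -> float:
    """Entropy of generate_passphrase() output, assuming the attacker knows the method.

    Each word contributes log2(wordlist_size); the single separator choice contributes
    log2(num_separators); the digit suffix contributes digit_suffix_len * log2(10).
    Capitalising every word is a fixed rule, so it adds nothing.
    """
    return (num_words * math.log2(wordlist_size)
            + math.log2(num_separators)
            + digit_suffix_len * math.log2(10))


def generate_passphrase(num_words: int = 4, digit_suffix_len: int = 2) -> str:
    """Build a Word!Word!Word!Word42-style passphrase using the secrets module (a CSPRNG)."""
    words = [secrets.choice(WORDS).capitalize() for _ in range(num_words)]
    sep = secrets.choice(SEPARATORS)
    digits = "".join(secrets.choice(string.digits) for _ in range(digit_suffix_len))
    return sep.join(words) + digits


if __name__ == "__main__":
    pw = generate_passphrase()
    print(pw)
    print(policy_report(pw), "acceptable:", is_acceptable(pw, ["Belkis"]))
    print(f"about {entropy_bits(4):.1f} bits against an attacker who knows the word list")
```

The entropy figure is the point of the exercise: with this 32-word list, four words give only about 30 bits even though the result looks long and mixed, whereas the same structure over a 7,776-word list gives roughly 62 bits. Length and character classes are necessary, but the real strength comes from how many possibilities the attacker has to try.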
Security is a process. Be creative and explore any other measure that could give you more peace of mind while freeing your time from the constant demands of a highly connected world.
© 2024 Belkis Herrera, MBA, CIA, CISA, CISSP
[1] Delinea. Embracing a Passwordless Tomorrow: Unveiling the Future of Passwords. ISC2 Webinar, March 2024.
Civil, Hydraulic, Hydrologist and groundwater Engineer Specialist at Ministry of water resources
11 months ago: That is a great job