With October being National Cybersecurity Awareness Month, is now a good time for your periodic change of online passwords?
Cybersecurity expert Andy Green doesn’t think so. To him, the key to keeping your passwords secure isn’t how often you change them, but how effectively you manage them.
“We have enough studies out there showing that forcing mandatory password resets every 60 or 90 days is actually counterproductive,” said Green, a lecturer of information security and assurance in Kennesaw State’s Coles College of Business.
“The real problem here for most folks is their reuse of the same password across multiple sites.” – Andy Green, lecturer of information security and assurance at Kennesaw State University
One option is to follow the National Institute of Standards and Technology’s recommendation to create “memorized secrets” – long passphrases that are easy for people to remember. For example, Green – a proud University of Alabama alumnus – could use the passphrase MyBelovedRollTide as one of his logins.
He then could put different spins on that phrase for different website logins, such as adding an exclamation point at the end or replacing the letter “o” with a zero. However, Green contends, that doesn’t address the fundamental issue that “humans don’t want to remember 16 random characters for different websites.”
Green offers what he considers a better solution: utilizing a password manager, a software application that stores your login information for all the websites you use and helps you log into them automatically. The system encrypts your password database with a master password, which becomes the only one you have to remember.
The master password itself must be unique and strong, Green said. To illustrate, two visits we made to a password manager generated the master passwords 5G#lAuxyGdCp and kQMe%#gsJm7O.
“So now, I can just remember one really strong password to protect access to my password manager, and the password manager manages the rest,” Green said. “That’s the keeper of all my secrets.”
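The three ideas in the passage above, a random per-site password, a single master password stretched into a vault key, and a check for the cross-site reuse Green warns about, can be shown in a few lines of code. This is an added illustration, not code from the article or from any of the password managers it names; it assumes only the Python standard library, the PBKDF2 parameters and character set are assumptions chosen for the example, and the sample vault is constructed.

```python
import hashlib
import hmac
import secrets
import string

# Assumed parameters for this illustration (not taken from any real product).
PBKDF2_ITERATIONS = 600_000          # work factor for stretching the master password
SALT_BYTES = 16                      # random per-vault salt
SYMBOLS = "!#$%&*+-=?@^_"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def generate_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Draw a per-site password from the OS CSPRNG (secrets), requiring at least
    one lower-case letter, upper-case letter, digit and symbol, which is the
    shape of generated passwords such as 5G#lAuxyGdCp."""
    if length < 4:
        raise ValueError("length must be at least 4 to satisfy all classes")
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw


def derive_vault_key(master_password: str, salt: bytes,
                     iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Stretch the single memorised master password into a 32-byte key with
    PBKDF2-HMAC-SHA256; a vault would use this key to encrypt its database."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def new_vault_verifier(master_password: str) -> tuple[bytes, bytes]:
    """Create a fresh salt and the derived key to store alongside the vault,
    so a later unlock attempt can be checked without keeping the password."""
    salt = secrets.token_bytes(SALT_BYTES)
    return salt, derive_vault_key(master_password, salt)


def check_master_password(candidate: str, salt: bytes, stored_key: bytes) -> bool:
    """Constant-time comparison of the re-derived key against the stored one."""
    return hmac.compare_digest(derive_vault_key(candidate, salt), stored_key)


def find_reuse(vault: dict[str, str]) -> dict[str, list[str]]:
    """Return {password: [sites]} for every password used on more than one site,
    i.e. the reuse problem the article describes."""
    by_password: dict[str, list[str]] = {}
    for site, password in vault.items():
        by_password.setdefault(password, []).append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


# Constructed sample vault: two sites share a password, one is unique.
SAMPLE_VAULT = {
    "bank.example":  "MyBelovedRollTide!",
    "email.example": "MyBelovedRollTide!",
    "shop.example":  "kQMe%#gsJm7O",
}

if __name__ == "__main__":
    salt, stored = new_vault_verifier("5G#lAuxyGdCp")
    print("unlock ok:", check_master_password("5G#lAuxyGdCp", salt, stored))
    print("unlock with wrong password:", check_master_password("wrong", salt, stored))
    print("reused passwords:", find_reuse(SAMPLE_VAULT))
    print("replacement for bank.example:", generate_password())
```

Running the script unlocks the vault with the right master password, rejects a wrong one, reports the two sites sharing a password, and prints a fresh random replacement; the only secret the user still has to remember is the master password fed to `derive_vault_key`.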
Some of the more popular password managers include 1Password, LastPass, Dashlane, oneSafe and Password Boss. A number of password managers are free of charge, while others have a one-time or monthly fee.
Along with recommending the use of password managers for people’s personal devices, Green considers them even more beneficial for companies and other organizations in protecting their computer networks from cyberattacks.
“I don’t understand why an organization that thinks it is a target – and let’s face it, most organizations can be targets – isn’t footing the bill for an enterprise-wide license for a password manager,” Green said. “Just make it part of everybody’s routine. That, to me, is the smart play.”