Passwords and Authentication
When you connect to any service, be it social media, email, or your company profile, you present your identity as a username or email address together with your password. The service authenticates you by checking that password against what it has stored for your account (a well-run service stores a salted hash of the password, never the password itself, so a stolen database does not directly reveal it). This is called authentication. Once authenticated, you are allowed into your account.
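The check described above, as an added example that is not part of the original article and not any real service's code: the server stores a salted PBKDF2 hash rather than the password, re-derives it at login, and compares in constant time. The iteration count, the user record, and the address cadet@example.org are assumed for illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Added illustration of how a service can check a password without storing it.
# Not any real service's code; the iteration count and user record are assumed.
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed; OWASP's 2023 figure)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$iterations$salt$digest'. This string, not the password, is stored."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user: identical passwords hash differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the digest with the stored salt and compare it in constant time."""
    algo, iterations, salt_b64, digest_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    # compare_digest avoids leaking how many leading bytes matched through timing
    return hmac.compare_digest(candidate, expected)


# Constructed user table: the server keeps only the hash string.
USERS = {"cadet@example.org": hash_password("correct horse battery staple")}


def authenticate(username: str, password: str) -> bool:
    """Check a login attempt. Unknown users cost the same time as a wrong password."""
    stored = USERS.get(username)
    if stored is None:
        hash_password(password)  # burn the same work so timing does not reveal valid usernames
        return False
    return verify_password(password, stored)


if __name__ == "__main__":
    print(authenticate("cadet@example.org", "correct horse battery staple"))  # True
    print(authenticate("cadet@example.org", "P@5Sword1!"))                    # False
    print(authenticate("nobody@example.org", "anything"))                     # False
```

The slow, salted hash is what makes a leaked database expensive to crack: every guess costs the attacker the same 600,000 iterations it costs the server, and the per-user salt means each account has to be attacked separately.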
How strong your authentication is mostly left to you as the user. Some services impose requirements such as a minimum password length, special characters, and a mix of lower- and uppercase letters. Let me assure you, though, that although “P@5Sword1!” meets these requirements, it is doing nothing for your account security. Attackers know exactly how common these patterns are and feed them, along with millions of leaked and guessed passwords, into tools that try them against your account; this is a dictionary attack, a targeted form of the brute-force attack that tries every combination. It also feeds a myth that a password must be complex to be strong. In reality, length matters far more than complexity. To illustrate: an eight-character password drawn from lowercase, uppercase, digits, and special characters (about 70 symbols in all) has 70^8, or 576.48 trillion, possible combinations. A 12-character password using only lowercase letters has 26^12, or 95.43 quadrillion, possible combinations, roughly 165 times as many. This is why a passphrase of several words is a viable alternative to a password, provided the words are chosen at random rather than taken from a quotation, song lyric, or other phrase an attacker can look up.
If you are like most people, you are probably exhausted by constantly having to create new passwords. New Mexico Wing has adopted a policy recommended by the National Institute of Standards and Technology (NIST Special Publication 800-63B) and no longer forces users to change passwords on a schedule. The aim is to encourage users to create one strong password that does not need replacing unless it is compromised. Forcing periodic changes drives users toward predictable passwords and patterns that differ only slightly from the old one (adding a digit, bumping a number), which anyone who learns the old password can guess easily.
There are a couple of things we can do as users to make our accounts even more secure. The first is a password manager that includes a password generator. Password managers such as Bitwarden, 1Password, or Dashlane store all your passwords in an end-to-end encrypted vault that is synced through the cloud, so only you, with your master password, can decrypt it. This gives you the perk of only needing to remember one password while being able to log in to just about every account you have; just be sure to set up your recovery options, because the vendor cannot reset a master password it never sees. They also include a password generator that produces random passwords using the characters and length you specify. Since you keep that password in the manager, there is no need to memorize or type it; you can auto-fill it or copy and paste it. Bitwarden will also generate passphrases up to 20 words long, as well as usernames if you are out of ideas for them.
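The combination arithmetic from the paragraph on length versus complexity, together with the kind of random password and passphrase generator a password manager provides, as an added example that is not from the original article or from any of the products named. The eight-special-character alphabet, the 10-billion-guesses-per-second attack rate, and the short word list are all assumptions; a real generator draws from a list of thousands of words.

```python
import math
import secrets
import string

# Added illustration; not from the original article or any password manager's code.
# The article's 576.48 trillion figure is 70**8: 52 letters + 10 digits + 8 specials (assumed set below).
FULL_70 = string.ascii_letters + string.digits + "!@#$%^&*"
LOWER = string.ascii_lowercase

# Constructed word list for the demo; a real generator uses thousands of words (EFF's list has 7,776).
WORDS = ["correct", "horse", "battery", "staple", "cactus", "mesa", "turquoise",
         "roadrunner", "adobe", "chile", "pinon", "arroyo", "bosque", "balloon",
         "sandia", "pecos", "cadet", "wing", "squadron", "hangar"]


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of equally likely candidates an attacker must consider: alphabet_size ** length."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Strength in bits, valid only when every symbol is chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try the whole space at a given guess rate."""
    return keyspace(alphabet_size, length) / guesses_per_second / (365.25 * 24 * 3600)


def random_password(length: int, alphabet: str = FULL_70) -> str:
    """secrets, not random: the latter is predictable and unsuitable for credentials."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words: int, wordlist=WORDS, sep: str = "-") -> str:
    """Words picked independently and uniformly, so entropy = words * log2(len(wordlist))."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    rate = 1e10  # assumed: offline GPU attack on a fast, unsalted hash
    for label, n, length in [("8 chars, 70 symbols", 70, 8),
                             ("12 lowercase", 26, 12),
                             ("16 lowercase", 26, 16)]:
        print(f"{label:20s} {keyspace(n, length):.4g} combos  "
              f"{entropy_bits(n, length):5.1f} bits  "
              f"{years_to_exhaust(n, length, rate):.3g} years at 1e10 guesses/s")
    print("6 words from 20-word list:", f"{entropy_bits(len(WORDS), 6):.1f} bits")
    print("6 words from 7776-word list:", f"{entropy_bits(7776, 6):.1f} bits")
    print("generated password:  ", random_password(16))
    print("generated passphrase:", random_passphrase(6))
```

Two things the numbers make visible: the 12-lowercase password (about 56 bits) beats the 8-character "complex" one (about 49 bits), and a passphrase is only as strong as its word list and the randomness of the choice, so six words from the toy 20-word list above (about 26 bits) is weak while six from a 7,776-word list (about 78 bits) is excellent.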
Another aspect to consider is Multi-factor Authentication (MFA). MFA adds a second, independent proof of identity on top of your password. When it is set up, someone who has your username and password still cannot get into your account without that second factor. MFA is probably most recognized as a code that arrives by text message, but that is only one of the possible forms. Typically you will also see options for a phone call, an authenticator application on your phone that generates time-based codes, a physical security key such as a YubiKey or other FIDO2 hardware token that you touch (or, on some models, unlock with a fingerprint), and, on company networks, the network location or IP address used as an extra signal. Not all of these are equal: text-message codes can be intercepted through SIM swapping, and any code you type can be phished along with your password, whereas a FIDO2 key only works with the genuine site and so resists phishing. Use the authenticator app or a hardware key where the service offers them, and SMS only when nothing else is available.
Ultimately, we have a few suggestions that will help all of our members with both CAP and personal accounts.
Develop a long password that is easy for you to remember, preferably longer than 12 characters
Use a different password for each account that you have
Adopt a password manager to maintain all your passwords
Use a password generator to create long, random passwords for each service that you use
Enable MFA for every service that supports it
This may feel like a huge hassle at first. However, as you get used to it, it becomes easier and you will find that it is not as invasive as you expected.
For More Information:
Lt Col Tyler Leaf