The Importance of Strong Passwords for Compliance

6 min read
Oct 31, 2024

Protecting your data is more critical than ever. Protecting client data is good business because it keeps their trust, and in many industries following proper cybersecurity practices is also a compliance requirement. With phishing attacks and data breaches on the rise, it is essential to understand why strong passwords matter and how they fit into cybersecurity standards. Making sure that you and all of your employees understand the importance of strong passwords should be your first line of cyber defense.

Why Strong Passwords Matter

Weak, reused, or stolen passwords are a primary entry point for attackers, who use them to reach sensitive information. Strong, unique passwords protect company data and personal information, keep data private when a device is lost or stolen (provided the device is also encrypted), and limit the damage when one account is breached, since the same credential cannot simply be replayed against your other accounts. They are also a large component of achieving compliance with frameworks such as NIST SP 800-63B, CMMC, and HIPAA. In the case of CMMC, your business MUST meet the required level to bid on or work on Department of Defense contracts.

A Forbes Advisor survey conducted in 2024 adds a significant layer of urgency to this discussion. More than 75% of respondents reported that their personal data was taken from hacked accounts, underscoring the critical need for heightened digital security measures as cybercriminals grow bolder.

“The keys to our digital kingdom lie in the complexity of our passwords,” said EarthWeb’s Cooke. “What makes passwords easy to guess often lies in the familiarity of our choices – be it using common words, sequential numbers or easily accessible personal information. Crafting a formidable defense involves breaking away from these predictable patterns and fortifying our online realms against the ever-present threat of cyber intrusion with strong, hard-to-crack passwords.”

Think of your passwords as your keys. You certainly would not give strangers the keys to your house, so make sure you don’t give them the keys to your networks either.

A Requirement for Compliance with CMMC Standards

The Cybersecurity Maturity Model Certification (CMMC) program rule has been finalized and takes effect on December 16, 2024, making compliance crucial for companies bidding on Department of Defense contracts. Meeting the required CMMC level ensures that companies like yours can continue to work on those contracts while maintaining robust cybersecurity practices.

What are the NIST recommendations for creating a strong password?

Password Length

NIST's floor for user-chosen passwords is eight characters (the 2024 draft revision of SP 800-63B recommends at least 15 when the password is the only authentication factor), and verifiers must accept passwords of at least 64 characters rather than capping them shorter. We recommend at least twelve characters for any account that matters. (If you have 64-character passwords for each of your accounts, you get a prize.)

Complexity

NIST no longer recommends requiring a mix of special characters, numbers, and capital letters; such composition rules push people toward predictable substitutions like "P@ssw0rd". Instead, verifiers should accept every printing ASCII character, including the space, as well as Unicode characters such as emoji. (Please note that your phone and many online accounts still require the special characters, numbers, and capital letters.)

Password Changes

NIST recommends changing passwords only when there is evidence of compromise, not on a fixed schedule. Forced periodic changes lead people to choose weaker, predictable variations of the old password.

Password Hints

NIST recommends that services not offer password hints to unauthenticated users and not rely on knowledge-based authentication (KBA) questions, since answers such as a mother's maiden name or a first pet are often easy to look up.
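As an added example (not code from the original article), here is how a verifier can enforce the NIST SP 800-63B rules listed above: a length floor and cap counted in characters after Unicode normalization, no composition rules, and rejection of anything on a blocklist of common or breached passwords or containing context-specific words such as the username. The blocklist, the `context` parameter and the repeated-or-sequential-run check are constructed for this demo; a real deployment checks against a large breach corpus.

```python
import unicodedata

# Constructed sample blocklist for the demo. In production this is a large
# list of breached and commonly used passwords; quote initialisms such as
# "tbontbtitq" are included because famous phrases appear in cracking dictionaries.
COMMON_PASSWORDS = {
    "password", "password1", "123456", "12345678", "qwerty", "letmein",
    "iloveyou", "welcome", "admin", "abc123", "tbontbtitq",
}

MIN_LEN = 8    # NIST SP 800-63B floor for user-chosen passwords
MAX_LEN = 64   # NIST requires verifiers to accept at least 64; this demo caps there


def normalize(pw: str) -> str:
    """NIST asks verifiers to apply Unicode NFKC or NFC before comparing or hashing,
    so fullwidth or composed forms of the same text are treated identically."""
    return unicodedata.normalize("NFKC", pw)


def has_repeat_or_sequence(pw: str, run: int = 4) -> bool:
    """Flag runs like 'aaaa', '1234' or 'dcba' (assumption: a 4-character window)."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        codes = [ord(c) for c in s[i:i + run]]
        if len(set(codes)) == 1:
            return True
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def check_password(pw: str, context: tuple[str, ...] = ()) -> list[str]:
    """Return the reasons a password is rejected; an empty list means accepted.
    Deliberately applies no composition rules (no 'must contain a digit/symbol')."""
    pw = normalize(pw)
    reasons = []
    n = len(pw)  # count code points, not bytes, so non-ASCII characters count once
    if n < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    if n > MAX_LEN:
        reasons.append(f"longer than {MAX_LEN} characters")
    low = pw.lower()
    if low in COMMON_PASSWORDS:
        reasons.append("appears on the common/breached password list")
    for word in context:  # e.g. username, service name, company name
        if word and word.lower() in low:
            reasons.append(f"contains context-specific word {word!r}")
    if has_repeat_or_sequence(pw):
        reasons.append("contains a repeated or sequential run")
    return reasons


if __name__ == "__main__":
    for candidate in ["password1", "correct horse battery staple",
                      "abcd1234XYZ", "Jane2024!", "\uff30assword1"]:
        print(repr(candidate), check_password(candidate, context=("jane",)))
```

Note that the fullwidth "Ｐassword1" is rejected only because of the NFKC step; without normalization it would slip past an exact-match blocklist while still being guessable.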

Tips for Creating Strong Passwords

As you probably realized, you aren’t going to be able to follow every NIST standard on every account, especially in your personal life. We’ve all put in the perfect passphrase only to have the account tell us that we are missing a capital letter, a number, and the soul of our first-born child. So what should you do?

Use Passphrases

A real passphrase is several words with spaces, and where an account allows it (NIST says verifiers should), the whole phrase is both easier to remember and far stronger than any abbreviation of it. Where a site caps password length, you can fall back to the initial letters of a memorable phrase. For example, Shakespeare's famous 'To be, or not to be: that is the question' becomes 'tbontbtitq'. Mixing uppercase and lowercase letters with numbers and symbols adds some strength, so we could change our example to 'Tb0ntbTitQ'. Two caveats: famous quotes and their initialisms are already in attackers' cracking dictionaries, so pick a phrase that is personal but not discoverable, and 'Tb0ntbTitQ' is only ten characters, below the twelve we recommend.
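To make the difference between a random passphrase and a quote initialism concrete, here is an added example (not part of the original article) that generates passphrases with the operating system's CSPRNG and estimates how long an offline cracker would need to exhaust the search space. The 32-word list, the 7,776-word Diceware-size list assumed in the usage note, and the 10^10 guesses-per-second rate are assumptions chosen for illustration.

```python
import math
import secrets

# Constructed word list for the demo: 32 words give only 5 bits per word.
# A real generator uses a large list such as the 7,776-word EFF/Diceware list.
WORDS = [
    "anchor", "basil", "canyon", "delta", "ember", "falcon", "glacier",
    "harbor", "ivory", "juniper", "kestrel", "lantern", "meadow", "nickel",
    "orbit", "pepper", "quartz", "ridge", "saddle", "tundra", "umber",
    "velvet", "walnut", "yonder", "zephyr", "beacon", "cobalt", "dune",
    "fable", "granite", "hollow", "ingot",
]


def passphrase(n_words: int = 5, words=WORDS, sep: str = " ") -> str:
    """Pick words uniformly with the CSPRNG (secrets), never random.random()."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def passphrase_entropy_bits(n_words: int, list_size: int) -> float:
    """Entropy of n words chosen uniformly and independently from list_size words."""
    return n_words * math.log2(list_size)


def charset_entropy_bits(length: int, charset_size: int) -> float:
    """Upper bound for a uniformly random string of the given length and alphabet.
    A quote initialism is far weaker than this bound because the attacker's
    dictionary contains famous phrases, so the guess space is tiny."""
    return length * math.log2(charset_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given offline guess rate."""
    return 2 ** bits / guesses_per_second / (3600 * 24 * 365)


def initialism(phrase: str) -> str:
    """Fallback for sites that cap length: first letter of each word."""
    return "".join(w[0] for w in phrase.split() if w)


if __name__ == "__main__":
    rate = 1e10  # assumption: fast-hash offline cracking, guesses per second
    print("demo passphrase:", passphrase(5))
    for label, bits in [
        ("5 words from 32-word list", passphrase_entropy_bits(5, 32)),
        ("6 words from 7776-word list", passphrase_entropy_bits(6, 7776)),
        ("10 random alphanumerics", charset_entropy_bits(10, 62)),
    ]:
        print(f"{label}: {bits:.1f} bits, {years_to_exhaust(bits, rate):.3g} years")
    print(initialism("To be, or not to be: that is the question"))
```

With a Diceware-size list, six random words carry about 77 bits and take on the order of 10^5 years to exhaust at 10^10 guesses per second, whereas five words from the toy 32-word list (25 bits) fall in a fraction of a second; the size of the list, not the number of words, is what you are trusting.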

Avoid Personal Information

Refrain from using easily accessible personal information such as birthdays, names, or addresses in your passwords. Cybercriminals often exploit such details in targeted attacks once they have stolen or looked up that information elsewhere.

Update Your Password When There Is Reason To

Change a password whenever you have reason to think it has been exposed: a breach notification, a lost device, a phishing link you clicked, or a password you shared or reused elsewhere. Calendar-driven rotation, on the other hand, tends to produce 'Summer2024!' followed by 'Fall2024!', which attackers anticipate; that is why the NIST guidance above no longer recommends it.

Use Only Secure Wi-Fi Connections

Connect only to Wi-Fi networks you trust. Most logins today are protected by HTTPS, so the main risk on public Wi-Fi is not simple eavesdropping but spoofed networks and captive portals that imitate a login page or try to strip encryption. Avoid logging in to sensitive accounts on public Wi-Fi, never click through certificate warnings, and use a VPN or your phone's cellular connection instead.

The Most Common Type of Password Breaches

Brute Force Attack

If a password is the key to a door, a brute force attack is a battering ram: the attacker simply tries guesses until one works. Online guessing against a live login is slowed by rate limits and lockouts, but when attackers steal a database of password hashes they can guess offline at enormous rates; the figure of 2.18 trillion password/username combinations in 22 seconds gives a sense of the scale. If your password is short or on a common-password list, it falls within that window. A related attack, credential stuffing, replays username/password pairs stolen from one breach against other sites, which is why every account needs a unique password.

Phishing

A phishing attack is when an attacker poses as someone you know or as another trustworthy party, such as your bank, Google, or USPS, and sends you a fraudulent e-mail, hoping that you will open it and click on something or otherwise reveal your credentials voluntarily.

Perhaps it is an email from your bank telling you your account is in jeopardy and you need to reset your password. The best way to combat this is to be mindful of the approach, look at the sender's actual address (not just the display name), and question everything. DO NOT CLICK ON ANY LINKS. If you get an e-mail that is not from somebody you know and interact with regularly at work, really look at it and pay attention. Call the person if in question and ask them about the email. In the banking example, open your mobile banking app or type the bank's address yourself to check on things, avoiding any links in suspicious emails.

Man-in-the-Middle Attack

Man-in-the-middle (MitM) attacks are when an attacker or compromised system sits between two uncompromised people or systems and reads, or alters, the information they pass to each other, including passwords. If Alice and Bob are passing notes in class but Jeremy has to relay those notes, Jeremy has the opportunity to be the man in the middle. Similarly, in 2017 Equifax pulled its apps from the App Store and Google Play after reports that they sent sensitive data over insecure connections where an attacker in that position could have stolen customer information. TLS (the padlock in your browser) exists to prevent exactly this, which is why certificate warnings should never be clicked through.

What Makes for a Strong Password?

Use Strong Passwords

Create passwords that are at least 12 characters long, or better, a multi-word passphrase. Length adds far more strength than a token digit or symbol, though include them where a site insists.

Avoid Personal Information

Refrain from using easily guessable information like birthdays or names in passwords.

Update Passwords When Something Happens

Change a password promptly when a breach notice, lost device, or suspicious login gives you reason to, rather than on a fixed schedule that nudges you toward predictable variations.

Be Cautious with Emails

Always verify the sender before clicking on links or opening attachments in emails.

Secure Wi-Fi Connections

Avoid using open Wi-Fi networks for accessing sensitive information.

The Role of Password Managers

Let’s face it. Remembering passwords, even if they’re only 12 characters long, is difficult. And then you also need a unique password for every account? No one can memorize all of that. Password managers securely store complex passwords, making it easier to manage multiple accounts without compromising security, and most will also generate a long random password for each new account so you never have to invent one. You memorize one really awesome and long passphrase and the password manager remembers the rest. ThereWasRoomOnTheD00rForJack! (And since that one is now printed in a blog post, don’t use it.)

However, it's essential to choose a password manager that meets compliance standards and has proper encryption. Different password managers have achieved different compliance standards. For example, NordPass is HIPAA compliant, is SOC 2 Type 2 certified and meets ISO 27001 certification standards, but is not FedRAMP certified. The password manager Keeper is HIPAA, ISO 27001 and SOC 2 certified, in addition to being FedRAMP certified. For CMMC Level 2, cryptography used to protect Controlled Unclassified Information must come from FIPS 140-validated modules, so look for a password manager whose vendor documents FIPS 140 validation rather than merely "FIPS compliant" marketing.

As we navigate the complexities of the digital world, it's crucial to stay vigilant and proactive in our cybersecurity efforts. By following best practices, complying with standards like CMMC, and using tools like encrypted password managers, we can protect our data and maintain the trust of our clients and partners. At Dragnet, we are committed to providing defense-grade cybersecurity for all, ensuring that our clients are always one step ahead of cyber threats.

For more information on how to enhance your cybersecurity practices, feel free to reach out to our team. Together, we can build a safer digital future.
