MSP? 3 Password Security Tips to Share with Your Clients

Often, the biggest threat to a businesses cybersecurity is their end users. The first step to ensuring your clients do not fall victim to a ransomware attack is a proper cybersecurity training program. A good place to start are some simple (but effective) password security tips. In this blog we’ll cover a few examples to share with your end users to ensure passwords are not the weak link in your cybersecurity plan.

Ryan Weeks, Chief Information Security Officer, Datto, Inc.
Author: Datto CISO Ryan Weeks

1. No One Needs Your Password, Ever

Here’s an easy way to tell if someone is trying to steal information from you, or do damage to your technology: They ask for your password. No person ever needs your password. Not your boss. Not your co-worker. Not the tech support lady on the phone or the repair guy standing over your laptop. Nobody needs your password. Any of the people who legitimately need to access your system can get in without your password. They have privileges on your system necessary to their jobs, and they can get into your account without your password. The only reason someone needs your password is to fool a computer or an online service into thinking they are really you.

“But what about those websites that say I can log in with Facebook or Google?” Those websites don’t ask for your password. They send you to a pop-up window on Google or Facebook or Twitter, and you can enter your username and password into those actual websites. Then, Google or Facebook or Twitter send an encrypted bit of code called a token that tells the website who you are, but doesn’t tell the website your password. Basically, these websites are vouching for you, so you don’t have to give your password to a stranger.

2. Use a Passphrase, Not a Password

You’re really bad at picking passwords. Don’t worry, most people are. In fact, hackers can usually guess your password because most people pick really common, really simple, really insecure passwords. Passwords like 123456 and, well, ‘password’. Short passwords that contain obvious words are easier for hackers to guess. Hackers can simply try any of the most common passwords first and, if that fails, they just use a program that tries random words or common sequences of numbers. When that fails, hackers try random series of letters and numbers.

The longer and less common your password, the harder it is for hackers to guess. Most people choose short, simple passwords because they are easy to remember. Long, complicated passwords are harder to guess, but are also harder to remember. That’s why you shouldn’t use a password; you should use a passphrase. A passphrase is a short sentence that’s easy to remember but, hopefully, is hard to guess. So, for example, instead of using your daughter’s birth date as a password, use ‘I love my baby girl 4-ever’ as a passphrase. You probably can’t remember a 16-digit random string of numbers and letters, but you can remember that you’ll always love your little girl (and that you used a funky number and punctuation combo to spell forever). And, best of all, hackers won’t be nearly as likely to guess your passphrase.

3. Use Two-Factor Authentication Wherever You Can

Even if you don’t give out your password and you use a good passphrase, it’s really only a matter of time before a hacker gets ahold of your password. Hackers steal millions upon millions of passwords every year—through no fault of the users that lose them. That’s why you need a second line of defense: two-factor authentication. Think of your password as a key that unlocks the door to your computer and your online accounts. If someone steals that key, they can unlock that door and walk into your system, stealing or wrecking anything inside. Two-factor authentication is like installing a deadbolt lock above the lock already in your computer’s door—a deadbolt that uses a different key from the door itself. Thus, if a hacker wants to get inside your computer, they would need to steal two different keys.

Where the analogy breaks down is that two-factor authentication isn’t about using two different passwords. Two-factor authentication uses a password and then some other piece of information stored separately from your password. For example, many modern laptops include fingerprint readers, which require you to enter a password and scan your forefinger or thumb to access the system. Services like Gmail or Twitter can send special codes to your smartphone—either by voice call, text message or through an app—which you must combine with your password to log in. With two-factor authentication, a hacker has to do more than steal a list of passwords from a server somewhere to hack into your computer. Hackers would need to steal your password and physically steal your smartphone (or your thumb) to get into your computer, and that is far, far less likely.

Communicating the value of computer security best practices to your end users isn’t always easy. To help end users better understand the value of safety over convenience, we’ve put together a guide packed with information on password and email best practices, as well as web and network security do’s and don'ts. To learn more, check out the Essential Cybersecurity Toolkit for SMBs, today.

Ryan Weeks is chief information security officer at Datto Inc. Read more Datto blogs here.