Good Password Hygiene

Earlier this year, a record-setting personal data breach, hailed as the Mother of all Breaches (MOAB) and discovered by security research firm SecurityDiscovery.com, exposed 26 billion individual personal records.

The compromised data set is known to combine records from past breaches with newly exposed data. It contains user login credentials and other sensitive information that is valuable to malicious actors.

Malicious actors will use this information to attack other accounts belonging to the compromised users. Attackers will test the leaked passwords against higher-value accounts, such as email or banking, to see whether they were reused. Affected users are also likely to receive many more phishing and spam emails.

To best protect yourself, the Idaho Office of Technology Services (ITS) and the Idaho Office of Emergency Management (IOEM) recommend practicing good password hygiene. This is the most effective way to reduce the risk of your leaked login information being used to access your accounts.

Password Hygiene Best Practices:

  1. Use passphrases. A passphrase is a sentence-like string of words containing a mixture of uppercase, lowercase, and special characters; it is easy to remember but hard to guess or crack.
  2. Don’t reuse passwords or passphrases. Use a unique password for every online account you own. This prevents an attacker who obtains one password from gaining access to all your accounts with minimal effort.
  3. Use a password manager program. These applications store all your passwords in an encrypted database for easy use, can generate new, unique passwords for you, and sync them across all your devices. A much better idea than a sticky note.
  4. Frequently change all your account passwords. The recommendation for password rotation is every 90 days. If that seems too frequent, rotate the passwords on all your personal accounts at least once a year.
  5. Use multi-factor authentication (MFA) whenever possible. Most users are already familiar with MFA from their bank or work accounts. It protects accounts from compromise by requiring a second factor in addition to the password. Typically, this is a one-time passcode delivered to the user’s cell phone or an authenticator app that pushes an approval request to the device’s screen.
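
As an added illustration of items 1 and 2 (example code written for this page, not part of the ITS/IOEM notice): the Python below draws a passphrase from a word list using a cryptographic random source, quantifies why a multi-word passphrase outperforms a short random password, and flags accounts in a password vault that share a password. The short word list, the sample vault, and the 7776-word list size assumed for the entropy figures are constructed for the example.

```python
import hashlib
import math
import secrets

# Constructed sample word list (illustration only). A real generator should
# use a large published list; the entropy figures below assume a 7776-word
# list, the size of common diceware-style lists.
WORDS = ["anchor", "basket", "candle", "dragon", "engine", "falcon", "garden",
         "hammer", "island", "jacket", "kettle", "lantern", "magnet", "needle",
         "orbit", "pencil", "quartz", "rocket", "saddle", "tunnel"]

def generate_passphrase(n_words, words=WORDS, sep="-"):
    """Choose n_words uniformly at random with a CSPRNG (the secrets module)."""
    return sep.join(secrets.choice(words) for _ in range(n_words))

def entropy_bits(length, alphabet_size):
    """Bits of entropy in a uniformly random string of `length` symbols drawn
    from `alphabet_size` choices, i.e. log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)

def compare_strength():
    """A 6-word passphrase (7776-word list) versus 8 random printable ASCII
    characters (94 symbols). Returns (passphrase_bits, password_bits)."""
    return entropy_bits(6, 7776), entropy_bits(8, 94)

def find_reused_passwords(credentials):
    """Given {account: password}, return groups of accounts sharing a password,
    keyed by a SHA-256 digest so the report never carries the plaintext.
    Any group with more than one account violates the no-reuse rule."""
    groups = {}
    for account, password in credentials.items():
        digest = hashlib.sha256(password.encode("utf-8")).hexdigest()
        groups.setdefault(digest, []).append(account)
    return {d: accts for d, accts in groups.items() if len(accts) > 1}

if __name__ == "__main__":
    # Constructed sample vault: two accounts reuse the same password.
    vault = {"email": generate_passphrase(5), "bank": "Winter2024!",
             "shopping": "Winter2024!", "forum": generate_passphrase(5)}
    pp_bits, pw_bits = compare_strength()
    print(f"6-word passphrase: {pp_bits:.1f} bits; 8-char password: {pw_bits:.1f} bits")
    for accounts in find_reused_passwords(vault).values():
        print("same password reused on:", ", ".join(sorted(accounts)))
```

The entropy comparison shows a 6-word passphrase at roughly 77.5 bits against roughly 52.4 bits for 8 random printable characters, which is why item 1 favors passphrases over short complex passwords.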

In addition to these best practices, ITS and IOEM encourage individuals to take part in annual cybersecurity training to stay informed about the latest cybersecurity threats and to improve their understanding of how to stay safe online.