191 passwords

“Financial services firms fall victim to cybersecurity attacks 300 times more frequently than businesses in other industries,” according to a recent article by ITSP magazine.

And out of the record-setting 1,579 data breaches occurring in 2017, 8.5 percent involved the financial services sector.

Another surprising surprising stat: The average business user has 191 passwords to remember. If every one of those passwords has to follow complexity rules and users need to change them regularly according to expiration policies … Well, that’s a lot of time wasted managing passwords.

But are those rules and policies actually creating more secure systems?

Let’s explore a few password myths as well as some best practices that will clear away the fog from the road to more secure passwords.

Myth #1: Complexity rules strengthen passwords

Many applications use password strength indicators to show you how your password stacks up. Unfortunately, many of them are based on complexity rules that aren’t doing you or your account security much good.

Consider ditching rules that require passwords to contain at least:

  • Eight characters
  • One number
  • One symbol
  • One special character
  • One uppercase letter
  • One lowercase letter

That’s a lot to remember when creating a password. It’s also unnecessary.

According to Hyland security experts, password length, rather than complexity, is the key.

Passwords should follow these two simple rules:

  • Be at least 15 characters long
  • Must not contain an embedded username

According to the site howsecureismypassword.net, the password “ILikeOnBaseALot” would take about 44 million years to crack. How’s that for secure?

Myth #2: Password expiration reduces use of stolen passwords

Let’s imagine a hacker gets access to employee or customer login information at your financial institution. Will that hacker wait to use the password or do as much damage as they can immediately?

In 2017, the Federal Trade Commission created a database of 100 fake consumers and released their login information on two popular hacking websites. It took only nine minutes before crooks tried to access the information, according to the FTC. In total, there were over 1,200 attempts to access the email, payment and credit card accounts.

Many organizations force users to change their passwords every few months. But this doesn’t benefit the user or the company in the short-term, as a hacker is likely to use the login information immediately. Compounding the problem is the fact that many people use the same password across systems, giving hackers the potential to do a lot of damage very quickly.

One way to limit the damage hackers can do is to use a password manager, an application that assists users with creating highly secure passwords that are unique for every system, application and service they use. The manager also securely stores the information for each site, requiring the user to remember only the password for the management application itself.

Myth #3: Password expiration means users choose new passwords

Nope. Most users probably make it easy on themselves. After all, the human mind values efficiency. And it’s not very efficient to have to create and remember a completely new password ever couple of months.

What’s more likely is that people simply add a number to the end of their password like this: Password = DonutsRGood1.

Password expires after 60 days. New password = DonutsRGood2

Hackers are totally fooled, right? What could possibly come after DonutsRGood2?

Again, this is where a password manager comes in handy. It relieves the burden from the minds of workers who are already overloaded with the millions of pieces of information related to their work and personal lives that their brains have to keep track of every day.

Forget rules – take these 8 steps

Rules regarding complexity and password expiration don’t seem to be doing much good. Instead, the focus needs to shift to a common set of steps individuals take to protect themselves.

Hyland’s very own security expert, Josh Gatka, developed the following best practices for security.

The Authentic8:

  1. Use a password manager
  2. Ensure that your master password is strong
  3. Check haveibeenpwnd.com to see if your credentials are already available to attackers
  4. Change your password for ALL of the services that are flagged by haveibeenpwnd
  5. Turn on multi-factor authentication everywhere it is supported, especially on your email accounts
  6. Don’t use SMS-based multi-factor authentication when there are other services available, like authenticator apps or a USB security key
  7. Seek out training on how to recognize phishing emails
  8. Print out the one-time-use backup codes provided when you set up MFA, and store them where you store your birth certificates and other important documents – you’ll need these to log in if you lose your phone or USB key

In 2016, “12 percent of people left their credit unions and 28 percent left their banks,” due to activity on their accounts that was unauthorized, says ITSP magazine.

Data breaches are costly to clean up and cause financial institutions to lose customers. Using the password best practices above in combination with a secure content services approach will help your organization avoid the pain of security breaches now and in the future.

But you can still use DonutsRGood3 on your license plate!

* This blog post was originally published on CUInsight.com.

Michelle Harbinak Shapiro

Michelle Harbinak Shapiro

Michelle Shapiro brings more than 15 years of experience in the banking industry to her role as Financial Services marketing portfolio manager at Hyland. Her mission is to share best practices and evangelize the power of ECM as a tool for banks, credit unions and lenders to help automate paper-based processes and proactively manage regulations.

Leave a Reply

Your email address will not be published. Required fields are marked *