The 20th anniversary of National Cybersecurity Awareness Month is an excellent reminder that not only are cyber threats still a serious issue, but they have also grown and become more sophisticated. Thankfully, protecting ourselves online has been made easier than ever with the adoption of new technologies to authenticate our identities and growing research into how to leverage the tools available to us. As the Chief Information Security Officer (CISO) for the Department of Commerce, I work closely with the cybersecurity experts at the National Institute of Standards and Technology (NIST). These experts are at the forefront of cybersecurity research.
One consistent theme you’ll hear from NIST and other cybersecurity experts is how human psychology can be exploited by cyber criminals to compromise our accounts. However, research into how we interact online has shown us several straightforward steps we can take to minimize the risk of common behaviors proven to be insecure.
Over the last few years, we’ve seen this research help us better understand one of the first things that comes to mind when we think about online safety: passwords. Previously, the conventional wisdom was to create passwords using special characters, capitalization, numbers, letters, and a variety of arbitrary rules, including forcing you to change your password multiple times per year. Research shows that, in response, we all did the same thing: we re-used passwords or created variations of the same password, because we’d been asked to memorize dozens of unique passwords for every site, log-in, or application.
Our natural instincts created a weakness in our online security and cyber criminals took advantage. Research on the use of passwords has demonstrated the inherent weakness in expecting users to memorize arbitrarily complex passwords, and the importance of using multi-factor authentication (MFA) to safeguard our private information. Importantly, our thinking has evolved around this topic, and we’ve identified the following practices to better protect ourselves:
- When you must use a password, use a longer password (15 or more characters) or even passphrases, as these provide greater protection than a shorter, arbitrarily complex password. Passphrases have the added benefit of being easy to remember.
- Employing MFA (such as a one-time code emailed to you or an authenticator app on your phone) adds a second, critical layer of protection against a compromised password. MFA should be set up any time it is available. It takes only a couple of moments and will give you peace of mind.
- Password managers, protected by one very strong, long password with MFA enabled, allow us to create unique passwords for each site without needing to memorize them all.
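To make the first point concrete, here is an added worked calculation (not code from the original post) of the guessing work an attacker faces for an 8-character password that satisfies composition rules versus a 15-character lowercase password and a 5-word passphrase. The alphabet sizes, word-list size and guess rate are constructed assumptions for the illustration, and the figures assume randomly chosen values; human-chosen passwords are weaker than this.

```python
import math

# Constructed assumptions for this illustration (not figures from the post):
PRINTABLE_ASCII = 95        # upper, lower, digits and symbols on a US keyboard
LOWERCASE = 26
DICEWARE_WORDS = 7776       # size of a common word list used for passphrases
GUESSES_PER_SECOND = 1e10   # assumed offline cracking rate against a fast hash
SECONDS_PER_YEAR = 31_557_600


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of guessing work for a uniformly random string of `length`
    symbols drawn from an alphabet of `alphabet_size` symbols."""
    if length <= 0 or alphabet_size <= 1:
        return 0.0
    return length * math.log2(alphabet_size)


def passphrase_bits(word_count: int, wordlist_size: int) -> float:
    """Bits for a passphrase of `word_count` words picked at random from a
    list of `wordlist_size` words; the attacker is assumed to know the list."""
    return entropy_bits(word_count, wordlist_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the right guess: half the keyspace on average."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def compare_policies() -> dict:
    """The policies contrasted in the post: a short password built from
    composition rules versus longer passwords with no special characters."""
    cases = {
        "8 chars, all printable ASCII": entropy_bits(8, PRINTABLE_ASCII),
        "15 chars, lowercase only": entropy_bits(15, LOWERCASE),
        "5-word passphrase": passphrase_bits(5, DICEWARE_WORDS),
    }
    return {
        name: {
            "bits": round(bits, 1),
            "years_to_crack": expected_crack_seconds(bits, GUESSES_PER_SECOND)
            / SECONDS_PER_YEAR,
        }
        for name, bits in cases.items()
    }


if __name__ == "__main__":
    for name, result in compare_policies().items():
        print(f"{name:30} {result['bits']:6.1f} bits  "
              f"~{result['years_to_crack']:.3g} years")
```

Under these assumptions the 8-character "complex" password falls in days while the 15-character lowercase one takes thousands of years, which is the reason length is favored over complexity rules.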
These security practices can be combined with others, like updating software and recognizing phishing, for a more secure online experience. I encourage you to take a few minutes to set up a password manager and enable MFA for all your important online accounts.