
There are some simple habits you can adopt that, if performed consistently, may dramatically reduce the chances that the information on your computer will be lost or corrupted.

How can I minimize the access others have to my information?

It may be easy to identify people who could gain physical access to your devices—family members, roommates, coworkers, people nearby, and others. Identifying the people who have the capability to gain remote access to your devices is not as simple—as long as your device is connected to the internet, you are at risk for someone accessing your information. However, you can significantly reduce your risk by developing habits that make it more difficult.

  • Improve password security. 

Passwords continue to be one of the most vulnerable cyber defenses.

  • Create a strong password. 

Use a strong password that is unique for each device or account.

Longer passwords are more secure.

An option to help you create a long password is using a passphrase—four or more random words grouped together and used as a password.

To create strong passwords, the National Institute of Standards and Technology (NIST) suggests using simple, long, and memorable passwords or passphrases.
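As an added example (not CISA's or NIST's code), the following Python shows why the "four or more random words" advice works: the words must be drawn by a cryptographically secure generator, and the strength of the result depends on the size of the word list and the number of words, which the entropy functions below make explicit. The word list here is a small constructed sample standing in for a real one such as the EFF long list (7,776 words); the function and constant names are assumptions for the illustration.

```python
import math
import secrets

# Constructed sample word list, standing in for a real diceware-style list
# (the EFF long list has 7,776 words). The entropy helpers take the list
# size as a parameter, so the figures apply to any list.
SAMPLE_WORDS = [
    "anchor", "basil", "cobalt", "dune", "ember", "fjord", "glacier", "harbor",
    "ivory", "juniper", "kelp", "lantern", "meadow", "nickel", "orbit", "pebble",
]


def passphrase_entropy_bits(list_size: int, word_count: int) -> float:
    """Entropy in bits of word_count words chosen uniformly at random (with
    replacement) from a list of list_size words: word_count * log2(list_size)."""
    if list_size < 2 or word_count < 1:
        raise ValueError("need a list of at least two words and at least one word in the passphrase")
    return word_count * math.log2(list_size)


def random_password_entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random character password, for comparison
    (95 printable ASCII characters is the usual alphabet)."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("need an alphabet of at least two symbols and a length of at least one")
    return length * math.log2(alphabet_size)


def words_needed(list_size: int, target_bits: float) -> int:
    """Smallest number of words from a list_size list that reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(words=SAMPLE_WORDS, word_count: int = 4, separator: str = " ") -> str:
    """Pick word_count words with secrets.choice, which uses the OS CSPRNG.
    random.choice is seeded predictably and must not be used for secrets."""
    if word_count < 1:
        raise ValueError("word_count must be at least 1")
    return separator.join(secrets.choice(words) for _ in range(word_count))


if __name__ == "__main__":
    print("sample passphrase:", generate_passphrase())
    print(f"4 words from a 7,776-word list: {passphrase_entropy_bits(7776, 4):.1f} bits")
    print(f"8 random printable ASCII characters: {random_password_entropy_bits(95, 8):.1f} bits")
    print(f"words from a 7,776-word list needed for 80 bits: {words_needed(7776, 80)}")
```

The comparison is the point: four words from a 7,776-word list give roughly the same entropy as eight fully random printable characters, but are far easier to remember, and adding a fifth or sixth word costs little memory while adding about 13 bits each. The entropy figures only hold when the words are chosen randomly; words picked by a person (a favourite phrase or song lyric) carry far less.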

Why you need strong passwords

You probably use a number of personal identification numbers (PINs), passwords, and passphrases every day: from getting money from the ATM or using your debit card in a store, to logging in to your email or into an online retailer.

Keeping track of all of the number, letter, and word combinations may be frustrating at times, but you’ve seen enough news coverage to know that hackers represent a real threat to your information.

Often, an attack is not specifically about your account, but about using the access to your information to launch a larger attack.

One of the best ways to protect information or physical property is to ensure that only authorized people have access to it.

Verifying that those requesting access are the people they claim to be is the next step. This authentication process is more important and more difficult in the cyber world.

Passwords are the most common means of authentication, but only work if they are complex and confidential.

Many systems and services have been successfully breached because of insecure and inadequate passwords.

Once a system is compromised, it’s open to exploitation by other unwanted sources.


How to choose good passwords

Avoid common mistakes

Most people use passwords that are based on personal information and are easy to remember. However, that also makes it easier for an attacker to crack them.

Consider a four-digit PIN. Is yours a combination of the month, day, or year of your birthday?

Does it contain your address or phone number?

Think about how easy it is to find someone’s birthday or similar information.

What about your email password—is it a word that can be found in the dictionary?

If so, it may be susceptible to dictionary attacks, which attempt to guess passwords based on common words or phrases.

Although intentionally misspelling a word (“daytt” instead of “date”) may offer some protection against dictionary attacks, an even better method is to rely on a series of words and use memory techniques, or mnemonics, to help you remember how to decode it.

For example, instead of the password “hoops,” use “IlTpbb” for “[I] [l]ike [T]o [p]lay [b]asket[b]all.” Using both lowercase and capital letters adds another layer of obscurity.

Changing the same example used above to “Il!2pBb.” creates a password very different from any dictionary word.

Length and complexity

The National Institute of Standards and Technology (NIST) has developed specific guidelines for strong passwords.

According to NIST guidance, you should consider using the longest password or passphrase permissible (8–64 characters) when you can.

For example, “Pattern2baseball#4mYmiemale!” would be a strong password because it has 28 characters.

It also includes the upper and lowercase letters, numbers, and special characters.

You may need to try different variations of a passphrase—some applications limit the length of passwords, some do not accept spaces or certain special characters.

Avoid common phrases, famous quotations, and song lyrics.


Dos and don’ts

Once you’ve come up with a strong, memorable password, it’s tempting to reuse it – don’t!

Reusing a password, even a strong one, endangers your accounts just as much as using a weak password.

If attackers guess your password, they would have access to all of your accounts.

Use the following techniques to develop unique passwords for each of your accounts:

  • Do use different passwords on different systems and accounts.
  • Don’t use passwords that are based on personal information that can be easily accessed or guessed.
  • Do use the longest password or passphrase permissible by each password system.
  • Don’t use words that can be found in any dictionary of any language.
  • Do develop mnemonics to remember complex passwords.
  • Do consider using a password manager program to keep track of your passwords. (See more information below.)
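The rules above (8–64 characters, no dictionary words, nothing based on personal information) correspond closely to the checks NIST SP 800-63B asks a verifier to run when a user picks a password. The following Python is an added example, not CISA's or NIST's code, of such an acceptance check: it enforces the 8–64 character range, compares the candidate against a small constructed blocklist of common passwords after undoing the usual character substitutions, flags supplied personal information, and imposes no composition rules. The blocklist, the substitution table and the names are assumptions made for the illustration.

```python
import unicodedata

# Constructed blocklist standing in for a real list of commonly used or
# breached passwords; it includes the page's own dictionary-word examples.
BLOCKLIST = {"password", "hoops", "date", "baseball", "letmein", "qwerty", "12345678"}

MIN_LEN = 8   # minimum length NIST SP 800-63B sets for user-chosen passwords
MAX_LEN = 64  # 800-63B requires verifiers to accept at least 64 characters;
              # this example caps at the page's 8-64 range

# Common single-character substitutions, undone before the blocklist lookup so
# that "p@ssw0rd" is still recognised as "password". Misspellings such as
# "daytt" are not undone, which is the limited protection the page describes.
SUBSTITUTIONS = str.maketrans({
    "@": "a", "0": "o", "1": "l", "!": "i", "3": "e", "$": "s", "5": "s", "7": "t",
})


def normalize(candidate: str) -> str:
    """NFKC so visually identical Unicode forms compare equal, then lowercase
    and undo the substitutions above."""
    return unicodedata.normalize("NFKC", candidate).lower().translate(SUBSTITUTIONS)


def check_password(candidate: str, personal_info=()) -> list:
    """Return the reasons the candidate is rejected; an empty list means accepted.
    personal_info is an optional sequence of strings the user should not reuse
    (birth year, phone number, street name). No 'must contain a digit' style
    composition rules are applied, per 800-63B; spaces and non-ASCII are allowed."""
    reasons = []
    if len(candidate) < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    if len(candidate) > MAX_LEN:
        reasons.append(f"longer than {MAX_LEN} characters")
    norm = normalize(candidate)
    if norm in BLOCKLIST:
        reasons.append("matches a commonly used or breached password")
    for item in personal_info:
        # very short items would match by accident, so require four characters
        if len(item) >= 4 and normalize(item) in norm:
            reasons.append(f"contains personal information ({item})")
    if len(set(candidate)) == 1:
        reasons.append("single repeated character")
    return reasons


if __name__ == "__main__":
    for pw in ["hoops", "daytt", "Il!2pBb.", "p@ssw0rd", "correct horse battery staple"]:
        verdict = check_password(pw) or ["accepted"]
        print(f"{pw!r}: {', '.join(verdict)}")
    print(check_password("pin1990xyz", personal_info=("1990",)))
```

Note what this check cannot see: reuse across accounts. Only the user (or a password manager that flags duplicates) knows whether the same secret is in use elsewhere, which is why the first "Do" above has to be a habit rather than something a single site can enforce.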

How to protect your passwords

Now that you’ve chosen a password that’s easy for you to remember, but difficult for others to guess, you have to make sure not to leave it someplace for people to find.

Writing it down and leaving it in your desk, next to your computer, or, worse, taped to your computer, is just making it easy for someone who has physical access to your office.

Don’t tell anyone your passwords, and watch for attackers trying to trick you through phone calls or email messages requesting that you reveal your passwords. (See Avoiding Social Engineering and Phishing Attacks for more information.)

Programs called password managers offer the option to create randomly generated passwords for all of your accounts.

You then access those strong passwords with a master password.

If you use a password manager, remember to use a strong master password.

Password problems can stem from your web browser’s ability to save passwords and your online sessions in memory.

Depending on your web browser’s settings, anyone with access to your computer may be able to discover all of your passwords and gain access to your information.

Always remember to log out when you are using a public computer (at the library, an Internet cafe, or even a shared computer at your office).

Avoid using public computers and public Wi-Fi to access sensitive accounts such as banking and email.

There’s no guarantee that these techniques will prevent an attacker from learning your password, but they will make it more difficult.

For more information on passwords, multi-factor authentication, and related password topics, see Supplementing Passwords.

Don’t forget security basics

  • Keep your operating system, browser, and other software up-to-date.
  • Use and maintain anti-virus software and a firewall. (See Understanding Anti-Virus Software and Understanding Firewalls.)
  • Regularly scan your computer for spyware. (Some anti-virus programs incorporate spyware detection.)
  • Use caution with email attachments and untrusted links.
  • Watch for suspicious activity on your accounts.

 

Author

Cybersecurity and Infrastructure Security Agency (CISA)

  • Choose secure networks. 

Use internet connections you trust, such as your home service or Long-Term Evolution connection through your wireless carrier.

Public networks are not very secure, which makes it easy for others to intercept your data.

If you choose to connect to open networks, consider using antivirus and firewall software on your device.

Another way you can help secure your mobile data is by using a Virtual Private Network service, which allows you to connect to the internet securely by keeping your exchanges private while you use Wi-Fi.

When setting up your home wireless network, use WPA2 encryption.

All other wireless encryption methods are outdated and more vulnerable to exploitation. In early 2018, the Wi-Fi Alliance announced WPA3 as a replacement to the longstanding WPA2 wireless encryption standard.

As WPA3-certified devices become available, users should employ the new standard. (See Securing Wireless Networks.)

  • Keep all of your personal electronic device software current. 

Manufacturers issue updates as they discover vulnerabilities in their products.

Automatic updates make this easier for many devices—including computers, phones, tablets, and other smart devices—but you may need to manually update other devices.

Only apply updates from manufacturer websites and built-in application stores—third-party sites and applications are unreliable and can result in an infected device.

When shopping for new connected devices, consider the brand’s consistency in providing regular support updates.

  • Be suspicious of unexpected emails. Phishing emails are currently one of the most prevalent risks to the average user. The goal of a phishing email is to gain information about you, steal money from you, or install malware on your device. Be suspicious of all unexpected emails. (See Avoiding Social Engineering and Phishing Attacks.)

Author

NCCIC

NIST Special Publication 800-63B, Digital Identity Guidelines