Ten years ago, it wasn’t that hard to protect your online accounts – a simple password would do just fine for the most part (along with the knowledge that the Nigerian prince emailing you wasn’t really a Nigerian prince). In today's advanced cybercrime world, protecting your identity is a lot harder than it used to be.
You still need a password, but it should be a lot more complicated than what you may be using now. You’ve probably heard all the best practices for passwords before – some of these are enforced at the system level, so you have to follow them:
- Use a long, complex password with a mix of letters, numbers, and special characters
- Don’t use identifiable words or phrases (especially things like kids’ names and your birthdate)
- Change your password regularly
- Use a different password for every account, and don't have a pattern to them
Following these guidelines is not easy. Strong passwords are harder to remember, which leads to even worse password practices like writing your password down on a sticky note stuck to your monitor or putting them in an Excel file saved on your desktop (neither is a secure practice).
You are much better off using a password manager to create and store your passwords. A password manager is basically a lockbox of all of your passwords that will automatically fill them in for you on most sign-in forms (you can also copy/paste if needed).
When Passwords Aren’t Enough
Even using a password manager won’t protect your account 100% of the time. It’s still possible to become one of the 80,000 people a day who fall for a phishing attack, or for a cybercriminal to use a brute force attack (a hacker submits password attempts until they get it right) to access your account.
It’s also possible that your credentials will be stolen from a service provider. Sites experiencing data breaches and losing customer names and passwords (and sometimes, more sensitive information) barely register as news stories anymore because it happens so often. Here are just a few of the companies that admitted to exposing customers' personal information in the last few months:
- British Airways
These compromises are why changing your password and using different passwords for every account are considered best practices. If someone can associate your personal account (that’s been compromised) with your work account and you’re using the same password, it’s likely that account will be compromised, too.
If you’re wondering if your accounts have been compromised, you can check at https://haveibeenpwned.com/. Please note: this only includes *known* breaches. It sometimes takes years for breaches to be made public.
When evidence of a breach is discovered, change your password and consider employing something even more secure, such as multi-factor authentication.
MFA Provides Another Layer of Password Protection
Using a strong password just isn’t enough to secure your account anymore. That’s where multi-factor authentication (MFA) comes into play. MFA protects your account even if someone has obtained your username and password, by requiring multiple forms of authentication.
This is similar to the two-step verification now used by most social networks, online retailers and free email services (like Gmail). They require you to enter a password plus a one-time code sent to your phone to complete the transaction. Having an extra hoop to jump through can be annoying, but if it keeps your information safe it's well worth the extra time.
Office 365 Business subscribers get a free version of Azure multi-factor authentication (MFA) with their subscription. More advanced options for MFA are available as part of Azure Active Directory Premium. These options can allow you to bypass the MFA prompt if you are logging in from a known device or location. Even if multi-factor authentication costs you a minimal fee, we recommend implementing MFA on any and every account possible – work and personal.
Talk to your IT company about turning on MFA for your email account, computers, and anywhere else you store sensitive data (like your CRM or ERP system). These can usually be set up to whitelist your office IP address so you just use your password while you're on site.
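As an added example (not from the original post or from PTG), here is how the "MFA everywhere except the office" setup described above looks as an Azure AD Conditional Access policy created with the Microsoft Graph PowerShell SDK. The office IP range, the display names and the report-only starting state are assumptions; Conditional Access needs the Azure AD Premium licensing mentioned above.

```powershell
# Added example: require MFA for all users except sign-ins from a trusted office IP range.
# Assumptions: the Microsoft.Graph PowerShell SDK is installed, the signed-in account can
# manage Conditional Access, and 203.0.113.0/24 is a placeholder for the real office range.

Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# 1. Register the office's public egress range as a *trusted* named location.
$officeLocation = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Office HQ (example)"
    isTrusted     = $true
    ipRanges      = @(
        @{
            "@odata.type" = "#microsoft.graph.iPv4CidrRange"
            cidrAddress   = "203.0.113.0/24"   # placeholder; use your real office range
        }
    )
}

# 2. Policy: all users, all cloud apps, MFA required, unless the request comes from a
#    trusted location ("AllTrusted" matches every named location flagged isTrusted).
$policy = @{
    displayName = "Require MFA except from trusted office locations (example)"
    # Start in report-only so the sign-in log shows who would be prompted before enforcing.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeUsers = @("All") }
        applications = @{ includeApplications = @("All") }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Caveat: inside the trusted range a stolen password alone is enough to sign in, so keep
# the range tight (egress addresses only). Before switching state to "enabled", add an
# emergency-access account to users.excludeUsers so an MFA outage cannot lock out every admin.
```

Review the policy's report-only results in the Azure AD sign-in logs for a few days before changing its state to "enabled".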
PTG Customers - we can set this up for you. Reach out to your account manager for more information about MFA.