Article: A Word About Passwords
by Cindy McManus
Cindy McManus is a Consulting Architect at Fulcrum Technology Solutions. McManus has been a part of the Infrastructure team since 2012.
We’ve all got them. We all hate them. Passwords. Passwords for personal accounts. Passwords for business accounts. Passwords and more passwords.
How do you keep track of them all? Some use password managers, although those have recently been found to have security flaws. Some keep them in files on their hard drive. Lose control of your laptop, be it by exploit or physical loss, and you’ve lost your passwords, too. Some don’t even try to keep up with them, using the ‘forgot password’ link to change a password when they need it.
Strengthening passwords has traditionally meant longer, more complex, more unique passwords. Don’t use the same password for multiple accounts or web sites. Do use longer, more complex passwords, which are harder to brute force.
What’s better than just a password? Multi-factor authentication (MFA). You’ve entered your password. The website sends a verification code to your email or phone. You enter the code correctly and you’re authenticated. No problem until your email account is breached or your phone is lost.
What’s next? WebAuthn (Web Authentication). It’s an extension of the Credential Management API, which is an attempt to formalize the interaction between websites and web browsers when exchanging user credentials. WebAuthn can be used as a single factor, where the user does not have to provide any additional information. For more security, the website asking for authentication can still require a username and password, making it multi-factor authentication. This can also be combined with other authentication factors, such as biometrics, TPMs (Trusted Platform Modules) or hardware tokens, to improve overall security. Supported by Chrome, Firefox, and Edge, WebAuthn is here and coming to a website near you.
How do I know if my password is safe? Try out How Secure Is My Password? to test how long a single computer would take to brute force your password. Has your password been involved in a breach? Check out Have I Been Pwned? to see if your email address is listed.
Until and unless you use a password manager or only use websites that support WebAuthn, your passwords are your first line of defense. Choose them wisely, make them longer, and make them unique to each website or application.
The Fulcrum Difference
At Fulcrum Technology Solutions, we differentiate ourselves from other technology- and business-consulting firms with a unique guarantee: when you hire Fulcrum, we commit to finish the job. Whether working under a time-and-materials contract or a cost-plus arrangement, we will not leave until we’ve delivered exactly what we said we’d do. Our word defines us, and motivates us to give you the service that you deserve!