How to Manage Password Security for Associations
The relationship between password complexity and the ability to remember said password is directly proportional. Association cybersecurity hinges on requiring complex passwords. And while it might be easy to remember something like This.Password.Is(More)Secure every time you need to log in, with so many different logins to remember, it can all get overwhelming.
What are your members supposed to do?
- Create a spreadsheet of usernames and passwords and store it on their hard drives? Not so secure.
- Write down each password on a scrap of paper and keep it with them? Slightly more secure, but not so convenient.
- Keep a file of passwords on their phones? Not really more secure, and what happens when they lose the device?
- Use the same password for everything? Unacceptable!
Password complexity is essential to the cybersecurity of your association or organization, but ease of use is paramount to the individual users, hence we have a chicken and egg scenario on our hands.
At Aptify, we believe there is a middle ground for security and utility—this blog will cover the risk of cybertheft, the basics of password security for associations, and using password managers to their full potential.
- Free Webinar Recording: Cybersecurity: No More Easy Targets
- Ebook: Overhauling Password Behavior at Your Association
Let’s get started!
What Is Cybertheft?
Cybertheft is the act of using an Internet connection to steal digital property or interfere with somebody’s use of digital property. Cybertheft, hacking, unlawful access, data breaches…you get the idea.
The volume and scope of cyber attacks are staggering, from the well-publicized breach of the Democratic National Party to the daily phishing attacks on small businesses nationwide. Pretty much everyone reading this post has been a victim of some level of cyber attack.
“The only secure computer is disconnected, encased in cement, and buried 20 ft underground.”
While the anonymous hacker quoted here has a flair for the dramatic, the statement is closer to the truth than you may think. Password theft is one of the more common cyber attacks, and if it happens at your association it can be irreparably damaging to your members and very expensive to correct.
Requiring your members to use secure passwords isn’t a luxury, it’s something you must require for the security of the entire association. Now’s not the time to let these threats intimidate you, it’s time to increase security at your association! Consider scheduling a Cybersecurity Threat Assessment, or continue reading to find best practices for password security at associations.
Best Practices for Password Security
The first step in beefing up password security at your association is to implement password requirements that force users to create passwords with greater entropy. Entropy, specifically in regard to passwords, is a measure of how unpredictable a password is, or how difficult it is to guess. Read more about entropy here.
These practices will help reduce the efficacy of a brute force attack, which is a trial-and-error method, executed by a computer program, that tries to obtain your password by guessing different combinations of letters, numbers and symbols hundreds or thousands of times per second.
Here’s how to go about raising the entropy of your passwords, and thus, their overall complexity.
Maximize character count
Increasing character count is the best way to increase password security. Every character you add to the length multiplies the number of possible passwords by the size of the character set, so the chance of guessing the password by brute force drops exponentially. Many organizations require eight characters, but it has recently been shown that eight-character passwords do not have high enough entropy, and brute force attacks have succeeded against them. Websites and online apps that need stronger security (like financial institutions) should require a higher password character count, sometimes 13 or 14 characters.
Broadened character sets
The next best thing you can do to raise the entropy of your passwords after increasing character count is to expand the available character set.
By requiring a more expansive character set, you’re vastly increasing the security of the passwords that will be generated. Just by creating a mixed-case password (i.e., using both upper- and lowercase letters), you are effectively doubling the password's entropy. Letters only offer 26 variations, numbers only 10, and special characters vary, but combined, they create a formidable password that won’t be easily cracked via brute force attack.
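To put numbers on the length and character-set advice above (and on the four-word master passphrase suggested later in the post), here is a small entropy calculator added for this article; it is not code from Aptify or from the post. It assumes passwords are chosen uniformly at random, a 32-symbol punctuation set, and a 7,776-word passphrase list; the guess rate is the one the post cites for brute force tools.

```python
import math

# Character-set sizes discussed in the post, plus an assumed 32-symbol
# punctuation set (the printable symbols on a US keyboard).
CHARSETS = {
    "lowercase": 26,
    "mixed case": 52,
    "mixed case + digits": 62,
    "mixed case + digits + symbols": 62 + 32,
}

GUESSES_PER_SECOND = 1_000  # "thousands of times per second", per the post


def entropy_bits(length: int, charset_size: int) -> float:
    """Bits of entropy for a password of `length` characters drawn
    uniformly from `charset_size` symbols: log2(charset_size ** length).
    Each extra character adds log2(charset_size) bits; doubling the
    alphabet (26 -> 52) adds exactly 1 bit per character."""
    return length * math.log2(charset_size)


def passphrase_bits(words: int, wordlist_size: int) -> float:
    """Entropy of `words` words picked uniformly from a list of
    `wordlist_size` entries (e.g. a 7,776-word diceware-style list, assumed)."""
    return words * math.log2(wordlist_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time for exhaustive guessing: on average the attacker
    finds the password after trying half of the 2**bits possibilities."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def compare(lengths=(8, 13, 14)) -> list[tuple[str, int, float, float]]:
    """Table of (charset name, length, bits, expected years to crack)."""
    year = 365.25 * 24 * 3600
    rows = []
    for name, size in CHARSETS.items():
        for n in lengths:
            bits = entropy_bits(n, size)
            rows.append((name, n, bits, expected_crack_seconds(bits, GUESSES_PER_SECOND) / year))
    return rows


if __name__ == "__main__":
    for name, n, bits, years in compare():
        print(f"{name:32s} len={n:2d}  {bits:5.1f} bits  ~{years:.3g} years")
    print(f"4-word passphrase: {passphrase_bits(4, 7776):.1f} bits")
```

Real users do not pick uniformly at random, so these figures are an upper bound on what a given policy buys you.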
Tracking Your Passwords
Here’s the deal—we’ve discussed why you need to have complex passwords, and we’ve also discussed how to create them—now it’s time to talk about how to manage them.
Most people have at least 20 different login credentials for various websites. If you’re not using the same password for each (again, please don’t do that!) and creating passwords of sufficient complexity, how are you supposed to remember them all? Here’s one available option:
Install a Password Manager
A password manager is a piece of software that is capable of creating complex passwords, storing them securely, and assessing your security risk based on the passwords you create. There are many options available for Windows users, each with different pieces of functionality that may (or may not) be helpful to you. You should select the password manager application that provides functionality that best suits your needs.
Here’s how they work:
- Step 1: Install the software on your desktop or laptop. Some password managers even have mobile app sidekicks for securely storing passwords on the go. You will create one secure password that you can remember (try a four-word sentence with spaces) that you don’t use for anything else. This will unlock the vault of passwords stored in the password manager.
- Step 2: Log into a secure site. An example of a secure website is Facebook or Gmail. Depending on the password manager you select, you may be prompted to store this password. Since we are updating this password to something more secure, say “no.” Once you are logged in, update the password for this site to something more secure, and then allow your password manager to store the credential for future logins.
- Step 3: Generate secure passwords. While many password managers do come with a "generate password" feature, you have much more control of your password complexity—and security—if you generate the passwords yourself. Plus, creating them on your own gives you the chance to have some fun with it. For a full discussion of creating impenetrable passwords, check out our Playbook for Password Complexity.
- Step 4: Go back and change all your existing passwords to secure passwords! Now that you have a system for generating and storing usernames and passwords, you’ll never have to remember a password again. And they’ll be much more complex, which is good for your security. If you ever need to change a password, the password manager will prompt you to update the current record. It can also encrypt and store other sensitive information like bank accounts, credit cards, social security numbers, or whatever you need.
Additionally, some password managers can easily handle multiple logins for the same site, like if you have two Gmail addresses. Most can be used as an individual or as a team, but will require custom setup and assigned roles for teams.
As a rule, I don't recommend specific password managers by name. Selecting a password manager is as personal as selecting a password—various managers have different features, so you have to pick the one that works best for you. Still, there are key features that your password manager will need to have in order to keep you and your passwords as safe as possible. Here's what to look for:
- Two-factor authentication
- Seriously strong encryption
- Unrecoverable (one-way) master password
Everybody wants to avoid cyber attacks, but not everybody is proactively taking measures to combat them. We recommend watching the on-demand webinar, Cybersecurity: No More Easy Targets, to find out how to shore up security at your association or organization.
About Joshua Hiller
Since 1994, Joshua Hiller has been a professional software developer and security analyst, working as a private contractor, team member, and team leader. Specializing in automation, integration, penetration auditing and forensics, Josh has over 15 years’ experience working in the non-profit industry in roles such as application developer, department director, and vice president. A married father of three girls, Josh’s interests include art, comic books, fantasy, science (and science fiction), application and network security, software development and tropical fish.