By Lesley Kennedy
Nashville—Abc123. Qwerty. 123456. Password.
If you’re using one of these as your password for, well, pretty much all your accounts, you’re not alone. A 2019 report found they’re among the most common—and most hacked—passwords in the world. But Cris Thomas says it’s time to stop.
The global strategy lead for IBM X-Force Red, who spoke during the session “The Changing Cybersecurity Landscape” Monday at NCSL’s Legislative Summit, says one of the greatest threats to cybersecurity is reusing passwords.
How to help lower your risk of a breach? “Make it longer,” Thomas says, noting that even increasing a password’s character count from seven to nine (although 15 would be so much better) makes it more difficult for hackers to gain access to your accounts and devices.
Thomas was joined by Andre Edwards, special agent for the FBI’s cyber division; Etay Maor, executive security advisor for IBM Security; and moderator Jeff Ford, who oversees cybersecurity for the Indiana General Assembly. They delved into the ways cybercriminals have become more sophisticated—from phishing, spoofing and identity theft to hacking, ransomware and DDoS attacks.
“In the ’80s and early ’90s, we thought of hackers as nerdy kids being mischievous, but today’s hackers are gangster, criminal enterprises and sometimes hacktivists,” Edwards says. “They’re very highly organized … and they’re very difficult to track down.”
All spoke on the importance of passwords, and Thomas offered the current best practice guidelines on the matter from the National Institute of Standards and Technology:
- They should be easy to remember but hard to guess.
- Special characters are no longer required. “Length is more important than complexity,” Thomas says.
- Use eight to 64 characters, with passphrases preferred.
- Never set them to expire—it’s no longer recommended that you change passwords every 90 days.
- Admins should allow copy and paste in password entry fields, which makes unique passwords and password managers easier for users to work with.
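As an added illustration, not code from the article or any of the panelists, the checker below applies the length-first NIST rules listed above beside a hypothetical legacy composition policy, using a constructed blocklist of just the four passwords the article names:

```python
import re
import unicodedata

# Constructed blocklist: only the four common passwords the article names.
# A real deployment screens against a large list of known-compromised passwords.
COMMON_PASSWORDS = {"abc123", "qwerty", "123456", "password"}

MIN_LEN, MAX_LEN = 8, 64


def legacy_policy(pw: str) -> list[str]:
    """Hypothetical old-style composition rules, for contrast:
    8+ characters, at least one digit and one non-space special character."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"\d", pw):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9\s]", pw):
        problems.append("no special character")
    return problems


def nist_policy(candidate: str) -> list[str]:
    """Length-over-complexity rules from the article's NIST summary:
    8 to 64 characters, not on the blocklist, no composition rules.
    Returns a list of failures; an empty list means the password is acceptable."""
    # SP 800-63B recommends Unicode normalization before measuring length
    pw = unicodedata.normalize("NFKC", candidate)
    problems = []
    if len(pw) < MIN_LEN:
        problems.append(f"too short ({len(pw)} chars, minimum {MIN_LEN})")
    if len(pw) > MAX_LEN:
        problems.append(f"too long ({len(pw)} chars, maximum {MAX_LEN})")
    # Case-insensitive match so "Password" and "PASSWORD" are both caught
    if pw.casefold() in COMMON_PASSWORDS:
        problems.append("on the common-password blocklist")
    # Deliberately no digit or special-character rule, and no expiry is recorded
    return problems


if __name__ == "__main__":
    for pw in ["Password", "P@ssw0rd", "purple tractor quietly hums at dawn"]:
        print(f"{pw!r}: legacy={legacy_policy(pw) or 'ok'}, nist={nist_policy(pw) or 'ok'}")
```

Note that the length-first policy is only as good as its blocklist: with just four entries it accepts "P@ssw0rd", which a real compromised-password list would reject.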
Thomas also recommends using password managers to autogenerate passwords you don’t need to memorize. “The risk of reusing the same password is much greater than using a cloud-based manager,” he says. “And if you can’t be bothered to do that, write your passwords down if that’s what it takes to use unique passwords.”
And when you register or log in to a computer or a website, always think about what the attacker would do, Maor adds. “Because why would I, as an attacker, go against a firewall or a multimillion dollar system when I can go against people or processes in place that are much easier to take advantage of?”
Thomas says legislatures are definitely targets for hackers, but legislators and staff can combat attacks by being informed, critical and educated.
“Know that you’re a target and understand that emails you get may not be legitimate,” he advises. “Be critical of information that’s being sent to you. Ask questions. If you don’t know the questions to ask, find someone to tell you the questions to ask. You do have to be somewhat public, but you don’t have to expose everything about your private personal lives either. … It’s a balancing act you have to finagle.”
Edwards adds that you should do your research on people trying to contact you.
“A simple Google search will yield a lot of information,” he says. “Do the research upfront. Don’t just accept money or meetings with anyone. Have or hire someone to do that type of research so you know who you’re dealing with.”
And, Ford notes, remember that there are multiple layers of security.
“Don’t just pick one thing and say this is the silver bullet that will solve your problem,” he says. “Layer your security. … Think about all the different devices you’ve got and how people can look at you. … It’s about threat surface. Decreasing your threat surface as much as possible is one of the best things you can do.”
Lesley Kennedy is NCSL’s digital communications program director.