Welcome to the passwords module. Have you ever written your password down somewhere, possibly on a sticky note, so that you would remember it the next time you had to use it? Have you used the same password for multiple accounts? These are examples of common bad practices when it comes to password management. It's okay if you said yes to either of those questions. Hopefully, we can shake those bad habits after this learning module.

Passwords are a critical part of our everyday lives. You need them when you log in to your computer, to access your e-mail, and for banking; the list goes on. With all of these accounts you manage, it can get tricky trying to remember them all. This makes it tempting to get sloppy and use the same password over and over again. It has also been made obvious to most companies that password length and complexity requirements are necessary. Because of this, you might feel the need to write your lengthy, complex password down so you don't forget it. Practicing good password management should be simple, and passwords should make you feel secure.

Let's start with some basics. Password length and complexity are standard requirements for most companies. These requirements weren't made to frustrate you or turn password management into a hassle; password length and complexity determine how much time it takes to crack a password. Adding just one additional character exponentially increases the amount of time it would take to successfully brute force attack a password. A brute force attack is a trial and error method used by automated software that guesses passwords by inputting thousands of common password combinations per second. According to Keeper Security's top 25 most common passwords of 2016, almost 17 percent of users are securing their accounts with 123456. Most of the passwords on this list are sequential characters or numbers, the word "password", and other common words and character combinations.
If you are using a password on this list, you are at a high risk of having your account compromised, because any password cracking tool would successfully brute force attack it within seconds. Passwords containing common words or names and passwords that are less than 12 characters in length are also susceptible to brute force attacks.

Let's take the example John. Using a password strength cracker tool from Psychotic, the following passwords are tested to measure how long it would take for a computer to crack the password. As you add additional letters, special characters, and numbers to the original password John, it becomes more difficult for the computer to brute force attack.

Let's take a look at some tips for creating a strong password. Your password should contain numbers, lower and uppercase characters, and special characters, and should be a minimum length of 12 characters. When using numbers in your passwords, avoid using phone numbers, social security numbers, your birthday, etc. Don't include common words such as dictionary words, people's names, or personal information such as your street name, last name, hometown, etc. Replacing letters with special characters is a simple way to incorporate them into your password. You can replace S with a dollar sign or A with the @ symbol, and so forth.

A great way to meet minimum password length requirements is to create a passphrase: string several words together into a phrase that only makes sense to you. So, instead of making your password your son's name, John, you can try JohnIsMyTallestSon. When you put it all together, you can create a passphrase like what is shown on screen. It would take 58 centuries to crack this password.

As previously mentioned, it is suggested that you use passphrases when creating passwords for your accounts. Passphrases are effective because they provide randomness and are typically longer than 12 characters.
An advantage of using a passphrase over a series of random numbers, letters, and special characters is that you're more likely to remember your passphrase and less likely to write it down.

Another problem that surfaces when it comes to complicated passwords is making a different one for the dozens of accounts you own. Having the same password across all your accounts is a big risk. In the case that your password gets compromised, all of your accounts are in jeopardy. If you have three different social media accounts, three different financial institution accounts, and two e-mail accounts, that's eight different passwords to remember. A simple way to get around this is to just slightly tweak your password and make it unique to each account. Take JOHN=myt@ll3stSON, for example. Let's say you have an account with XYZ bank; your password for this bank account can be JOHN=myt@ll3stSONXYZ. If you have a separate e-mail account for work, your password can be JOHN=myt@ll3stSONWemail.

Now, let's take a moment and reflect on what we have learned. We will examine how Bob can improve his password practices. Bob thinks he's got this complex password thing figured out. He has three different bank accounts that he has made secure passwords for. They are 14 characters long and contain a combination of letters, special characters, and numbers. However, he thinks that remembering these passwords is going to be tough. He decides to write them in a journal that he takes everywhere with him.

One day, while Bob is at work, he decides to log into his bank account to check his balance. Mindy is a new employee who sits next to Bob. She notices that he's referring to his journal when he's entering his credentials online. Bob is a friendly employee and is known to be a nice guy in the office. He trusts his coworkers and doesn't think anyone would want to cause him any harm. A week goes by, and Bob realizes that hundreds of dollars have been transferred out of his account.
He checks his wallet and confirms that his card hasn't been stolen. He didn't go on any sketchy websites or do any online shopping lately, so he doesn't think he's been hacked. What could have happened?

When Bob was logging into his bank account at work, Mindy realized that he was referring to his password from his journal. She could see his username from her screen, so she discreetly wrote it down. When Bob ran to the bathroom later that day, she went through his journal and copied his passwords. She had access to his accounts and was able to transfer money out without Bob ever suspecting a thing.

Unlike Bob, you can avoid situations like this by following a few simple tips. Never enter passwords or PIN numbers when others can observe what you're typing. Always log out of applications when you're finished. Do not walk away from your computer without logging off or locking it. If you suspect that someone knows your password, change your password immediately and inform all appropriate parties. Create a complex password you can remember. Use a password management tool. We will go into further detail about remembering your complex password and using the password management tool in this section.

If you want a secure and simple way to manage all of your passwords, consider using a password management tool. Think of a password manager as a vault. You will generate unique, strong passwords for your online banking accounts, social media accounts, and any other accounts you want. You will then securely store these passwords in the vault, the password managing tool. The key to your vault will be a very strong and complex master password that you must remember. When you want to log in to your accounts after you have set up your password manager, it may either automatically fill in your username and password fields for you, or you will have to log in to your password managing tool and access your accounts from there.
This varies depending on which tool you decide to use, as there are quite a few out there. If you're guilty of reusing the same password across all your accounts, a password management tool may be the best solution for you. This way you can create different strong passwords for each account, store them using your password manager, and only have to remember one password to access your accounts.

Let's say it's been a long time since you've accessed one of your accounts and you happen to forget your password. People forget their passwords from time to time, so companies typically require users to set up security questions. In most cases, the user will be required to select at least three security questions from a drop-down menu. Let's take a look at some of the most common security questions. What is your mother's maiden name? What was the name of your first pet? What is the name of the street you grew up on? What is your favorite color? Who was your childhood best friend? What city were you born in? Where do you like to vacation the most? After selecting these questions, users will input their secret answers. When a user forgets his or her password, he or she will have to answer some security questions again to verify his or her identity and reset his or her password.

There is a major problem with this type of password reset option. If you take a look at the common security questions, friends, family members, or coworkers can guess many of these answers. If the user is on social media, information such as mother's maiden name, first pet, and city of birth can easily be found on someone's social profile. Hackers can quickly do an Internet search, figure out this information, and gain access to someone's account by simply answering security questions. If this is the only option available for resetting your forgotten password, you can try to create a fake identity. Instead of using your real mother's maiden name, make up a name that you will remember.
Rather than using the name of the city you were born in or any city you have ever lived in, use a random city. If there is an option to create your own security question, pick this option and come up with security questions that you and only you will know the answer to.

Feeling like your account isn't as secure as you thought? Don't worry, because there has been an increasing trend toward allowing the MFA (multi-factor authentication), or two-factor authentication, option. You've probably seen the enable MFA option on some of the websites and applications that you use. MFA should be enabled wherever it is available, because it provides additional protection. Enabling MFA will require your username and password, as well as an authentication code, to access your account. The authentication code is sent to your specified mobile device or a specified email account. Simply entering your username and password will not give you access to your accounts unless you provide the authentication code.

Forgot your password? If you have enabled the MFA option, a code will be sent to your mobile device or email account. You will only be able to reset your password with the authentication code. This significantly decreases the likelihood that a hacker will be able to compromise your account, even if they can figure out some of the answers to your security questions.

Let's have a quick review of what we learned in this presentation. Passwords have been keeping our accounts secure for decades now. However, we see all the time that companies have fallen victim to a data breach, or some person got their accounts compromised due to a weak password, and so on. Many people believe that passwords alone can't keep our accounts safe anymore. Some people think that the future of passwords is no passwords at all. Companies are increasing their minimum requirements for creating passwords. Companies are getting rid of security questions altogether and requiring MFA instead.
Some companies are implementing biometrics in their security measures. Let's talk about fingerprint readers as an example. Most smartphones today give you the option to lock your device with your fingerprint. The popularity of fingerprint readers is increasing because stealing your fingerprint is significantly more difficult than stealing your password. This is because no two fingerprints are exactly alike, not even your own. If your devices have fingerprint sensor capabilities, take advantage of them for an additional layer of security. In addition to fingerprints, some companies are using facial recognition as a security measure too. As the rate of that technology is increasing, there's no telling what the future of passwords will be.

You have concluded this presentation. Now, it's time to apply what you have learned and help Bob set up his account.
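
The password-creation tips and the brute-force arithmetic from this module, as an added Python example that is not part of the original presentation. The common-password sample and the guessing rate are constructed assumptions, and the time figure is a worst-case exhaustive-search estimate that does not model dictionary attacks.

```python
import string

MIN_LENGTH = 12  # minimum length recommended in the module
# Constructed sample; "123456" and "password" are named in the module,
# the other entries are illustrative and not the cited top-25 list.
COMMON = {"123456", "password", "qwerty", "111111", "123456789"}
# Character classes the module asks every password to contain.
CLASSES = {
    "lowercase letter": string.ascii_lowercase,
    "uppercase letter": string.ascii_uppercase,
    "digit": string.digits,
    "special character": string.punctuation,
}

def is_sequential(pw):
    """True for runs such as 123456, fedcba or 111111."""
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return len(pw) >= 3 and len(steps) == 1 and steps <= {-1, 0, 1}

def check_password(pw):
    """Return the list of module tips this password fails (empty = passes)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, alphabet in CLASSES.items():
        if not any(c in alphabet for c in pw):
            problems.append(f"missing {name}")
    if pw.lower() in COMMON:
        problems.append("on common-password list")
    if is_sequential(pw):
        problems.append("sequential characters")
    return problems

def charset_size(pw):
    """Size of the alphabet an exhaustive search must cover for this password."""
    return sum(len(a) for a in CLASSES.values() if any(c in a for c in pw))

def keyspace(pw):
    """Candidates to try in the worst case: alphabet size ** length."""
    return charset_size(pw) ** len(pw)

def worst_case_seconds(pw, guesses_per_second=1e10):
    """Worst-case exhaustive search time; the default rate is an assumption."""
    return keyspace(pw) / guesses_per_second

if __name__ == "__main__":
    for pw in ("123456", "John", "JohnIsMyTallestSon", "JOHN=myt@ll3stSON"):
        years = worst_case_seconds(pw) / (3600 * 24 * 365)
        print(f"{pw!r}: {check_password(pw) or 'passes'}; ~{years:.3g} years")
```

Each extra character multiplies the keyspace by the alphabet size, which is why the length rule matters more than any single substitution.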