Passwords
As more services become available online, good password hygiene and practices are more necessary than ever. Where passwords are used, they should be strong and unique, while keeping user experience in mind, to help keep your services safe.
Strong Passwords
Passwords prevent unauthorized access: they limit access to systems and information, ensuring that the right users have access to the right resources at the right time.
With single sign-on (SSO) becoming the norm, one password provides access to multiple services.
How to create and manage strong and effective passwords
Your passwords or passphrases should be easy to remember but difficult to guess. A passphrase is the same as a password but consists of a sequence of words or other text that a user can more easily memorize. A passphrase is typically longer than a password, for added security. The terms "password" and "passphrase" are often used interchangeably.
Strong passwords and passphrases should always be balanced with user experience to avoid forcing users to write down their password/passphrase or pick an overly simple one that is easy to memorize.
Do use complex passwords or passphrases. Complexity helps thwart password crackers or brute force attacks that attempt to guess your password.
- Use upper and lower-case letters, numbers and special characters
- Do not include words that can be found in the dictionary – instead, use random characters
- Avoid using proper names or popular slang – these often appear in custom attacker dictionaries
- If using a passphrase, pick a phrase that you can remember but replace some of the letters with numbers or special characters. For example, “the quick brown fox” becomes “Th3Qu!ckBrnFX#”
- Do use a unique password/passphrase for each system, device or platform
- Do not reuse passwords/passphrases for multiple accounts. If one website gets hacked and you’ve used the same password for other sites, a threat actor can use the breached password to gain access to your other accounts
- Do not update your password/passphrases according to an easy-to-detect pattern (e.g., the practice of incrementing one portion in a password in succession). If an older password/passphrase is ever compromised, using patterns will make it easier for someone malicious to guess your new one
- Do make sure your security questions for password resets are difficult to answer
- Do not share your password/passphrase with friends, colleagues, or even your manager. Your organization may also have rules against this
- Do not write down your passwords/passphrases
- Do not use ‘remember password’ or ‘remember me’ functions for systems, services, or software
- Do not create security questions that rely on information easily found on social media, such as a pet’s name or your date of birth
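The complexity, dictionary, reuse and predictable-update rules above can be turned into a server-side check that runs before a new password is accepted. The following is an added example, not code from the original page; the word lists and breach list are small constructed stand-ins (a real deployment would load full wordlists and a breach corpus), and the 12-character minimum is an assumption, not a figure from the page.

```python
import re
from typing import Iterable, List

# Constructed stand-ins for real dictionaries and breach corpora (assumption:
# a deployment loads full lists; these few entries exist only so the demo runs).
COMMON_WORDS = {"password", "welcome", "summer", "dragon", "quick", "brown"}
PROPER_NAMES_AND_SLANG = {"michael", "jennifer", "toronto", "lol", "yolo"}
BREACHED_PASSWORDS = {"Summer2023!", "Welcome1", "P@ssw0rd"}

MIN_LENGTH = 12  # assumed policy value, not taken from the page


def character_classes(pw: str) -> int:
    """Count how many of the four classes (lower, upper, digit, special) are present."""
    classes = 0
    for pattern in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"):
        if re.search(pattern, pw):
            classes += 1
    return classes


def contains_listed_word(pw: str, words: Iterable[str]) -> bool:
    """Case-insensitive substring match against a wordlist."""
    low = pw.lower()
    return any(w in low for w in words)


def _stem(pw: str) -> str:
    # Drop a trailing run of digits/symbols so "Winter2023!" and "Winter2024!"
    # reduce to the same stem; this is the incrementing pattern the page warns about.
    return re.sub(r"[\d\W_]+$", "", pw).lower()


def predictable_update(old: str, new: str) -> bool:
    """True when the new password is the old one with only its suffix changed."""
    stem = _stem(old)
    return bool(stem) and stem == _stem(new)


def evaluate(password: str, previous: Iterable[str] = ()) -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(password) < 4:
        problems.append("missing upper/lower/digit/special mix")
    if contains_listed_word(password, COMMON_WORDS):
        problems.append("contains a dictionary word")
    if contains_listed_word(password, PROPER_NAMES_AND_SLANG):
        problems.append("contains a proper name or slang")
    if password in BREACHED_PASSWORDS:
        problems.append("appears in a known breach list")
    for old in previous:
        if password == old:
            problems.append("reuses a previous password")
            break
        if predictable_update(old, password):
            problems.append("follows an easy-to-detect pattern from a previous password")
            break
    return problems


if __name__ == "__main__":
    for candidate, history in (
        ("Th3Qu!ckBrnFX#", []),              # the page's own passphrase example
        ("Winter2024!", ["Winter2023!"]),   # constructed: predictable rotation
        ("Summer2023!", []),                # constructed: breached and dictionary-based
    ):
        print(candidate, "->", evaluate(candidate, history) or "OK")
```

The breach-list membership test is exact-match here; in practice such checks are done against hashed corpora so the candidate password never leaves the host in clear text.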
Multi-Factor Authentication
Multi-Factor Authentication (MFA) is authentication that uses two or more authentication factors. In other words, two or more pieces of evidence – your credentials – are required when logging into an account.
These credentials (or factors) fall into three categories:
- Something you know, like a password or PIN
- Something you have, like a token or an authenticator app on your mobile phone
- Something you are, as represented by a fingerprint or face scan
Two-factor authentication (2FA) is a form of multi-factor authentication. These terms are often used synonymously.
To be considered MFA, each authentication factor must be from a different category.
Why use Multi-Factor Authentication?
Multi-Factor Authentication is proven to help you, your office network and the enterprise stay safer.
Multi-Factor Authentication is just as helpful in your non-work life. Service providers, including banking institutions and the Canada Revenue Agency, encourage you to set up MFA.
While it is not possible to stop all cybercrime, MFA does significantly reduce your chances of being a victim. Your information is safer because attackers would need all of your authentication factors in order to log in as you. Because some services offer an account reset option that regains access even to MFA-protected accounts, continue to watch for unusual activity, unexpected changes to your account or its associated credentials, and unexpected access attempts.