Northern California Chapter

"Think Security First": Password Best Practices

Published October 18, 2019 By Roman H. Kepczyk, CPA.CITP, PAFM
According to Verizon’s Data Breach Investigations Report, 81% of cybersecurity breaches were facilitated by compromised user credentials. This means that the user’s password was somehow acquired and used by hackers to access the organization’s network, making “good password practices” a priority for firm managers to highlight in the firm’s security training. According to Neal O’Farrell’s book Think Security First, easily available hacker tools can test more than six million passwords every second, making traditional “hardened” passwords (eight characters, upper/lower case, number and symbol) obsolete. So, what are the recommended solutions? Below we outline our recommended best practices, along with some additional information from Chapter 27 of Think Security First, which is available to CPAFMA members and Right Networks clients for FREE.

Passphrases/Password Managers: Studies show that for a single password to be effective it should be at least twelve characters long and follow the “hardened” rules mentioned above, which can make it very difficult to remember (and it should never be written down). One way to arrive at a long password that is easy to remember is to string together four random words, which will most likely exceed twelve characters and be significantly harder to crack, or to use a passphrase that means something specific only to you. For example, the first letters of the passphrase “I got married to Chantel in Montrose on July 4, 1989” would translate to “IgmtCiMoJ41989.” For users who only have a single login and password, it is highly recommended that they consider using a passphrase or a series of random words to protect access to their accounts.
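As an added illustration (not part of the original article), the following Python applies the first-letter passphrase rule described above and compares the size of the search space for an eight-character and a twelve-character “hardened” password against four random words, using the six-million-guesses-per-second rate cited earlier. The 94-character alphabet and the 7,776-word list size are assumptions made here, not figures from the article.

```python
import math
import re
import string

# Guessing rate cited in the article: "more than six million passwords every second".
GUESSES_PER_SECOND = 6_000_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumption: a "hardened" password draws from the 94 printable ASCII characters
# (upper/lower case letters, digits and symbols).
HARDENED_ALPHABET = len(string.ascii_letters + string.digits + string.punctuation)  # 94

# Assumption (constructed): the random words come from a 7,776-word list.
WORDLIST_SIZE = 7776


def passphrase_to_password(passphrase: str) -> str:
    """Apply the article's rule: keep the first letter of each word, keep numbers whole.

    "I got married to Chantel in Montrose on July 4, 1989" -> "IgmtCiMoJ41989"
    """
    parts = []
    for token in re.findall(r"[A-Za-z]+|\d+", passphrase):
        parts.append(token if token.isdigit() else token[0])
    return "".join(parts)


def keyspace_hardened(length: int) -> int:
    """Candidates for a truly random password of `length` characters from the 94-char alphabet."""
    return HARDENED_ALPHABET ** length


def keyspace_words(word_count: int, wordlist_size: int = WORDLIST_SIZE) -> int:
    """Candidates for `word_count` words chosen at random from a list of `wordlist_size` words."""
    return wordlist_size ** word_count


def years_to_exhaust(keyspace: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case years to try every candidate at `rate` guesses/second.

    This is an upper bound for random secrets; human-chosen passwords are guessed far
    sooner because attackers try likely candidates first.
    """
    return keyspace / rate / SECONDS_PER_YEAR


if __name__ == "__main__":
    print(passphrase_to_password("I got married to Chantel in Montrose on July 4, 1989"))
    for label, space in [("8-char hardened", keyspace_hardened(8)),
                         ("12-char hardened", keyspace_hardened(12)),
                         ("4 random words", keyspace_words(4))]:
        print(f"{label:17s} {math.log2(space):5.1f} bits  {years_to_exhaust(space):.3g} years")
```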

Another key best practice is NOT re-using the same password to access more than one account, which, unfortunately, studies show the majority of individual users do for their personal account logins. The recommended solution in this scenario is to use a password manager application that creates and enters an extremely long and unique password for each login, so the owner only has to remember one unique password/passphrase to access the manager itself. When queried, the products most commonly listed by CPAFMA members have been LastPass, Keeper and Dashlane.

Multi-Factor Authentication: Better than using a single password/passphrase is having the firm use dual- or multi-factor authentication (MFA). MFA requires a secondary verification whenever someone attempts to log in to an online account. This can consist of a physical encryption key that your personnel carry and must plug into, or hold in close proximity to, the workstation to access it; biometric verification such as a fingerprint or facial recognition; or an application loaded on the user’s smart device (DUO or Okta) to acknowledge that they are logging in (which a remote hacker would not likely have access to).

Phishing Training: An important but often overlooked component of password security is providing training on phishing threats: emails that ask users to urgently verify, update or otherwise log in to their accounts, claiming their access has been cut off or breached, and providing a link within the email to do so. These “phishing” emails have become remarkably sophisticated in cloning the actual websites, so users should be educated and regularly reminded to always go directly to their browser, on both their computer and any mobile device, and type in the website address rather than clicking on the link.

Security needs to be top of mind for firm managers, and implementing good password policies that limit access to accounts is one way to keep your firm more secure. Right Networks has partnered with CPAFMA to provide a digital copy of Neal O’Farrell’s book “Think Security First” as a comprehensive member resource, which is available for download from the CPAFMA Connect and Right Networks websites.

Roman H. Kepczyk, CPA.CITP is the Director of Firm Technology Strategy for Right Networks and works exclusively with CPA firms to implement today’s leading best practices and technologies incorporating Lean Six Sigma methodologies to optimize firm production workflows. Roman is also the author of “Quantum of Paperless: A Partner’s Guide to Accounting Firm Optimization” which is available at