"Think Security First": Password Best Practices
Passphrases/Password Managers: Studies show that for a single password to be effective it should be at least twelve characters following the “hardened” rules mentioned above, which can be very difficult to remember (and should never be written down). One way to get to a long password that is easy to remember is to string together four random words, which would most likely be more than twelve characters and significantly harder to crack, or to utilize a passphrase that means something specific only to you. For example, the first letters of the passphrase “I got married to Chantel in Montrose on July 4, 1989” would translate to “IgmtCiMoJ41989.” For users who rely on a single login and password, it is highly recommended that they consider using passphrases or a series of random words to protect access to their accounts.
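The two passphrase techniques described above, as an added illustration that is not part of the original article: a random-word generator that draws from a word list with the operating system's CSPRNG, an entropy estimate for such a passphrase, and the first-letter mnemonic rule applied to the article's own example phrase. The tiny word list is constructed so the code runs offline, and the 7776-word list size used for the entropy figures is an assumption (that is the size of common diceware-style lists, not a number from the article).

```python
import math
import secrets
import string

# Constructed stand-in for a diceware-style word list (assumption: a real list has
# thousands of entries; the short sample here only makes the generator runnable offline).
SAMPLE_WORDS = ["anchor", "copper", "harvest", "lantern", "meadow", "orbit", "pebble", "violet"]


def generate_passphrase(words, count=4, sep="-"):
    """Pick `count` words uniformly at random with the `secrets` CSPRNG and join them.

    `random.choice` is not suitable here: it is seeded predictably and is not
    designed for secret material, whereas `secrets` uses the OS random source.
    """
    if count < 1 or len(words) < 2:
        raise ValueError("need at least one word to pick and two words to pick from")
    return sep.join(secrets.choice(words) for _ in range(count))


def passphrase_bits(list_size, count):
    """Entropy (bits) of `count` independent picks from a list of `list_size` words.

    The strength comes from the number of equally likely choices, not from the
    character length of the result: one more word or a bigger list adds bits,
    a longer word from the same list does not.
    """
    return count * math.log2(list_size)


def initialism(phrase):
    """Build a password from a phrase the way the article does: first letter of each
    word with its case preserved, whole numbers kept intact, punctuation dropped."""
    out = []
    for token in phrase.split():
        cleaned = token.strip(string.punctuation)
        if not cleaned:
            continue
        out.append(cleaned if cleaned.isdigit() else cleaned[0])
    return "".join(out)


def summary():
    """Worked numbers for the schemes the article mentions (7776-word list is an assumption)."""
    phrase = "I got married to Chantel in Montrose on July 4, 1989"
    return {
        "initialism": initialism(phrase),                    # "IgmtCiMoJ41989"
        "initialism_length": len(initialism(phrase)),        # 14, i.e. past the 12-char mark
        "four_words_bits": round(passphrase_bits(7776, 4), 1),
        "five_words_bits": round(passphrase_bits(7776, 5), 1),
    }


if __name__ == "__main__":
    print(generate_passphrase(SAMPLE_WORDS))
    for key, value in summary().items():
        print(f"{key}: {value}")
```

The entropy helper is the check a practitioner would want alongside the "more than twelve characters" rule of thumb: it makes explicit that the difficulty of guessing a random-word passphrase is set by how many words were chosen from how large a list, which is why the words must actually be chosen at random rather than picked by hand.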
Another key best practice is NOT re-using the same password to access more than one account, which, unfortunately, studies show the majority of individual users do for their own personal account logins. The recommended solution in this scenario is to utilize a password manager application that creates and enters an extremely long and unique password for each login, so the owner only has to remember one unique password/passphrase to access it. When queried, the most commonly listed products utilized by CPAFMA members have been LastPass, Keeper and Dashlane.
Multi-Factor Authentication: Better than using a single password/passphrase is having the firm utilize dual or multi-factor authentication (MFA). MFA requires a secondary verification whenever someone attempts to log in to an online account. This can consist of a physical encryption key that your personnel carry and must plug into, or hold within close proximity of, the workstation to access it; biometric verification such as a fingerprint or facial recognition; or an application loaded on the user’s smart device (DUO or Okta) to acknowledge they are logging in (which a remote hacker would not likely have access to).
Phishing Training: An important but often overlooked component of password security is providing training on phishing threats: emails that ask users to urgently verify, update or otherwise log in to their accounts, stating that their access has been cut off or breached, and that provide a link within the email. These “phishing” emails have become remarkably sophisticated in cloning the actual websites, so users should be educated and regularly reminded to always go directly to their browser on both their computer and any mobile device and type in the website address, rather than clicking on the link.
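The two tells the paragraph above describes, a link whose visible address is not where it actually goes and urgent "verify now" wording, can both be checked mechanically. The following is an added example, not code from the article or from any product it names, showing how a mail filter or awareness tool might surface them: it parses the anchors out of an HTML message body and flags any whose displayed URL points at a different host than its `href`, and it counts urgency phrases in the visible text. The sample message and its hostnames are constructed for the example and use reserved `.test` domains.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Wording typical of credential-phishing lures; extend as your own samples dictate.
URGENCY_TERMS = ("urgent", "verify", "suspended", "locked", "cut off", "breach", "immediately")

# Constructed sample: the displayed link is the bank's real-looking address,
# the href goes somewhere else entirely.
SAMPLE_EMAIL = """
<p>Your account access has been cut off. Verify immediately:</p>
<a href="http://login.example-bank-verify.test/reset">https://www.examplebank.test/login</a>
<p>Or contact support: <a href="https://www.examplebank.test/help">Help Center</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a>, plus all visible text."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.text = []
        self._href = None
        self._anchor_text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._anchor_text = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor_text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL; a bare 'www.site.test/path' is treated as http."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def looks_like_url(text):
    """True when the anchor's visible text is itself a URL or domain the reader would trust."""
    return bool(re.match(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", text.strip(), re.I))


def suspicious_links(html):
    """Flag anchors whose displayed address resolves to a different host than the href."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, shown in parser.links:
        if looks_like_url(shown) and host_of(shown) != host_of(href):
            findings.append({"shown": shown, "actual_host": host_of(href),
                             "reason": "displayed address and href host differ"})
    return findings


def urgency_hits(html):
    """Sorted list of urgency phrases present in the message's visible text."""
    parser = _LinkCollector()
    parser.feed(html)
    visible = " ".join(parser.text).lower()
    return sorted(term for term in URGENCY_TERMS if term in visible)


if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL):
        print(finding)
    print("urgency phrases:", urgency_hits(SAMPLE_EMAIL))
```

Neither signal alone is proof of phishing, which is why the article's advice to type the address in rather than click remains the user-side control; these checks are the complementary mail-side control that catches the same mismatch before the message reaches the user.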
Security needs to be top of mind for firm managers, and implementing good password policies that limit access to any accounts is one way to keep your firm more secure. Right Networks has partnered with CPAFMA to provide a digital copy of Neal O’Farrell’s book “Think Security First” as a comprehensive member resource, which is available for download from the CPAFMA Connect and Right Networks websites.
Roman H. Kepczyk, CPA.CITP is the Director of Firm Technology Strategy for Right Networks and works exclusively with CPA firms to implement today’s leading best practices and technologies incorporating Lean Six Sigma methodologies to optimize firm production workflows. Roman is also the author of “Quantum of Paperless: A Partner’s Guide to Accounting Firm Optimization” which is available at Amazon.com.