Secure Your Logins

Learning Objectives

After completing this unit, you’ll be able to:

• Create a strong password.
  
• Explain the value of password managers.
  
• Define multifactor authentication.
  

This module was produced in collaboration with Fortinet. Learn more about partner content on Trailhead.

Create Strong Passwords

According to a study where a research team collected passwords from data leaks, they found that numeric patterns and using the word, "hello", represented common trends in the passwords we use around the world. You may be thinking, I’d never make it that easy for cybercriminals! I use my family member's name, favorite food, or even my favorite color to make my password unguessable. Unfortunately, that’s a tactic that attackers are also wise to, and with a little research about you on social media and the public internet they may be able to guess your password with ease. If you reuse your passwords across accounts, they might even be able to find your password on the dark web from a previous breach. So how can you protect yourself? 

• Create a strong password. The more characters you use, the more difficult it is for an attacker to crack a password. Use a lengthy password (different systems have different password requirements that are technically enforced; in general, the longer the password the harder it is for an attacker to compromise), and avoid common words and passwords, sequential and repetitive characters like 12345 or aaaaaa. Also avoid using identifying information about yourself, your username, or the service you are accessing within the password. This makes it harder for an attacker to compromise your account. One way to create a strong password is to use a phrase, for example by choosing a song lyric or movie line that is part of a phrase, such as: InSuddenImpactfrom1983ClintsaysMakeMyDay@!
  
• Use a unique password for each account. The more unique passwords you create, the harder a hacker has to work to guess them. When you reuse the same password for multiple accounts and one gets hacked, all of your accounts are in jeopardy.
  
• Don’t share your passwords. Passwords are yours and yours alone. No one should know your passwords. Also be aware that you can inadvertently share them if you store them in an unsafe place. (This means no sticky notes!)
  
• Change the factory-set default username and password.
  
• Be cautious with the browser 'Save Password' feature. While convenient, saving passwords in your browser can expose them to anyone who gains access to your computer.
  
• Logout from shared computers. Always logout from shared or public computers to ensure your password isn’t stored and accessible to the next user.
  
• Consider disabling auto-fill for passwords. Auto-fill can be convenient but poses a security risk if anyone else gains access to your device.
  

You’re probably wondering how you’re supposed to create and remember all of these long, unique passwords. That’s where password managers come in. 

Don’t Pass on Password Managers

Password managers are online tools that store and recall passwords for you as you surf the net. Think of a password manager like a home for all of your passwords, locked by a master key that only you have access to. 

A password manager lives in your browser of choice and fills in login credentials for you across your accounts. You just have to remember one (very strong) master password for the manager itself, and it takes care of the rest. Awesome, right? But these tools don’t just store your passwords—they help you generate strong passwords, too. 

There are dozens of password managers out there. Once you’ve chosen the one that’s right for you, use these steps to get it set up. 

1. Read the User Guide: Spend some time reading the user guide or FAQ for your chosen password manager to understand all its features and how to use them effectively.
   
2. Gather credentials—such as usernames and passwords—for all of your accounts. First, check out the built-in password managers on your devices and browsers. Next, check out your email inbox. You probably have a username and password with any company that emails you regularly.
   
3. Import your credentials into the password manager. You can do this a few ways. The easiest is to take advantage of any auto-import tools from your new password manager. You can also gradually add passwords to the service as you log in to sites over time. Or you can always manually enter account information.
   
4. Update weak passwords. Once you’ve entered all of your information into the password manager, scan your accounts for weak passwords. Use your tool’s built-in password generator, and then start the process of making updates across your accounts.
   
5. Sync the password manager across devices. Many password managers sync across devices, so you can access your passwords anywhere—even on your phone or tablet.
   
6. Regularly Update the Password Manager. Software updates often include security patches. Make sure your password manager is set to update automatically or remember to do it manually.
   
7. Check Browser Extensions. Some password managers offer browser extensions for easier login and form filling. Make sure to install these only from trusted sources.
   

These steps help you create strong, unique passwords across all of your accounts. And you don’t have to remember them, thanks to your new password manager. But your passwords can still be compromised. So let’s learn how multifactor authentication can keep you even more secure.  

Mastering Multifactor Authentication

The traditional and not-so-secure way you log in to your online accounts is to enter a username and that familiar password you probably use for most of your online accounts. But using just passwords, and reusing passwords across accounts, makes it easy for attackers to take down multiple accounts by just cracking that one password. There’s an easy way to better protect your accounts by using multifactor authentication, also known as MFA. 

Multifactor authentication is a security enhancement that requires you to present two or more authentication factors of different verification types when logging in to an account. Your credentials fall into any of these three categories. 

• What you know. This is your typical username and password scenario. You know something in your brain, and then you hand it over to gain access to your information.
  
• What you have. This method is a little trickier. Typically, it comes in the form of a token that generates a number and prompts you to enter it in order to approve a login request, or a card such as a badge or debit card.
  
• Who you are. These are the biometric authentication methods you’ve seen popping up lately. Some of the methods used are fingerprints, facial recognition, hand geometry, retinal or iris scans, handwriting, and voice analysis. These also include behavioral traits or measurements of how you move and act. This technology works in the background and constantly monitors your behavior, so when you try to log in, you'll be recognized simply by how you move. Examples include keystroke rhythm, and mouse use.
  

You’ve already used MFA if you’ve swiped your bank card at the ATM (something you have) and then entered your personal identification number, or PIN (something you know). Another example is when you log in to a website that sends a numeric code to your phone, which you then enter to gain access to your account. The recommendation here is, if a vendor has an MFA option, it's going to be more secure than just the password alone. The best option, when possible, is to use a hardware token, such as a YubiKey, or a time-based one-time password (TOTP), since these are the most difficult for attackers to compromise without physically stealing a device. If this is not available, using SMS or email as a second factor is still better than username and password alone. 

Truthfully, no matter how strong your password is—a breach is always possible. All it takes is for just one of your accounts to be hacked, and your important information can become accessible to cybercriminals. Bottom line: Continuously prioritize protection for all accounts with elevated privileges, remote access, and high-value assets by enabling MFA. That way, you ensure that the only person who has access to your account is you, for email, banking, social media, and any other service that requires logging in. To learn more about multifactor authentication, check out this site.

Knowledge Check

Ready to review what you’ve learned? The knowledge check below isn’t scored—it’s just an easy way to quiz yourself. To get started, drag the function in the left column beneath the matching category on the right. When you finish matching all the items, click Submit to check your work. If you’d like to start over, click Reset.

Great work!

In the next unit, we take a look at additional ways to keep your digital life secure—specifically, your devices.  

Resources

• PDF: Verizon: 2023 Data Breach Investigations Report (sign up required)
  
• External Site: Fortinet: Multi-factor Authentication (MFA)
  
• External Site: Cyber News: Are password managers safe to use in 2023?
  
• External Site: National Institute of Standards and Technology: Back to basics: Multi-factor authentication (MFA)
  
• External Site: NIST Special Publication 800-63B: Digital Identity Guidelines
  
• External Site: Expert Insights: The Future Of User Authentication: A Guide To Behavioral Biometrics