The team at Roland Schorr & Tower takes security very seriously and has put together a list of password best practices that you can use to increase your overall security. Security standards are published by the National Institute of Standards and Technology (NIST); we follow and adhere to these published standards internally and use them as a reference and guide in creating our best practices.

Here is our list of recommendations based on the NIST standards published in 2019:

DOs

  • DO Set Passwords With At Least Eight Characters: The more characters you use, the more difficult a password is to crack; the length of your password is important.
  • DO Use a Complex Password: Use numbers, lowercase letters, uppercase letters and symbols in your password:
    • Uppercase letters (A through Z)
    • Lowercase letters (a through z)
    • Base 10 digits (0 through 9)
    • Non-alphanumeric characters (special characters): (~!@#$%^&*_-+=`|(){}[]:;"'<>,.?/)
  • DO Create Unique Passwords: Each password you use should be unique to each service you use.
  • DO Use A Password Manager: There are a few services that can help users safeguard sensitive passwords, including LastPass, BitWarden, and 1Password. These services store passwords in the cloud and secure them all with a master password.
  • DO Randomly Generate the Password: Use one of the Password managers you have chosen to randomly generate a password.
  • DO Use A Two-Factor Authentication System: The use of a Multi-Factor Authentication system as part of your security plan will add an additional layer of protection. This includes methods like hardware key fobs, software like Microsoft Authenticator or Duo, and readable biometric data. Please use MFA.

DO NOTs

  • DO NOT Use Dictionary Words: If your password is dinnertime, your account has probably already been hacked, or worse.
  • DO NOT Use Your Username: It's a bad idea to use any part of your username or email login in your password.
  • DO NOT Change Your Password Often: Changing your passwords regularly is now discouraged according to the latest NIST research, but make sure you have Multi-Factor Authentication (MFA) set up.
  • DO NOT Use Simple Passwords: Do not use passwords based on pets, people, places, events, etc. These are easy to guess if someone is gathering information on you and do not make good passwords.
  • DO NOT Reuse Passwords: Avoid using the same password at multiple websites, especially your bank and email accounts.
  • DO NOT Use Adjacent Keyboard Strings: qwerty1234 is not a secure password; neither is a keyboard pattern of ANY kind (e.g. wazsedxcfr or poilkjmnb). All of these keyboard patterns have been taken advantage of and are built into the software programs malicious actors use to scan for passwords.
  • DO NOT List Passwords in Plain Text: Whatever you do, don't store your list of passwords on your computer in plain text.
  • DO NOT Keep Default Passwords: Both hardware and software sometimes come with a default password (e.g. printers, routers, Wi-Fi access points, etc.). These default passwords are published by manufacturers and widely known; if you leave them set, you will get hacked.
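The DO and DO NOT lists above translate directly into a password policy. The following Python script is an added example written for this page, not code from Roland Schorr & Tower or from NIST. It checks a candidate password against the rules stated above (minimum length, all four character classes, no dictionary or default passwords, no part of the username or email login, no adjacent-key keyboard walks such as qwerty1234 or wazsedxcfr), and it generates random passwords from the operating system's CSPRNG the way a password manager would, retrying until the result passes the same checks. The denylist is a small constructed stand-in for a real breached-password and vendor-default list, and the QWERTY key coordinates are an approximation of the physical layout; both are assumptions, not data from the page.

```python
"""Password policy checker and generator mirroring the DO / DO NOT rules on this page."""
import re
import secrets
import string

MIN_LENGTH = 8      # "at least eight characters"
WALK_LENGTH = 4     # this many consecutive touching keys counts as a keyboard pattern
SPECIALS = "~!@#$%^&*_-+=`|(){}[]:;\"'<>,.?/"   # special characters listed on the page

# Constructed stand-in for a real breached-password / dictionary / vendor-default list.
DENYLIST = {"password", "dinnertime", "letmein", "welcome", "admin", "12345678"}

# Approximate physical QWERTY layout: (keys in the row, horizontal offset of the first key).
QWERTY_ROWS = [("1234567890", 0.0), ("qwertyuiop", 0.5), ("asdfghjkl", 1.0), ("zxcvbnm", 1.5)]
KEY_POS = {ch: (r, off + i) for r, (row, off) in enumerate(QWERTY_ROWS) for i, ch in enumerate(row)}


def _adjacent(a: str, b: str) -> bool:
    """True when two different keys touch on the keyboard (sideways, vertically or diagonally)."""
    pa, pb = KEY_POS.get(a.lower()), KEY_POS.get(b.lower())
    if pa is None or pb is None or a.lower() == b.lower():
        return False
    return abs(pa[0] - pb[0]) <= 1 and abs(pa[1] - pb[1]) <= 1


def has_keyboard_walk(pw: str, run: int = WALK_LENGTH) -> bool:
    """Detect runs like qwer, 1234, wazs or lkjm: `run` consecutive keys that all touch."""
    streak = 1
    for prev, cur in zip(pw, pw[1:]):
        streak = streak + 1 if _adjacent(prev, cur) else 1
        if streak >= run:
            return True
    return False


def check_password(pw: str, username: str = "") -> list[str]:
    """Return the rules the password breaks; an empty list means it passes."""
    problems = []
    low = pw.lower()
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "uppercase": any(c in string.ascii_uppercase for c in pw),
        "lowercase": any(c in string.ascii_lowercase for c in pw),
        "digit": any(c in string.digits for c in pw),
        "special": any(c in SPECIALS for c in pw),
    }
    for name, present in classes.items():
        if not present:
            problems.append(f"no {name} character")
    # exact denylist hit, or a longer denylisted word embedded in the password (e.g. Password1!)
    if low in DENYLIST or any(w in low for w in DENYLIST if len(w) >= 5):
        problems.append("dictionary, breached or default password")
    # "any part of your username or email login": the login, its local part, and tokens of 3+ chars
    local = username.lower().split("@")[0]
    parts = {username.lower(), local} | {t for t in re.split(r"[^a-z0-9]+", local) if len(t) >= 3}
    parts.discard("")
    if any(p in low for p in parts):
        problems.append("contains part of the username")
    if has_keyboard_walk(pw):
        problems.append("keyboard pattern")
    return problems


def generate_password(length: int = 16, username: str = "") -> str:
    """Random password from the OS CSPRNG that is guaranteed to pass check_password().

    Every draw contains one character from each class; the retry loop covers the rare
    draw that happens to contain a keyboard walk or a denylisted fragment.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    pools = [string.ascii_uppercase, string.ascii_lowercase, string.digits, SPECIALS]
    alphabet = "".join(pools)
    while True:
        chars = [secrets.choice(p) for p in pools]
        chars += [secrets.choice(alphabet) for _ in range(length - len(pools))]
        secrets.SystemRandom().shuffle(chars)   # so the guaranteed class characters are not always first
        pw = "".join(chars)
        if not check_password(pw, username):
            return pw


if __name__ == "__main__":
    login = "jane.doe@example.com"   # constructed sample login
    for candidate in ["dinnertime", "qwerty1234", "Wazsedxcfr1!", "jane.doe2024!", "Tr0ub4dor&3"]:
        print(f"{candidate!r:18} -> {check_password(candidate, login) or 'OK'}")
    print("generated:", generate_password(16, login))
```

The keyboard-walk check works from key positions rather than a list of known patterns, so it catches zigzags like wazsedxcfr as well as straight rows; lowering WALK_LENGTH makes it stricter at the cost of rejecting more legitimate passwords.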

One thing to note about password storage in Firefox: If you have not enabled and assigned a “master password” to manage your passwords in Firefox, anyone with physical access to your computer and account can view the stored passwords in plain text, simply by clicking “Options,” and then “Show Passwords.” To protect your passwords from local prying eyes, drop a checkmark into the box next to “Use Master Password” at the main Options page, and choose a strong password that only you can remember. You will then be prompted to enter the master password once per session when visiting a site that uses one of your stored passwords.

If entrusting all your passwords to the cloud gives you the creeps, consider using a local password storage program on your computers, such as Myki, Roboform, Password Safe or KeePass. Again, take care to pick a strong master password, but one that you can remember; just as with the Firefox master password option, if you forget the master password you are pretty much out of luck.