
Passwords are dangerous — they’re stolen, leaked and breached. Warnings are issued weekly, confusing users who have an average of 168 passwords each. And so it’s no surprise the government has now stepped in, telling users to make changes now.
Passwords have never been more at risk. That’s why Google warns hackers are gaining access to accounts and Microsoft tells users to delete passwords altogether. With multi-factor authentication (MFA) also under attack, account security needs to change.
But where do you start?
Fortunately, America’s cyber defense agency has just given you the answer. As well as warning iPhone and Android users only to use end-to-end encrypted messaging platforms, not to use personal VPNs and to review app permissions, CISA also has password advice.
Users should “enroll each account in FIDO-based authentication,” the federal agency says. That means changing to “passwordless.” As for where to start, CISA says make changes “especially (to your) Microsoft, Apple, and Google accounts.”
That’s because these are gateway accounts. One set of credentials opens every service the provider runs (mail, cloud storage, device backups), and the same sign-in can be used to log into third-party sites through “Sign in with Google/Apple/Microsoft.” And because these are the dominant email and operating system platforms, the sensitive personal data they unlock is a treasure trove for an attacker: an email account alone can reset the passwords on almost everything else.
For almost all users, going passwordless means replacing passwords with passkeys. A passkey is a FIDO credential: a cryptographic key pair created for each site, where the private key never leaves your device and the site holds only the public key. Signing in means unlocking the device (with a biometric or PIN) so it can answer the site’s challenge, so there is nothing to type, nothing for a breached site to leak that works elsewhere, and, because the credential is tied to the site that registered it, nothing a lookalike phishing page can trigger.
Just adding passkeys is not enough, though. You must also “disable other, less secure forms of MFA,” CISA says. And where a password cannot be removed from an account entirely, it remains a working way in, so those passwords need reviewing as well. That’s where a third-party password manager earns its keep.
“Review existing passwords to ensure they are long, unique, and random,” CISA says. “If they are not, change to passwords generated by the password manager.” Most users likely can’t remember when they last changed their Apple, Google or Microsoft passwords, and many of those passwords will also be reused. CISA’s warning is timely.
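One way to do that review at scale, as an added example that is not from the article or from CISA: audit a password-manager export for entries that fail the “long, unique, random” test and generate replacements with the standard library’s cryptographic random source. The CSV layout (name,url,username,password), the thresholds and the sample rows are all assumptions; real exports differ per manager, and the entropy estimate is deliberately crude (it infers the character pool from the classes present and cannot spot dictionary words), which is exactly why reuse and length are checked separately.

```python
"""
Audit a password-manager export for passwords that are short, reused or
low-entropy, and generate replacements. Added example, not the article's
or CISA's code. Column names and thresholds are assumptions.
"""
import csv
import io
import math
import secrets
import string
from collections import Counter

MIN_LENGTH = 16         # assumption: anything shorter counts as "not long"
MIN_ENTROPY_BITS = 80   # assumption: crude pool-based estimate, see below

# Constructed sample export; these are not real credentials.
SAMPLE_EXPORT = """name,url,username,password
Google,https://accounts.google.com,alice@example.com,Summer2019!
Microsoft,https://login.live.com,alice@example.com,Summer2019!
Apple,https://appleid.apple.com,alice@example.com,x7#Qm2pL9vRtZ4wN!bKd
Bank,https://bank.example,alice,password123
Forum,https://forum.example,alice,Kj8$mN2pQ
"""


def char_entropy_bits(pw: str) -> float:
    """Estimate entropy as len * log2(pool), inferring the pool from the
    character classes present. Catches short or single-class passwords;
    it does NOT detect dictionary words, so it is a floor, not a verdict."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in string.punctuation for c in pw):
        pool += len(string.punctuation)
    return len(pw) * math.log2(pool) if pool else 0.0


def audit(export_csv: str) -> dict:
    """Return {entry name: [problems]} for every entry that fails a check.
    Reuse is detected across the whole export, which is the check a
    human eyeballing one account at a time tends to miss."""
    rows = list(csv.DictReader(io.StringIO(export_csv)))
    counts = Counter(r["password"] for r in rows)
    findings = {}
    for r in rows:
        pw = r["password"]
        problems = []
        if len(pw) < MIN_LENGTH:
            problems.append("short")
        if counts[pw] > 1:
            problems.append("reused")
        if char_entropy_bits(pw) < MIN_ENTROPY_BITS:
            problems.append("low-entropy")
        if problems:
            findings[r["name"]] = problems
    return findings


def generate_password(length: int = 24) -> str:
    """Replacement password from the OS CSPRNG (secrets), not random.random."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for name, problems in audit(SAMPLE_EXPORT).items():
        print(f"{name}: {', '.join(problems)} -> suggested: {generate_password()}")
```

In the constructed sample only the Apple entry passes; the two reused “Summer2019!” entries are flagged on all three counts, which is the pattern CISA is describing: a memorable password, shared across the gateway accounts.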
CISA also tells users to “disable SMS for each account. Enrollment in authenticator-based MFA does not automatically unenroll the account’s SMS. This can create a weak fallback mechanism that can be exploited by threat actors.”
A password manager will generate, store and fill passwords, and the major ones now hold passkeys and MFA codes as well. Do not use browser-based password managers, not even Chrome’s. And ensure you only use a well-established platform from a reputable provider.