Protected Voices: Passphrases and Multi-Factor Authentication
The FBI’s Protected Voices initiative provides cybersecurity recommendations to political campaigns on multiple topics, including passphrases and multi-factor authentication, to help mitigate the risk of cyber influence operations targeting U.S. elections.
Hi, I’m Michelle, a management and program analyst with the FBI, and I’d like to share with you some things you can do to prevent attackers from accessing your campaign’s networks.
We all use passwords. We use them for our phones, our login to our computers, our email, or other personal online accounts.
Unfortunately, many of us use simple passwords, such as Password1 or 1234, because they’re easier to remember.
Some of us even reuse the same simple password for multiple accounts.
If you use a simple password or pattern of characters, such as a1b2C#, it’s considerably easier for an adversary to crack, which means you’ve allowed an attacker to access all of your accounts linked to that simple password.
It’s common to require that passwords include uppercase letters, lowercase letters, numbers, and special characters. However, recent guidance from the National Institute of Standards and Technology, or NIST, advises that password length is much more beneficial than complexity.
Short, complex passwords are hard for people to remember, but easy for a computer program to crack. Industry experts, including NIST, recommend using a longer passphrase—which is when you combine multiple words into a long string of at least 15 characters—instead of a short, simple, or complex password. The extra length of a passphrase makes it harder to crack, while also making it easier for people to remember. For example, a phrase such as VoicesProtected2020WeAre is a strong passphrase. For a more secure passphrase, combine multiple unrelated words to create a phrase—for example, director month learn truck.
Some people use password keeper programs. These programs store all of your passwords in one place, which is sometimes called a vault. Some programs can even make strong passwords for you and keep track of them all in one location, so then the only password or passphrase you have to remember is the one for your vault. The downside of using a password keeper program is if an attacker cracks your vault password, then he or she knows all of your passwords for all of your accounts. But many IT professionals agree, the benefit of a password keeper program far outweighs this risk. A little research should help you find a reputable password keeper program.
NIST’s password guidance includes these tips:
Require everyone to use longer passwords or passphrases of 15 or more characters without requiring uppercase, lowercase, or special characters.
Only require password changes when there’s a reason to believe your network has been compromised.
Have your network administrators screen everyone’s passwords against lists of dictionary passwords and known compromised passwords to prevent users from creating weak passwords or reusing known compromised passwords.
To help prevent a denial of service attack against your email service, don’t lock a user’s account after a certain number of incorrect login attempts. That way, even if an adversary floods your network with purposefully incorrect login information, your users won’t be locked out of their accounts.
Don’t allow password “hints.”
Require the use of multi-factor authentication.
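The screening rules in the tips above (length of 15 or more with no composition requirements, rejection of dictionary and known-compromised passwords), as an added example written for this page rather than code from the FBI or NIST. The blocklist is a small constructed sample standing in for the real lists an administrator would load; storing it as SHA-1 digests is an assumption chosen to match the common compromised-password hash format.

```python
import hashlib
import re

# Constructed sample standing in for the dictionary and known-compromised
# lists; a real deployment loads millions of entries from disk.
_BLOCKED_PLAINTEXT = ["Password1", "1234", "a1b2C#", "password",
                      "qwerty", "letmein", "welcome1"]
# Keep only lowercase SHA-1 digests so the plaintext list is not stored
# next to the checker (assumption: same format as compromised-password feeds).
BLOCKED_HASHES = {
    hashlib.sha1(p.lower().encode()).hexdigest().upper() for p in _BLOCKED_PLAINTEXT
}
MIN_LENGTH = 15  # the 15-character floor from the tips above

_ALPHA = "abcdefghijklmnopqrstuvwxyz"
_DIGITS = "01234567890123456789"


def screen_password(candidate: str, username: str = "") -> list[str]:
    """Return rejection reasons; an empty list means the password is accepted.

    Deliberately no uppercase/digit/symbol rules: length is the requirement.
    """
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"too short: {len(candidate)} < {MIN_LENGTH}")

    # Case-insensitive match against the blocklist digests.
    digest = hashlib.sha1(candidate.lower().encode()).hexdigest().upper()
    if digest in BLOCKED_HASHES:
        reasons.append("appears in dictionary / known-compromised list")

    # Context-specific words such as the account name are poor choices too.
    if username and username.lower() in candidate.lower():
        reasons.append("contains the username")

    # Trivial patterns that pass a length check but carry no entropy.
    if re.fullmatch(r"(.)\1+", candidate):
        reasons.append("single repeated character")
    elif candidate.lower() in _ALPHA or candidate in _DIGITS:
        reasons.append("sequential run of characters")
    return reasons
```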
Enabling multi-factor authentication is extremely easy and provides enormous security.
There are three kinds of credentials: something you know (like a password or a PIN); something you have (like a token or fob); and something you are (like your fingerprint).
Multi-factor authentication requires you to use more than one type of credential to access your account.
This means entering your password isn't enough—you will also need to enter at least one of the other mentioned credentials.
For example, in addition to your password, you might use your fingerprint or a code transmitted to a security token or a fob.
Answering a security question on a website is not multi-factor authentication protection.
SMS-based authentication (or text message authentication) is when you receive a one-time password or code to your phone as an extra layer of account security.
However, using text message authentication is much less secure than using a token, a fob, or your fingerprint.
Multi-factor authentication is not perfect. An attacker could still use social engineering techniques to trick you into providing your credentials to break into your account.
But if your campaign requires strong passwords and multi-factor authentication, you’ve greatly reduced the risk of attackers breaking into your computer network.
Additionally, use network tools to track account login activity. This will help you see who’s accessing your network—and if they should be.
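Two checks that such login tracking can run over authentication logs, as an added example not taken from the FBI or any product: one surfaces a source that floods the network with incorrect logins across many accounts (the scenario behind the no-lockout tip above), the other surfaces a successful login from a source an account has never used. The log line syntax and all addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample log; the "user=... ip=... result=..." layout is an
# assumption for this example, not any real product's format.
SAMPLE_LOG = """\
2020-10-01T08:01:10Z user=alice ip=203.0.113.5 result=success
2020-10-01T08:02:11Z user=bob ip=203.0.113.9 result=success
2020-10-01T09:15:00Z user=alice ip=198.51.100.77 result=failure
2020-10-01T09:15:01Z user=bob ip=198.51.100.77 result=failure
2020-10-01T09:15:02Z user=carol ip=198.51.100.77 result=failure
2020-10-01T09:15:03Z user=dave ip=198.51.100.77 result=failure
2020-10-01T09:15:04Z user=erin ip=198.51.100.77 result=failure
2020-10-01T09:15:05Z user=frank ip=198.51.100.77 result=failure
2020-10-02T10:00:00Z user=alice ip=192.0.2.44 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>\S+)$"
)


def parse(log_text: str) -> list[dict]:
    """Turn each well-formed log line into a dict; malformed lines are skipped."""
    return [m.groupdict() for line in log_text.splitlines()
            if (m := LINE_RE.match(line))]


def flag_spray_sources(events: list[dict], min_distinct_users: int = 5) -> dict:
    """Source IPs whose failed logins hit at least min_distinct_users accounts.

    This is the 'flood of purposefully incorrect login information' pattern:
    without lockouts it does no harm to users, but it should still be seen.
    """
    users_by_ip = defaultdict(set)
    for e in events:
        if e["result"] == "failure":
            users_by_ip[e["ip"]].add(e["user"])
    return {ip: len(u) for ip, u in users_by_ip.items() if len(u) >= min_distinct_users}


def flag_new_source_logins(events: list[dict]) -> list[tuple]:
    """Successful logins from an IP the account had not used earlier in the log."""
    seen = defaultdict(set)
    flagged = []
    for e in events:
        if e["result"] != "success":
            continue
        if seen[e["user"]] and e["ip"] not in seen[e["user"]]:
            flagged.append((e["ts"], e["user"], e["ip"]))
        seen[e["user"]].add(e["ip"])
    return flagged
```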
Remember, your voice matters, so protect it.