Protected Voices: Passwords

The FBI’s Protected Voices initiative provides cybersecurity recommendations to political campaigns on multiple topics, including passwords, to help mitigate the risk of cyber influence operations targeting U.S. elections.


Video Transcript

Hi, I’m Karen, a special agent with the FBI, and I’d like to share with you some things you can do to prevent attackers from accessing your campaign’s networks.

We all use passwords. We use them for our phones, our login to our computers, our email, or other personal online accounts.

Unfortunately, many of us use simple passwords, such as “Password1” or “1234,” because they’re easier to remember.

Some of us even reuse the same simple password for multiple accounts.

If you use a simple password or pattern of characters, such as “a1b2C#,” it’s considerably easier for a criminal to crack, which means you’ve allowed an attacker to access all your accounts linked to that simple password.

It’s common that passwords are required to include uppercase letters, lowercase letters, numbers, and special characters. However, recent guidance from the National Institute of Standards and Technology advises that password length is much more beneficial than complexity.

Consider using a passphrase—which is when you combine multiple words into one long string of characters—instead of a password. The extra length of a passphrase makes it harder to crack, such as “WeAreProtectedVoices@2018” or “Ohsaycanyousee” with special characters replacing a few of the letters.

For a more secure passphrase, we encourage you to combine multiple unrelated words to create the phrase, for example “goldielittlelamb3pigs.”

Some people use “password keeper” programs. These programs store all of your passwords in one place, which is sometimes called a vault. Some programs can even make strong passwords for you and keep track of them all in one location, so then the only password or passphrase you have to remember is the one for your vault. The downside of using a password keeper program is that if an attacker cracks your vault password, then he or she knows all of your passwords for all of your accounts. But many IT professionals agree that the benefit of a password keeper program far outweighs this risk. A little research on the Internet should help you find the reputable password keeper programs.

Encourage your network administrators to use network controls to force everyone on your team to use long, complex passwords or passphrases. You can also require users to check their passwords against lists of known compromised passwords—that’s another way to verify the strength of a password or passphrase.

It’s also critical to ensure access to any account is locked after a repeated number of incorrect login attempts. This will prevent a machine from eventually figuring out your password, which it can, given enough time and access.

Consider implementing controls so that users must regularly change their passwords.

Use network tools to track account login activity. This will help you see who’s accessing your network—and if they should be.

While setting a strong password is important, a brute force attack can over time eventually crack even an extremely strong password.

This is why it’s critical to utilize multi-factor authentication.

Enabling multi-factor authentication is extremely easy, and provides enormous security.

There are three kinds of credentials: something you know (like a password or a PIN); something you have (like a token or fob); and something you are (like your fingerprint).

Multi-factor authentication requires you to use more than one type of credential to access your account.

This means entering your password isn’t enough—you also will need to enter at least one of the other mentioned credentials.

For example, in addition to your password, you might use your fingerprint or a code transmitted to a security token or a fob.

Answering a security question on a website is not multi-factor authentication protection.

SMS-based authentication (or text message authentication) is when you receive a one-time password or code to your phone as an extra layer of account security.

However, using text message authentication is much less secure than using a token, a fob, or your fingerprint.

Multi-factor authentication is not perfect. An attacker could still use social engineering techniques to trick you into providing your credentials to break into your account.

But if your campaign requires strong passwords and multi-factor authentication, you’ve greatly reduced the risk of attackers breaking into your computer network.

Remember, your voice matters, so protect it.
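The transcript above recommends three controls an administrator can enforce: prefer length over character-class complexity, check new passwords against a list of known-compromised passwords, and lock an account after repeated failed logins. The following is an added example written for this page (it is not FBI or NIST code) showing how those three controls fit together in a small account store. Everything it assumes is labelled in the code: a minimum length of 12, a tiny constructed breach list built from the weak examples the transcript names, salted PBKDF2 for stored credentials, and five consecutive failures before lockout.

```python
import hashlib
import os
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Assumed policy values for this example (not taken from the transcript or NIST).
MIN_LENGTH = 12          # length is weighted over character-class complexity
MAX_FAILED_ATTEMPTS = 5  # lock the account after this many consecutive failures
PBKDF2_ROUNDS = 100_000  # kept modest so the example runs quickly

# Constructed stand-in for a known-compromised password list. A real deployment
# would query a breach corpus; here we keep SHA-1 hashes of the weak examples
# named in the transcript so no plaintext list sits in the code.
COMPROMISED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest()
    for p in ("Password1", "1234", "a1b2C#")
}


def is_compromised(password: str) -> bool:
    """True if the password appears in the (constructed) breach list."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest() in COMPROMISED_SHA1


def check_password(password: str) -> list:
    """Return the policy problems with a password; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if is_compromised(password):
        problems.append("found in known-compromised password list")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256 so a stolen store cannot be reversed cheaply."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


@dataclass
class AccountStore:
    """In-memory credential store with a failed-attempt counter and lockout."""
    creds: dict = field(default_factory=dict)     # user -> (salt, digest)
    failures: dict = field(default_factory=dict)  # user -> consecutive failures
    locked: set = field(default_factory=set)

    def register(self, user: str, password: str) -> None:
        """Enforce the password policy before storing a credential."""
        problems = check_password(password)
        if problems:
            raise ValueError(f"password rejected: {'; '.join(problems)}")
        self.creds[user] = hash_password(password)

    def login(self, user: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'; lock after repeated failures."""
        if user in self.locked:
            return "locked"
        stored = self.creds.get(user)
        if stored is not None:
            salt, digest = stored
            _, candidate = hash_password(password, salt)
            if secrets.compare_digest(candidate, digest):
                self.failures[user] = 0  # a success resets the counter
                return "ok"
        # Wrong password (or unknown user): count the failure toward lockout.
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= MAX_FAILED_ATTEMPTS:
            self.locked.add(user)
            return "locked"
        return "denied"


if __name__ == "__main__":
    store = AccountStore()
    for candidate in ("Password1", "a1b2C#", "goldielittlelamb3pigs"):
        print(candidate, "->", check_password(candidate) or "accepted")
    store.register("alice", "goldielittlelamb3pigs")
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(store.login("alice", "Password1"))
    # Locked out now, even with the correct passphrase; an operator must unlock.
    print(store.login("alice", "goldielittlelamb3pigs"))
```

Two design points worth noting: the checker rejects “Password1” for two independent reasons (too short and on the breach list), whereas the transcript’s “goldielittlelamb3pigs” passes with no complexity rule at all; and the lockout is deliberately sticky, so once the failure counter reaches the limit the correct passphrase no longer helps until someone with admin rights clears the lock, which is what stops an unattended brute-force run.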
