Topics

A Strong Foundation: Securing Accounts and Devices

Secure Accounts: Passwords and Two-Factor Authentication

Last Updated: July 2022

In today’s world it is likely that your organization and its staff have dozens if not hundreds of accounts that, if breached, could expose sensitive information or even get at-risk individuals hurt. Think about the different accounts that individual staff and the organization as a whole may have: email, chat apps, social media, online banking, cloud data storage, as well as clothing stores, local restaurants, newspapers, and many other websites and apps that you log into. Good security in today’s world requires a diligent approach to protecting all of these accounts from attacks. That starts with ensuring good password hygiene and the use of two-factor authentication throughout the entire organization.

What makes a good password?

There are three keys to a good, strong password: length, randomness, and uniqueness.

Length:

The longer the password is, the harder it is for an adversary to guess it. Most password hacks are done by computer programs these days, and it does not take those nefarious programs long to crack a short password. As a result, it is essential that your passwords are at minimum 16 characters, or at least 5 words, and preferably longer.

Randomness:

Even if a password is long, it is not very good if it is something that an adversary can easily guess about you. Avoid including information like your birthday, hometown, favorite activities, or other facts that someone could find out about you from a quick internet search. 

Uniqueness:

Perhaps the most common password “worst practice” is using the same password for multiple sites. Repeating passwords is a big problem because it means that when just one of those accounts is compromised, any other accounts using that same password are vulnerable too. If you use the same passphrase on multiple sites, it can greatly increase the impact of one mistake or data breach. While you may not care about your password for the local library, if it is hacked and you use the same password on a more sensitive account, important information could be stolen.

One easy way to achieve these goals of length, randomness, and uniqueness is picking three or four common but random words. For example, your password could be “flower lamp green bear” which is easy to remember but hard to guess. You can take a look at this website from Better Buys to see an estimate of just how quickly bad passwords can be cracked.

Use a Password Manager to help

So you know it is important for everyone in the organization to use a long, random, and different password for each of their personal and organizational accounts, but how do you actually do that? Memorizing a good password for dozens (if not hundreds) of accounts is impossible, so everyone has to cheat. The wrong way to do it is to reuse passwords. Luckily, we can turn to digital password managers to make our lives much easier (and our password practices much safer) instead. These applications, many of which can be accessed via computer or mobile device, can create, store, and manage passwords for you and your entire organization. Adopting a secure password manager means that you will only ever have to remember one very strong, long password called the primary password (historically referred to as a “master” password), while being able to get the security benefits of using good, unique passwords across all of your accounts. You will use this primary password (and ideally a second factor of authentication (2FA), which will be discussed in the next section) to open your password manager and unlock access to all your other passwords. Password managers can also be shared across multiple accounts to facilitate secure password sharing throughout the organization.

Why do we need to use something new? Can we not just write them down on paper or in a spreadsheet on the computer?

Unfortunately, there are many common approaches to managing passwords that are not secure. Storing passwords on sheets of paper (unless you keep them locked away in a safe) can expose them to physical theft, prying eyes, and easy loss and damage. Saving passwords on a document on your computer makes it much easier for a hacker to gain access – or for someone who steals your computer to not only have your device but also access to all of your accounts. Using a good password manager is just as easy as that document, but far more secure. 

Why should we trust a password manager?

Quality password managers go to extraordinary lengths (and employ excellent security teams) to keep their systems secure. Good password management apps (a few are recommended below) are also set up so that they do not have the ability to “unlock” your accounts. This means that in most cases, even if they were hacked or legally compelled to hand over information, they would not be able to lose or give up your passwords. It is also important to remember that it is infinitely more likely that an adversary guesses one of your weak or repeated passwords, or finds one in a public data breach, than that a good password manager would have its security systems broken. It is important to be skeptical, and you definitely should not blindly trust all software and applications, but reputable password managers have all the right incentives to do the right thing.

What about storing passwords in the browser?

Saving passwords in your browser is not the same as using a secure password manager. In short, you should not use Chrome, Firefox, Safari or any other browser as your password manager. Although it is definitely an improvement over writing them on paper or saving them in a spreadsheet, the basic password-saving features of your web browser leave something to be desired from a security perspective. These shortcomings also rob you of much of the convenience that a good password manager brings. Losing this convenience makes it more likely that people across your organization will continue poor password creation and sharing practices.

For example, unlike dedicated password managers, browsers’ built-in “save this password” or “remember this password” features do not provide simple mobile compatibility, cross-browser functionality, and strong password generation and auditing tools. These features are a big part of what makes a dedicated password manager so useful and beneficial to your organization’s security. Password managers also include organization-specific features (such as password sharing) that provide not just individual security value, but value to your organization as a whole.

If you have been saving passwords with your browser (intentionally or unintentionally), take a moment to remove them.

Save Password boxbitwarden

Instead of using your browser (such as Chrome, shown at left) to save your passwords, use a dedicated password manager (like Bitwarden, shown at right). Password managers have features that make life both more secure and convenient for your organization.

What password manager should we use?

Many good password management tools exist that can be set-up in less than 30 minutes. If you are looking for a trusted online option for your organization that people can access from multiple devices at any time, 1Password (starts at $2.99 USD per user per month) or the free, open-source Bitwarden are both well supported and recommended. 

An online option like Bitwarden can be great for both security and convenience. Bitwarden, for example, will help you create strong unique passwords and access passwords from multiple devices through browser extensions and a mobile app. With the paid version ($10 USD for a full year) Bitwarden also provides reports on reused, weak, and possibly breached passwords to help you stay on top of things. Once you set up your primary password (referred to as a master password), you should also turn on two-factor authentication to keep your password manager’s vault as secure as possible. 

It is essential to practice good security when using your password manager too. For instance, if you use your password manager’s browser extension or log in to Bitwarden (or any other password manager) on a device, remember to log out after use if you are sharing that device or believe that you might be at heightened risk of physical device theft. This includes logging out from your password manager if you leave a computer or mobile device unattended. If sharing passwords across your organization, also be sure to revoke access to passwords (and change the passwords themselves) when people leave the organization. You do not want a former employee to keep access to your organization’s Facebook password, for example.

What if someone forgets their primary password?

It is essential to remember your primary password. Good password management systems like the ones recommended above will not remember your primary password for you or allow you to reset it directly via email the way you might be able to for websites. This is a good security feature, but also makes it essential to commit your primary password to memory when you first set up your password manager. To help with this, consider setting up a daily reminder to recall your primary password when you first create a password manager account. 

Advanced: Using a Password Manager for Your Organization

You can strengthen your entire organization’s password practices and ensure all individual staff have access to (and use) a password manager by implementing one across the entire organization. Instead of having each individual staff member set up their own, consider investing in a “team” or “business” plan. For example, Bitwarden’s “teams organization” plan costs $3 USD per user per month. With it (or other team plans from password managers like 1Password), you have the ability to manage all shared passwords across the organization. The features of an organization-wide password manager not only provide greater security but also convenience for staff. You can securely share credentials within the password manager itself to different user accounts. And Bitwarden, for example, also provides a convenient end-to-end encrypted text and file sharing feature called “Bitwarden Send” within its team plan. Both of these features give your organization more control over who can see and share which passwords, and provides a more secure option for sharing credentials for team-wide or group accounts. If you do set up an organization-wide password manager, be sure that someone is specifically in charge of removing staff accounts and changing any shared passwords when someone leaves the team.

Two Factor Authentication

What is two-factor authentication?

However good your password hygiene, it is all too common for hackers to get around passwords. Keeping your accounts secure from some common threat actors in today’s world requires another layer of protection. That is where multi-factor or two-factor authentication comes into play – referred to as MFA or 2FA.

There are many great guides and resources explaining two-factor authentication, including Martin Shelton’s Two-Factor Authentication for Beginners article and the Center for Democracy & Technology’s Election Cybersecurity 101 Field Guide. This section borrows heavily from both of those resources to help explain why 2FA is so important to implement across your organization.

In short, 2FA strengthens account security by requiring a second piece of information – something more than just a password – to gain access. The second piece of information is usually something that you have, like a code from an app on your phone or a physical token or key. This second piece of information acts as a second layer of defense. If a hacker steals your password or gains access to it via a dump of passwords from a major data breach, effective 2FA can keep them from accessing your account (and therefore away from private and sensitive information). Ensuring that everyone in the organization puts 2FA in place on their accounts is critically important.

How can we set up two-factor authentication?

There are three common methods for 2FA: security keys, authentication apps, and one-time SMS codes.

Security Keys

Security keys are the best option, in part because they are almost completely phishing-proof. These “keys” are hardware tokens (think mini USB drives) that can attach to your keychain (or stay in your computer) for easy access and safekeeping. When it is time to use the key to unlock a given account, you simply insert it into your device and physically tap it when prompted during login. There are a wide range of models that you can purchase online ($20-50 USD), including highly regarded YubiKeys. The New York Times’ Wirecutter has a helpful guide with some recommendations for which keys to purchase. Keep in mind that the same security key can be used for as many accounts as you would like. While security keys are on the expensive side for many organizations, initiatives such as Google's Advanced Protection Program or Microsoft’s AccountGuard provide these keys for free to some qualifying at-risk groups. Contact the people who gave you the Handbook to see if they can connect you to such programs or contact [email protected].

Security Keys in the Real World

A hand holding an actual key with a key ring attached to a 2 f a device

By providing physical security keys for two-factor authentication to all 85,000+ of its employees, Google (a very high risk, highly targeted organization) effectively eliminated any successful phishing attacks against the organization. This case shows just how effective security keys can be for even the most at-risk organizations.

Authentication Apps

The second-best option for 2FA is authentication apps. These services allow you to receive a temporary 2FA login code through a mobile app or push notification on your smartphone. Some popular and trusted options include Google Authenticator, Authy, and Duo Mobile. Authenticator apps are also great because they work when you do not have access to your cellular network and are free to use for individuals. However, authenticator apps are more susceptible to phishing than security keys because users can be tricked into entering security codes from an authentication app into a fake website. Take care to only enter login codes on legitimate websites. And do not “accept” login push notifications unless you are sure that you are the one who made the login request. It is also essential when using an authenticator app to be prepared with backup codes (discussed below) in case your phone is lost or stolen.

Codes via SMS

The least secure but unfortunately still most common form of 2FA are codes sent via SMS. Because SMS can be intercepted and phone numbers can be spoofed or hacked via your mobile carrier, SMS leaves a lot to be desired as a method for requesting 2FA codes. It is better than only using a password, but authenticator apps or a physical security key are recommended when at all possible. A determined adversary can get access to SMS 2FA codes, usually just by calling the phone company and swapping your SIM card.

When you are ready to start enabling 2FA for all of your organization’s various accounts, make use of this website (https://2fa.directory/) to quickly look up information and instructions for specific services (like Gmail, Office 365, Facebook, Twitter, etc.) and to see which services allow for which types of 2FA.

2FA and Political Parties

Image of a phishing website

One of the world’s most prominent political figures, former United States’ President Donald Trump, made headlines for many reasons, including two-factor authentication. In 2019, an ethical hacker named Victor Gevers successfully accessed Trump’s Twitter account due to a weak password and its lack of 2FA. It took Gevers only five attempts to guess the password (“maga2020!”) and without 2FA in place there was nothing else to stop him from direct access to the highly sensitive and powerful @realdonaldtrump account. Gevers said that after he successfully hacked the Twitter account he went to great lengths to report the vulnerability, sending emails, screenshots and social-media messages to various U.S. government entities. Luckily for Trump’s political and communications team, his account was accessed by an ethical hacker, and not an adversary.

What if someone loses a 2FA device?

If using a security key, treat it the same way you would treat a key for your house or apartment, if you have one. In short, do not lose it. Just like your house keys though, it is always a good idea to have a backup key registered to your account that stays locked away in a safe place (like a safe at home or a safe deposit box) just in case of loss or theft.

Alternatively you should create backup codes for accounts that allow it. You should keep these codes saved in a very secure place, like your password manager or a physical safe. Such backup codes can be generated within most sites’ 2FA settings (the same place where you enable 2FA in the first place), and can act as a backup key in case of emergency.

The most common 2FA mishap occurs when people replace or lose phones which they use for authentication apps. If using Google Authenticator, you are out of luck if your phone is stolen, unless you save the backup codes that are generated at the time you connect an account to Google Authenticator. Therefore, if you are using Google Authenticator as a 2FA app, be sure to save the backup codes for all accounts that you connect in a secure place.

If using Authy or Duo, both apps have built-in backup features with strong security settings that you can enable. If you choose either of those apps, you can configure those backup options in case of device breakage, loss, or theft. See Authy’s instructions here, and Duo’s here.

Be sure that everyone in your organization is aware of these steps as they start to enable 2FA across all of their accounts.

Enforcing 2FA Across Your Organization

If your organization provides email accounts to all staff through Google Workspace (formerly known as GSuite) or Microsoft 365 using your own domain (for example, @ndi.org), you can enforce 2FA and strong security settings for all accounts. Such enforcement not only helps protect these accounts, but it also acts as a way to introduce and normalize 2FA to your staff so that they are more comfortable with adopting it for personal accounts as well. As a Google Workspace administrator, you can follow these instructions to enforce 2FA for your domain. You can do something similar in Microsoft 365 following these steps as a domain admin. 
Consider also enrolling your organization’s accounts in the Advanced Protection Program (Google) or AccountGuard (Microsoft) to enforce additional security controls and require physical security keys for two-factor authentication.

Secure Accounts

  • Require strong passwords for all organizational accounts; encourage the same for staff and volunteer’s personal accounts.
  • Implement a trusted password manager for the organization (and encourage use in staff’s personal lives as well).
    • Require a strong primary password and 2FA for all password manager accounts.
    • Remind everyone to log out of a password manager on shared devices or when at heightened risk of device theft or confiscation.
  • Change shared passwords when staff leave the organization.
  • Only share passwords securely, such as through your organization’s password manager or end-to-end encrypted apps.
  • Require 2FA on all organizational accounts, and encourage staff to set up 2FA on all personal accounts as well.
    • If possible, provide physical security keys to all staff.
    • If security keys are not in your budget, encourage the use of authenticator apps instead of SMS or phone calls for 2FA.
  • Hold regular training to ensure staff are aware of password and 2FA best practices, including what makes a strong password and the importance of never reusing passwords, only accepting legitimate 2FA requests, and generating backup 2FA codes.