How to Create a Strong Password and How to Use Multifactor Authentication


October is National Cybersecurity Awareness Month, an annual collaboration between government and industry to raise awareness about the importance of cybersecurity.

During the month, the Exchange’s IT directorate is sending email newsletters to the workforce, each detailing a particular cybersecurity-related topic. The Exchange Post is also publishing cybersecurity-related stories throughout the month.

This story combines two related topics: Password best practices and multifactor authentication. And there’s more to diligent password practice than just picking a password. A few things to remember:

  • Longer passwords are stronger passwords: every added character multiplies the number of guesses an attacker has to make
  • Random passwords—such as the strings of letters, numbers and symbols a browser or password manager suggests—are even stronger, because nothing about them can be predicted from dictionaries or personal details
  • Using a series of five to seven unrelated words, instead of a phrase, can also create a strong password that is still memorable, especially if you misspell some of the words intentionally.
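The three points above can be put on a common scale. The following script is an added example and is not part of the Exchange Post article or of any Exchange tool: it estimates the guessing work a password imposes (bits of entropy, assuming each symbol is chosen uniformly at random) and generates a random word-based password of the kind recommended above. The word list is a small constructed sample; a real generator would draw from thousands of words (the Diceware list has 7776, which is the figure used for the entropy comparison). The guess rate of 1e10 per second is an assumed figure for offline cracking of a fast hash, not a measurement.

```python
"""Added example (not code from the Exchange Post article): compares the
guessing work behind different password styles and generates a random
word-based password. Word list and guess rate below are assumptions."""

import math
import secrets
import string

# Constructed sample word list; real generators use thousands of words.
SAMPLE_WORDS = ["copper", "lantern", "orbit", "velvet", "quartz", "harbor",
                "meadow", "pixel", "saddle", "thunder", "walnut", "yonder"]

DICEWARE_LIST_SIZE = 7776   # assumed list size: 6^5 words in the Diceware list
PRINTABLE_ASCII = 94        # letters, digits and symbols on a US keyboard


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in a secret of `length` symbols, each chosen
    uniformly at random from `alphabet_size` possibilities."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Years needed to try every possibility at the given guess rate.
    1e10/s is an assumed figure for offline cracking of a fast hash on a
    GPU rig; online attempts against a rate-limited login are far slower."""
    seconds = 2 ** bits / guesses_per_second
    return seconds / (365 * 24 * 3600)


def random_password(length: int) -> str:
    """Random string over the 94 printable ASCII characters, like the
    suggestions a browser or password manager offers."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(word_count: int, words=SAMPLE_WORDS, sep: str = "-") -> str:
    """`word_count` words chosen uniformly at random from `words`.
    secrets.choice, not random.choice, because the result is a secret."""
    return sep.join(secrets.choice(words) for _ in range(word_count))


def compare_styles() -> dict:
    """Entropy, in bits, of the styles the newsletter contrasts."""
    return {
        "8 random chars": entropy_bits(PRINTABLE_ASCII, 8),
        "12 random chars": entropy_bits(PRINTABLE_ASCII, 12),
        "16 random chars": entropy_bits(PRINTABLE_ASCII, 16),
        "5 random words": entropy_bits(DICEWARE_LIST_SIZE, 5),
        "7 random words": entropy_bits(DICEWARE_LIST_SIZE, 7),
    }


if __name__ == "__main__":
    for style, bits in compare_styles().items():
        print(f"{style:16s} {bits:6.1f} bits  ~{years_to_exhaust(bits):.3g} years")
    print("sample random password :", random_password(16))
    print("sample word password   :", random_passphrase(5))
```

The comparison makes the first two bullets concrete: eight random characters (about 52 bits) fall to an offline attack in days at the assumed rate, while five random words from a large list (about 65 bits) or twelve random characters (about 79 bits) push the same attack out to decades or longer. Word counts only earn those figures when the words are actually chosen at random; a quotation or a phrase a person would naturally write is not.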

“A password should be a mix of things that you are able to remember but are complex enough that someone can’t guess it within a certain number of attempts,” said Aaron Foechterle, Exchange data security analyst.

Also, don’t use the same password for everything. Use a different password for each account: when one site is breached, attackers try the leaked email and password combinations on every other service, so a reused password turns one breach into many.

That can mean remembering more than 20 passwords—so IT recommends using a password manager. A password manager stores your passwords, and you only need to remember one of them—the one you use to get into the password manager. That master password should be the longest and strongest of all, and the manager itself should be protected with MFA.

As recently detailed in a column by Executive Vice President/Chief Information Officer Chad Lucas, the Exchange is working with a new identity and access management provider called Okta to develop a more secure password-reset process for associates.

“Previously, our password parameters were very basic,” Foechterle said. “They were very limited. Now they’ve expanded quite a bit, to where you can have a complex password and change it more easily.”

Another upgrade in the password-reset system is that the process now includes two-factor authentication, a form of multifactor authentication, or MFA.

MFA is an extra step—which could include a code sent via text or email, a prompt in an authenticator app, fingerprints, facial recognition or other methods—that confirms your identity when you log on to an account. Any second factor is better than none, but codes sent by text or email can be intercepted or redirected more easily than an authenticator app or a hardware security key, so prefer those where a site offers them. The IT team will also provide info on how to turn on MFA—and why you should use it on any site that offers it.

“Instead of using just your password to log into a website, you have your password and something else,” Foechterle said. “You have your password and a push notification, or something else. With an iPhone, it could be a fingerprint or Face ID. It’s basically a couple of different ways to log into an account—that way, it makes it harder for a bad actor to gain access.

“If you’re working remotely and you need a push notification from Duo to log in, you’re using two-factor notification,” he added. “We recently started using Duo to verify password resets.”

But even push notifications require diligence. An attacker who already has your password can trigger prompts until one is approved by mistake, and approving an unexpected prompt hands over the account.

“If you’re expecting a push notification, you should definitely accept it,” Foechterle said. “But if one gets sent to you and you’re not expecting it, especially if it’s sent at an odd hour of the day, you should not accept.”

In addition to the Exchange Post, follow @exchangeassoc on Facebook, Instagram and X for more info. Hashtags for the month are #CybersecurityAwarenessMonth and #SecureOurWorld.

Next: Recognizing phishing
