National Tax Security Awareness Week: Making Secure Passwords
Passwords are a ubiquitous part of life in the Digital Age, but many of us aren’t particularly good at making them. That’s why the Security Summit is highlighting tips for creating strong passwords on the third day of National Tax Security Awareness Week.
The IRS press release opened with a nod to the frenetic nature of the holiday shopping season, a time when taxpayers across the US access online accounts to take advantage of sales. Unfortunately, cybercriminals know that many of those accounts store personally identifiable information (PII) and financial data.
Considering how often taxpayers save their payment information on retailers’ websites—and just how many of those sites they’re frequently logging into from Thanksgiving to Christmas—it’s painfully obvious why protecting those accounts with a strong, secure password is essential.
How do I create a strong password?
The IRS and Security Summit partners recommend longer, but easy-to-remember passwords that are unique to every online account.
Part of that advice—creating a password that’s easy to remember—may seem at odds with what your third-party webmail accounts recommended a few years ago. Predictably, the shift is directly related to human habits.
“Experts previously suggested something like ‘PXro#)30,’ but now suggest a longer phrase like ‘SomethingYouCanRemember@30,’” the IRS says. “By using a phrase, users don’t have to write down their password and expose it to additional risk. Also, people may be more willing to use strong, longer passwords if it’s a phrase rather than random characters that are harder to remember.”
The rest of the password-creation tips covered account usernames, password storage, and programs designed to help users manage the exponential growth of online account passwords. Here’s the full list from the IRS:
- Use a minimum of eight characters; longer is better.
- Use a combination of letters, numbers and symbols in password phrases, i.e., UsePasswordPhrase@30.
- Avoid personal information or common passwords; use phrases instead.
- Change default or temporary passwords that come with accounts or devices.
- Do not reuse or update passwords. For example, changing Bgood!17 to Bgood!18 is not good enough; use unique usernames and passwords for accounts and devices.
- Do not use email addresses as usernames if that is an option.
- Store any password list in a secure location, such as a safe or locked file cabinet.
- Do not disclose passwords to anyone for any reason.
- When available, a password manager program can help track passwords for numerous accounts.
From that list, choosing a unique username that’s different from your email address might seem strange, but there are a few reasons for that recommendation:
- Knowing an email address gives identity thieves another piece of PII that they can use to build a credible profile for fraudulently applying for loans and credit cards.
- Having the email address in hand means being able to start the password recovery process.
- Using the same email address and password for everything—including bank account logins—is a pretty common mistake that cybercriminals are more than happy to leverage against victims.
Remember, taking every possible precaution can better protect you from cybercriminals.
Should I use multi-factor authentication to protect my online accounts?
Aside from creating unique passwords and user names, the Security Summit also recommends that taxpayers use multi-factor authentication to protect online accounts. For those who are unfamiliar with the term, multi-factor authentication is any process that adds another step to the account login process.
An account just protected by a password would be considered to have single-factor authentication. Accounts that have another step, like security questions or a code sent via text message that you have to enter during login, would be considered protected by multi-factor authentication.
The IRS says, “The idea behind multi-factor authentication is that a thief may be able to steal usernames and passwords, but it’s highly unlikely they also would have access to the mobile phone to receive a security code or confirmation to actually complete the login process.”
What’s the next topic for National Tax Security Awareness Week?
So far, the Security Summit has covered online shopping safety tips, how to spot phishing scams, and password-creation tips. On Thursday, the Summit will cover how big a business needs to be for cybercriminals to target them.
Source: IR-2019-196