Drake Software blog for tax pros, covering tax, IRS news, and more

IRS Updates Guidelines for Passwords

Cybersecurity, like the identity thieves it’s designed to foil, is a work in progress. What is considered standard procedure is superseded when something better comes along.

It’s time to update your To Do list on passwords.

What hasn’t changed is the need for strong passwords on every part of your income tax computer system. Strong passwords are the first “lock” hackers and identity thieves will hit if they break into your computer. These new recommendations will help ensure those locks hold.

What’s New for Passwords

First, if software or email programs offer a multi-factor authentication process, opt in whenever you can. Once only available through the largest software companies, multi-factor authentication that seeks to validate the user’s identity has now been incorporated into email clients and other programs.

Such authentication will contact the user either by cell phone or email to validate the user is the one who is attempting to log in. A code is sent to the cellphone or email on file and that code must be entered in a few minutes’ time to validate the log-in user is also the account owner.

Another advancement came in just what we consider to be a password. Previously, it was taught that the best passwords were random jumbles of letters, numbers and special characters (such as punctuation). That sort of password is indeed strong from a hacking perspective, but many times users have to write it down in order to remember it, which in turn makes is less secure.

Rethink passwords and think of a passphrase; eight characters at a bare minimum, but more is better. Use a combination of letters, numbers and symbols. The IRS uses the example of SomethingYouCanRemember@30 as a passphrase that could work. But for an even stronger phrase, consider using a nonsensical phrase that is still easier to remember than a random jumble of characters. So another example might be: BingoWatermelon7WalksThur$days.

When it comes to passwords we just can’t cut corners. So when your system says it’s time to change passwords or if you need to add accounts, don’t reuse passwords. For example, changing Bgood!17 to Bgood!18 is not strong enough to deter that hacker in Who-Knows-Where who’s trying to get into your computer system.

Good Password Habits

Other “best practices” for password security haven’t changed. Here are more tips for tax professionals in search of passwords to keep their data secure:

  • Use strong, unique passwords for all accounts, whether it’s to access a device, tax software products, cloud storage, wireless networks or encryption technology.
  • Avoid personal information or common passwords.
  • Change default and temporary passwords that come with accounts or devices.
  • Don’t use email addresses as usernames.
  • Store any password list in a secure location, such as a safe or locked file cabinet.
  • Don’t disclose passwords to anyone for any reason.
  • Use a password manager program to track passwords, but protect it with a strong password.

For more information about password security and other computer security issues facing tax practitioners today, check out the Tax Security 101 awareness initiative from the Internal Revenue Service and its industry partners on the Security Summit.

Other resources include Publication 4557, Safeguarding Taxpayer Data; Small Business Information Security: The Fundamentals; and Publication 5293, Data Security Resource Guide for Tax Professionals.

Bob Williams

Forget genes; I’ve got words in my DNA. Communication has been part of who I am nearly all my life. From a long career in radio news to another one in newspapers – and a University of Georgia journalism degree sandwiched between the two – language has been my life. I’ve also been fortunate to have learned the tax business from the ground up here at Drake, starting with 1040.com online forms some years ago before moving on to work on the Web. In all things tax-ish, we aim to give you tools you can use.

comments powered by Disqus