Awareness, DoS and third party breaches top security concerns of 2013

A recent study by Deloitte, titled Blurring the lines: 2013 TMT global security study, shows that 59% of Technology, Media and Telecommunications (TMT) companies suffered a data breach.  88% of these companies do not believe that they are vulnerable to an external cyber threat such as hacking.  Rather, the three highest threats were employee errors and omissions, denial of service attacks and security breaches by third parties.

Awareness is a critical factor here and Deloitte lists it as one of the top three security initiatives of 2013. 70% of TMT companies responded in the survey that employee mistakes were an average or high vulnerability. The risks, as stated by Deloitte, include "talking about work, responding to phishing emails, letting unauthorized people inside the organization, or even selling intellectual property to other companies." To counter this, companies are conducting awareness training, often through security firms with experience in the area, and creating materials that employees will see on a regular basis to remind them of their responsibility to protect the data they work with.

Denial of Service (DoS) attacks were also rated a high threat. DoS attacks overload targeted information systems, making them slow to respond to requests or taking them down entirely. Given the relative ease of conducting a DoS attack and the criticality of information systems to today's businesses, it is no wonder that DoS makes the list. These attacks are often triggered by saying something that irks a hacker group or by opposing a hacker group or its interests. Organizations can protect themselves by monitoring the messages they send, especially through social networking, and by working out an incident response plan for handling a DoS attack that includes the public relations factors in addition to the technical ones.

Breaches by third parties are at the top of the list partly because the average company deals with so many third parties in the course of doing business. In fact, 79% of respondents said the sheer number of third parties they deal with was an average or high threat. With so many third parties, it is difficult to determine whether each has a sufficient level of security to adequately protect the data they work with and, as we all know, security is only as effective as the weakest link. Organizations have responded by screening third parties more thoroughly and assigning them a risk rating for the type of data they will be working with, through a process called vendor risk management. The third party then needs to demonstrate security that is in line with its risk rating. This process is required by regulations such as the Sarbanes-Oxley Act (SOX), the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA).

The threat landscape of 2013 continues to grow and companies are tasked with more responsibility to protect the data they work with. As can be seen from Deloitte's survey, security awareness, denial of service and third party breaches are three major concerns for companies in 2013. To protect themselves, companies can conduct security awareness training, create incident response plans, and screen third parties who work with sensitive data.

Data breach risk high for healthcare

Recent research shows that hospitals are at the highest risk for data breaches. The third annual benchmark study on patient privacy found that 45% of healthcare organizations have suffered more than five data breaches. This is an increase from 29% in 2010. In the largest share of cases, 46%, the cause of the data breach was a lost or stolen computing device. Employee carelessness and business associate mistakes were tied for the second most likely cause.

Healthcare IT News put together a list of the top 10 healthcare data breaches of 2012 listed below:

Utah Department of Health: 780,000
Emory Healthcare: 315,000
S.C. Department of Health and Human Services: 228,435
Alere Home Monitoring, Inc.: 116,506
Memorial Healthcare System, Fla.: 102,153
Howard University Hospital: 66,601
Apria Healthcare: 65,700
University of Miami: 64,846
Safe Ride Services: 42,000
Medical Integration Services, Puerto Rico: 36,609

As we move into 2013, health care organizations can help prevent data breaches by maintaining tight control over organizational computing assets containing Protected Health Information (PHI), since lost or stolen devices are the leading cause of breaches. They should also be concerned with employee security training and with requiring higher security standards of business associates. Last but not least, HIPAA compliance is a must.

When a data breach or cyber security incident does occur, the impact can be minimized if clear direction for handling the breach has been given through incident response plans.  It is also important to know when to call for outside help.  Know providers of breach response services and computer forensic services and have their information at hand to minimize the scope and impact of a data breach or cyber security incident.

Human response to changes in risk

Gerald Wilde had a theory called risk homeostasis.  This theory hypothesizes that people have a level of acceptable risk.  When they perceive that there is less risk, they will take more risky actions to bring them to an acceptable level and when they perceive more risk, they will be more cautious.  Information security is very concerned with managing risk and reducing it to an organizationally acceptable level.  However, an organization is made up of many people and they may have a different level of acceptable risk than the organization does.  If the theory of risk homeostasis is applied to information security, individuals will take riskier actions when the organization implements controls to make them safer or when they perceive the environment to be safer.

This has far reaching ramifications for those in information security because the individual's perception of risk may differ greatly from the actual risk. Despite awareness of information security breaches in the news and the overwhelming statistics showing that a data breach is likely, people still have difficulty accepting that a breach could happen to them. It all comes down to perceptions. Under Wilde's theory, if a high risk is perceived then users will be more cautious, and that is where the security minded organization wants to be. So the question is, does the risk homeostasis theory hold water and, if so, how do organizations manage perceptions in information security?

The risks of networked entertainment devices

The latest televisions and Blu-ray players are being shipped with more than high definition video and audio. Internet access and a host of new applications are being built in to run directly on these devices. A popular built-in feature is wireless access, which enables the user to avoid plugging in an Ethernet cable. Accessing the Internet and your favorite apps directly from your TV is convenient. However, what security risk does this pose?

Are TVs and Blu-ray Players a Security Risk?

The primary question is, "Are these devices a security risk?" Examining the features of these systems and comparing them to existing systems that already have a risk profile will help answer this question.

In order to access the Internet, a device needs a browser. Currently, manufacturers have decided not to develop their own browsers but to use existing products that have proven effective on other platforms. Some devices come equipped with a version of Opera while others utilize Google's Chrome browser. Both browsers have been reasonably responsive in addressing security vulnerabilities and supporting the latest security standards.

Another feature offered by some devices is the ability to retrieve pictures, movies and music from networked computers by using Microsoft's Windows "media extender technology." The default installation of the media center extender provides full access to most of the shared media on the network. This access could allow a compromised television or Blu-ray player to reach files on the home or office network.

Yet another consideration is the type of content that will be available on these devices. In the past year, a large number of exploits focused on Adobe Flash or Java. Blu-ray players currently support Java in order to display content often included on Blu-ray disks, while some of the TV browsers support Flash content. Additionally, many of the applications available for these devices (like Hulu Plus) use Flash.

Internet capable televisions or Blu-ray players are typically connected to the network for extended periods of time. This long-term connection poses another risk. These devices may be configured to automatically download or index programs for future use. Since these devices are rarely monitored and are typically used throughout the day, a security breach may go unnoticed for a long period of time.

Although there have not been any reported vulnerabilities for televisions and Blu-ray players yet, do not expect it to remain this way for long.  It did not take long for cell phones to be exploited after Internet access and applications were ported to them. Similarly, as Internet capable televisions and Blu-ray players grow in popularity, they will become a more sought after target of hackers.

So What Can You Do?

Since no vulnerabilities have been published, companies have not developed security patches to prevent unwanted breaches. A review of recent firmware update release notes from mainstream television and Blu-ray manufacturers found none that documented fixes for security vulnerabilities. These updates only enhanced functionality, not security.

Companies who have adopted Internet capable devices should consider keeping them on a separate network segment.  Both home and business users can disconnect devices from the network if Internet features are not needed.  By staying up to date on new vulnerabilities, corrective action can be taken when needed.

For added security, also consider turning off features that automatically index or download content. This, combined with setting the device to turn fully off, will reduce the amount of time the device is potentially vulnerable each day. When using the media center extender, consider reducing access from the default of full access to read only. See this article for details on configuring tightened security for media center extenders (please be aware the article is rather technical). Eventually, security patches for these Internet capable devices will be released just like security patches are released for software applications and operating systems. However, unlike with computers, users are not familiar with the firmware update process and not all companies make it easy to upgrade their products. In the future, companies will need to develop procedures for regularly updating devices.

In conclusion, an Internet TV or Blu-ray player could be vulnerable once exploits are developed for these devices. As consumer usage of these devices increases, the likelihood of malicious code being developed will likewise increase. The firmware on these devices can be upgraded, but manufacturers have not released any security updates for their devices. Until manufacturers address these intrusions as they occur, the three best ways to protect a device from undisclosed vulnerabilities are:

  1. Disconnect it from the network unless it is needed to use specific Internet features
  2. Allow the device to turn off and not download content automatically
  3. Configure tighter security on Windows media extenders.

Data: If you don’t need it, delete it

Organizations are accumulating data at a pace that would cause a hoarder to blush. Just like that old bicycle seat stored in the attic, data is often kept "just in case it may be needed someday." This practice, however, comes at a cost.

Some organizations think that it is inexpensive to store data, especially with the steady decline in hard drive prices. The fact is, however, that data is expensive to keep. Organizations spend a significant portion of their time managing, archiving and securing data. Data is housed on servers, each of which must be maintained. Data is also archived regularly according to the organization's backup schedule, and it is audited and secured against loss. Each of these activities consumes the time of those in information management (i.e. increases the cost).

Excessive data retention can also pose a risk to an organization in regard to compliance and electronic discovery requirements. Personally identifiable information that is lost could result in significant fines. In addition, old document drafts that may not provide organizational value could still damage the organization if disclosed. Data related to litigation is costly to obtain, organize, and produce. Searching through an organization's legacy data adds additional complexity and cost.

For the reasons stated above, it is important to remove unnecessary data. A structured approach is necessary to avoid the loss of important data and to provide consistency throughout an organization. Structure can be accomplished through a data retention policy. A data retention policy should specify how long certain types of data, such as emails, documents, drafts, instant message conversations, or even voice mails, should be kept and how the data will be properly disposed of.

Contents

At a minimum, a data retention policy should contain a scope section that outlines the types of data covered. Examples would be tax records, personal information, business records and legal documents. In addition, the policy will need to spell out how long and in what form each type of document will be retained. Some policies may include guidelines on removal of data – or this may be left to a data destruction policy.

Retention Term

One of the most difficult parts of defining a data retention policy is specifying the length of time to retain certain types of documents. Compliance requirements may determine the minimum or maximum length of time, while business requirements may stipulate other terms. Both the compliance and business requirements will need to be considered in defining the duration. The following are some best practices that can be used as a starting point in the formation of a data retention policy:

  • Audit documentation and associated financial documents will need to be kept for at least 7 years if there is a SOX requirement. The IRS requires that tax documents be retained for at least 4 years after they were due.
  • The list of hazardous chemicals provided by OSHA contains many substances common in the workplace, and data retention policies should define how long documentation of hazardous chemical exposure data will be kept. OSHA requires that such documents be retained for 30 years.
  • The Health Insurance Portability and Accountability Act (HIPAA) requires that information disclosure authorizations, patient requests, business associate contracts and other such covered documents be retained for at least 6 years from the last transaction or 2 years following the patient's death.
  • Exceptions may be made to these recommendations when pending litigation or audits require an information freeze or legal hold for specific data. In these instances, organizations will need to show that they have made reasonable efforts to prevent the destruction of discoverable information.

This article discussed the need for data retention policies and outlined some regulatory requirements that should be included in business retention requirements. An effective data retention policy can go a long way in reducing data clutter, improving organizational efficiency and reducing risk. However, defining the policy will not be enough. Employees will need to be aware of the policy and motivated to follow it.

Where does cyber insurance fit in your risk strategy?

Data breaches and security incidents are a significant risk for organizations, and some are using cyber insurance to transfer the risk, similar to how many other business risks are transferred. If you are considering cyber insurance, the first step is to identify the cyber risks you are facing to determine whether they fall within your risk tolerance level or need to be addressed. Security controls may need to be implemented to bring risks to an acceptable level. There may be other risks where it is better to transfer the risk through cyber insurance.

Cyber insurance is still a relatively new concept so the offerings differ greatly between vendors.  Check with your vendor to see what they will cover.  Some of the costs of a data breach or security incident include:

  • Notification expenses such as those required under HIPAA
  • Investigation costs
  • Computer forensic services
  • Data restoration services
  • Public relations costs
  • Loss of business during the interruption
  • Loss of business following the interruption
  • Regulatory fines
  • Credit monitoring for impacted individuals

Insurance providers will want to know how risky a policy is so they will most likely have some questions on your security procedures before issuing a policy.  Cyber insurance is not a solution.  It needs to be pursued as part of the overall security governance of the organization along with security controls and other risk mitigation activities.

Increasing security risks associated with social networking

Social networking is a godsend and a concern, a help and a hindrance, an amazing feat and a terrible nuisance. While these descriptors apply to the individual, they are exacerbated many times over for a corporation. A corporation needs to be concerned with everything from profits to people, and social networking websites like Facebook, Twitter, or the new Google+, among others, have a tremendous impact on how a corporation looks at its priority list. Certain facets of social networking can be beneficial to businesses; for example, social networking provides a business with free publicity. In addition to publicity, social networking allows a business to expand into new markets and different demographics. Though networking brings many new possible clients and expands a business, it can also be riddled with potential pitfalls. For example, a business can divulge too much information via social networking. Also, privacy on sites like Facebook can be a little suspect, and thus put important corporate information at risk.

Now that a brief overview of the potential problems and possible benefits has been explored, a brief definition of social networking should be established. For this the Wikipedia definition will suffice: "A social networking service is an online service, platform, or site that focuses on building and reflecting of social networks or social relations among people, who, for example, share interests and/or activities. A social network service essentially consists of a representation of each user (often a profile), his/her social links, and a variety of additional services." This definition shows that social networks are used for establishing links among people and, while it is not explicitly stated, among corporations. However, it does not address the problems within social networking. This is a problem that cannot be overlooked or understated. Many dangers exist within the milieu of social networking and they must be explored.

Advantages

A few of the main goals of a corporation include the growth and sustainability of the company. Social networking provides a very advantageous solution for spreading the word about a company. Whether the company is new and up-and-coming or is looking to reformulate its image in the public eye, social networking can be beneficial. The client base is extensive and the upkeep is low cost. With social networking, corporations can reach multiple demographics and do it with an individualistic flair. Instead of a billboard advertisement trying to reach everyone, a corporation can use a Facebook post to reach a small population within the larger picture. Social networking can also be an option for solving communication problems. A news story that came out on July 6, 2011 discussed Facebook's new chat features, layout, and conference calling. Alongside these new elements, Facebook has also launched one-to-one video chat in a partnership with Skype. However, these new features are not the only way that social networking helps corporations bridge the communication gap. Social networking could be used to reach the entire employee base within a corporation as a unifying force. Event notifications and shared calendars can ensure that projects are completed on time.

Disadvantages

Unfortunately, not everything associated with social networking is positive. For a corporation, the adverse effect that social networking has on employee productivity can be a problem. People can spend company time updating their Facebook profiles or checking their Twitter feed instead of working on valuable projects. Employees who would otherwise be working diligently are instead lured into complacency via social networking. A lack of productivity affects the company through the individual employee; however, social engineering and corporate espionage could compromise the entire corporation. Corporate espionage and its dangers were discussed at length in another blog post. These dangers are intensified through the use of social networking. People and employees can be seduced and compelled to divulge company-sensitive information through social networking sites. Furthermore, once these secrets are published, the ownership of the information is disputed. There is ambiguity within the law as to who owns responsibility for what is posted to these social networking websites. A study done in Spain and published on May 9, 2011 dissected the problems with social networking. The study discussed where the blame falls with regard to libel and slander cases. However, this study could also set a precedent: social networking sites, by taking responsibility for the libel that could be posted on their websites, also take responsibility for anything posted on their sites, including sensitive information or corporate secrets. From an information technology (IT) standpoint, social networking could have large costs due to the bandwidth required to use these sites. The sites themselves may take up relatively little bandwidth, but problems ensue with the streaming of bandwidth-gobbling videos or music.

This bandwidth shortage is problematic on an individual level because employees are being less productive by looking at what their friends post, but it can also be troubling to corporations heavily involved in publicizing themselves via social networking sites. Corporations uploading promotional videos heralding their service or product on these sites can generate a lot of bandwidth traffic. This self-publicizing can create headaches for IT departments.

When it comes to maintaining friendships on the individual level, social networking sites provide tremendous opportunities; however, possible danger could exist for corporations and companies. These dangers include the possibility of a decline in worker productivity and the ability of social engineers to take advantage of workers, otherwise known as corporate espionage. Although there are possible dangers to social networking, the possibilities afforded by networking are not completely bleak. Many benefits can be derived from the use of social networking sites. For example, a company can use sites like Facebook and Twitter to connect to specific demographics and really reach out to them. In addition to that, the free publicity afforded by social networking sites is invaluable to corporations. The bottom line is that social networking should be used, but with extreme caution and acumen.

For further reading

A study analyzes the legal problems of social networks

5 Problems with Social Media *Marketing*

Skype Enables Video Calling on Facebook

Cyber espionage and the threat to your business

Corporate espionage is not just a plot for action movies; it is a real threat to small and large businesses. Many successful corporate espionage attacks steal data from companies each year, resulting in intellectual property being sold to other companies, often in other countries, or ransomed back to the company. This, in turn, has made it more difficult for companies to compete and to provide high-quality services.

Corporate espionage is focused on people more often than not and those who obtain information by manipulating people are called social engineers.  These social engineers recognize that people are the weakest link in organizational security.  It could take time to perform reconnaissance, defeat security controls, and locate the data they need if they target technology but a few well-placed phone calls or a casual meeting in a bar could give them much of the information they need.

So how do you reduce the threat of corporate espionage? It starts with educating employees about the threat of corporate espionage and the techniques used by social engineers. Second, since social networking sites are often used to make initial contact or gather information about people in the company, educate employees on the risks and safe practices of social networking, including how to validate the identity of a social networking "friend", signs of information gathering, and what can and cannot be disclosed on social networking sites. The next area of defense is physical security. Once a person has access to computers and facilities at your organization, it is very likely that they will be able to extract data. Make sure that guests are escorted through the facility. Require appointments for vendors and document who made the appointment and the identity of the vendor before allowing them entrance. Guests should sign in and be tracked. Employees should lock their workstations when they are not in use and the organization should consider a clean desk policy. These are just some examples among many that can protect physical security against corporate espionage. For more information, contact one of our security professionals.

Utilizing common vulnerability databases

The average organization has numerous types of equipment from different vendors. Along with the equipment, businesses also use multiple software applications from various developers throughout the organization. This diversity provides many helpful opportunities, but it also creates a higher probability of vulnerability. Risk managers are able to stay aware of new vulnerabilities through vendor systems or services such as SANS @RISK, the National Vulnerability Database (NVD), the Open Source Vulnerability Database (OSVDB), or Bugtraq, but how do they prioritize those vulnerabilities? Risk managers certainly need to know which vulnerabilities carry the highest risk so that those can be resolved before lesser ones. Understanding these vulnerabilities and their impact relative to other vulnerabilities is quite a challenge.

To overcome this challenge, several scoring systems have been developed. These include the US-CERT (United States Computer Emergency Readiness Team) Vulnerability Notes Database and the Common Vulnerability Scoring System (CVSS). This article provides an overview of both systems and how risk managers can use them to prioritize remediation.

US-CERT Vulnerability Notes Database

Severe vulnerabilities are published in the US-CERT Technical Alerts. One clear problem arises, however: what determines the severity of a vulnerability? A severe vulnerability that affects a rare application may be of lower priority to most users; however, those who do use it will want the information about its possible vulnerabilities. The Vulnerability Notes Database allows vulnerabilities of all severities to be published. This open book policy is due to the fact that the severity of vulnerabilities is difficult to determine. For example, the few users of the rare application are able to use the system to find the severe vulnerability that would not be published in the Technical Alerts.

Vendor information is available in addition to the vulnerability notes. For each vendor this includes a summary of the vendor’s vulnerability status, rated as “Affected”, “Not Affected”, or “Unknown”. This may also include a statement from the vendor that includes solutions to the problem, such as software patches and potential permanent fixes.

The database allows for browsing and searching for vulnerabilities. The notes include the impact of the vulnerability, solutions, and ways to work around it, as well as a list of vendors affected by the vulnerability. Searches can be customized in order to determine vulnerabilities that impact an organization and their level of severity. Thus this database can be very helpful for risk managers.

Common Vulnerability Scoring System (CVSS)

While the US-CERT Vulnerability Notes Database publishes all vulnerabilities of all severities, it is not the only way risk managers can prioritize their vulnerabilities. There is another system, which companies can apply to their equipment and software. This second method is called the Common Vulnerability Scoring System or CVSS.

CVSS ranks vulnerabilities using three categories of metrics: base, temporal, and environmental.

Base metrics define the fundamental characteristics of a vulnerability and include the following:

  • Impact to confidentiality, integrity, and availability
  • Access vector – the route through which a vulnerability is exploited: local, adjacent network, or network.
  • Access complexity
  • Authentication

Temporal metrics are those that change over time. The three temporal metrics are exploitability, remediation level, and report confidence.

  • Exploitability measures the current state of exploit technique availability. Higher availability means there are a higher number of potential attackers.
  • Remediation levels include unavailable, workaround, temporary fix, and official fix. As a vulnerability’s remediation level increases, its severity decreases.
  • Report confidence measures the confidence of the vulnerability’s existence and its technical details. Values include confirmed, uncorroborated, and unconfirmed. Vulnerabilities that are confirmed are considered more severe.

The last category of metrics used by CVSS is environmental metrics. These consist of metrics related to where the vulnerability exists. The metrics are as follows:

  • Collateral damage potential
  • Target distribution – the percentage of potential affected systems
  • Confidentiality, availability, and integrity requirements

The CVSS system, unlike the US-CERT database, provides different metrics and measures in order to categorize different vulnerabilities. It provides a scoring scheme that quantifies the different vulnerabilities, allowing risk managers in more niche markets and specific businesses to isolate the particular vulnerabilities important to them.
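As an added illustration (this is not code from the article or from the CVSS maintainers), the following Python script implements the CVSS v2 equations for the three metric groups described above and uses the environmental score to rank findings for remediation. The weights are the published CVSS v2 constants; the two findings and the organization's environmental profile are constructed, with the first base vector taken from the worked example in the CVSS v2 documentation.

```python
"""CVSS v2 calculator: base, temporal and environmental scores plus a
remediation-priority ranking. Added example, not code from the article or
from the CVSS maintainers; the weights are the published CVSS v2 constants.
"""
from decimal import Decimal, ROUND_HALF_UP

# Base metric weights (CVSS v2 specification).
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}          # local / adjacent / network
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}         # multiple / single / none
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}                 # none / partial / complete
# Temporal metric weights: exploitability, remediation level, report confidence.
EXPLOITABILITY = {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0}
REMEDIATION_LEVEL = {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0}
REPORT_CONFIDENCE = {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0}
# Environmental metric weights: collateral damage, target distribution, C/I/A requirements.
COLLATERAL_DAMAGE = {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0}
TARGET_DISTRIBUTION = {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0}
SECURITY_REQUIREMENT = {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0}


def round1(x):
    """CVSS round_to_1_decimal is half-up, so avoid Python's banker's rounding."""
    return float(Decimal(str(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def parse_vector(vector):
    """Turn 'AV:N/AC:L/Au:N/C:N/I:N/A:C' into {'AV': 'N', 'AC': 'L', ...}."""
    return dict(part.split(":") for part in vector.split("/"))


def _exploitability(m):
    return 20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]


def _impact(m, env=None):
    """Impact sub-score. With an environmental vector this is AdjustedImpact:
    each impact is weighted by the organisation's C/I/A requirement and capped at 10."""
    if env is None:
        c, i, a = IMPACT[m["C"]], IMPACT[m["I"]], IMPACT[m["A"]]
        return 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))
    c = IMPACT[m["C"]] * SECURITY_REQUIREMENT[env["CR"]]
    i = IMPACT[m["I"]] * SECURITY_REQUIREMENT[env["IR"]]
    a = IMPACT[m["A"]] * SECURITY_REQUIREMENT[env["AR"]]
    return min(10.0, 10.41 * (1 - (1 - c) * (1 - i) * (1 - a)))


def _base(impact, exploitability):
    if impact == 0:          # f(Impact) = 0: nothing is impacted, so the score is 0
        return 0.0
    return round1(((0.6 * impact) + (0.4 * exploitability) - 1.5) * 1.176)


def _temporal(base, t):
    return round1(base * EXPLOITABILITY[t["E"]] * REMEDIATION_LEVEL[t["RL"]]
                  * REPORT_CONFIDENCE[t["RC"]])


def base_score(base_vector):
    m = parse_vector(base_vector)
    return _base(_impact(m), _exploitability(m))


def temporal_score(base_vector, temporal_vector):
    return _temporal(base_score(base_vector), parse_vector(temporal_vector))


def environmental_score(base_vector, temporal_vector, env_vector):
    m, t, e = parse_vector(base_vector), parse_vector(temporal_vector), parse_vector(env_vector)
    # AdjustedTemporal is the temporal score recomputed with AdjustedImpact in the base equation.
    adjusted_temporal = _temporal(_base(_impact(m, e), _exploitability(m)), t)
    return round1((adjusted_temporal + (10 - adjusted_temporal) * COLLATERAL_DAMAGE[e["CDP"]])
                  * TARGET_DISTRIBUTION[e["TD"]])


def prioritize(findings, env_vector):
    """Rank (name, base_vector, temporal_vector) findings for one environment, highest first."""
    scored = [(name, environmental_score(bv, tv, env_vector)) for name, bv, tv in findings]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed sample input. The first base vector is the worked example from the
# CVSS v2 documentation (a remotely exploitable availability flaw); the second is hypothetical.
SAMPLE_FINDINGS = [
    ("remote DoS in public web server", "AV:N/AC:L/Au:N/C:N/I:N/A:C", "E:F/RL:OF/RC:C"),
    ("hypothetical local config bug", "AV:L/AC:H/Au:S/C:P/I:P/A:N", "E:POC/RL:OF/RC:UC"),
]
# Constructed environment: high collateral damage, all systems affected, availability matters most.
ORG_ENV = "CDP:H/TD:H/CR:M/IR:M/AR:H"

if __name__ == "__main__":
    for name, bv, tv in SAMPLE_FINDINGS:
        print(f"{name}: base {base_score(bv)}, temporal {temporal_score(bv, tv)}")
    for name, score in prioritize(SAMPLE_FINDINGS, ORG_ENV):
        print(f"  {score:4.1f}  {name}")
```

Changing ORG_ENV (for example TD:L for a vulnerability present on few systems) shows how the same base score can land at very different priorities in different organizations.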

Organizations usually have large numbers of programs running and, in addition to programs, a multitude of equipment required to operate a successful business. However, these cogs in the corporation's engine do not always run smoothly. Sometimes vulnerabilities crop up that can be harmful to the piece of equipment or to the larger company. Therefore, risk managers must keep track of all of these vulnerabilities in order to keep the business running efficiently. Following all of them can prove difficult. Risk managers keep on top of new vulnerabilities through various outlets; for example, SANS @RISK, the National Vulnerability Database (NVD), the Open Source Vulnerability Database (OSVDB), or Bugtraq are used in this capacity. A further strain comes in ranking vulnerabilities by severity. This job can be tough, but there are databases which can aid in dealing with the more critical vulnerabilities ahead of less severe problems. The first is the US-CERT Vulnerability Notes Database and the second is the Common Vulnerability Scoring System (CVSS).

The US-CERT Vulnerability Notes Database takes a broader approach. It chronicles many of the known vulnerabilities and outlines their severity without giving a hard ranking. This movement away from hard rankings is due to the difficulty of applying a single blanket score to all businesses, given their diversity. Meanwhile, CVSS uses standardized measurements to rank vulnerabilities. There are three categories that CVSS uses to evaluate vulnerabilities: base, temporal, and environmental. Within these there are several subcategories, all of which meticulously sort vulnerabilities into a ranking system.

Both the US-CERT Vulnerability Notes Database and the CVSS allow for a type of ranking of vulnerability severity. By using these systems, organizations are able to determine which vulnerabilities are most likely to affect their applications in the most severe way. It follows that these organizations will then be able to prioritize by remediating the most severe vulnerabilities likely to affect their systems first.

For further reading

CVSS v2 Complete Documentation 

US-CERT Vulnerability Notes Database

Top password tips – Keep your account safe

Hackers often bypass some of the best security technologies by exploiting one of the oldest tricks in the book: your password. Not only will attackers quickly gain access to whatever you have access to, but audits and security monitoring will show that you accessed the documents, not the attacker, so you will be the one to account for inappropriate use of company resources or access to data. So what can you do to prevent this?

First, don't share your password with anyone. Not your co-workers, secretary, spouse, or even your dog. Your password should be for your eyes only. Also, avoid group or departmental accounts that are shared among several people. Have system administrators create an individual account for each person that accesses a system. Next, change your password often and follow these guidelines to create a secure password:

  • Use a combination of upper-case and lower-case letters, numbers and special characters such as ! @ # $ % * ( ) – + = , < > : : " '
  • Make your password long enough: between 8 and 20 characters is recommended.
  • To help you remember your password easily, consider building it from the initials of a phrase or song lyric.
  • You can also make the entire phrase your password. I like to choose something funny and weird that would not be easily guessed, like "Yeah, testing for my star riding license", which would look like this as a password: "Yeah!Testing4My*RidingLicense"