Strong passwords are now the law

Published on October 11, 2018

Last month, the state of California passed the Information Privacy: Connected Devices bill, which requires manufacturers of connected devices sold in California to equip them with reasonable security features. For a device that can be logged into from outside the local network, that means either a password that is unique to each unit or a requirement that the user set a new password before the device can be used for the first time. Shipping every unit with the same weak default, such as “admin” or “password”, will no longer be allowed. The bill was passed in an effort to stem the tide of cyber attacks seen in recent years. Many smart devices currently available, from webcams to thermostats, still accept the default passwords they ship with, so an attacker who knows a factory default can log in to any unit whose owner never changed it. The requirement takes effect on January 1, 2020: from then on, network-connected devices will have to either come with a unique code or require users to create a strong password upon first use.

As smart devices and cyber attacks both become more prevalent, it’s a good idea to consider how you’re coming up with your passwords and perhaps implement some guidelines to ensure your network is safe from attack. 

Why passphrases are superior to passwords

Passphrases are the gold standard when it comes to password security. Why? Because it’s easy to come up with passphrases that are both easy to remember and strong. What makes a good passphrase? Three random words strung together make a strong enough passphrase for a regular website login, as long as the words are truly random: drawn from a large wordlist by dice or a random generator, not picked from your head. “Bognoiseanimal” is a good choice. “Wethepeople” is not, because a familiar phrase is exactly what a password-cracking wordlist already contains. We advise getting into the habit of creating passphrases that start with a capital letter and end with a number and special character. For example, you might like to make your default ending “1!”. This way you’ll comply with most websites that have specific password requirements. Keep in mind that a fixed ending like this adds no real strength, since an attacker can guess it as easily as you can remember it; its only job is to satisfy composition rules, and all of the passphrase’s strength comes from the randomness of the words.
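To make the “truly random” requirement concrete, here is an added example (not part of the original post, and not Hushmail’s code) that builds a passphrase the way the paragraph above describes and computes how much strength the words contribute. It uses Python’s `secrets` module rather than `random` so the picks come from the operating system’s cryptographic generator. The short wordlist in the block is a constructed stand-in; the entropy figures assume the real list has 7,776 entries, the size of the EFF long wordlist, which is what you would load in practice.

```python
import math
import secrets

# Constructed stand-in wordlist for the demo. A real passphrase should be
# drawn from a large public list such as the EFF long wordlist.
SAMPLE_WORDS = [
    "bog", "noise", "animal", "copper", "violin", "harbor",
    "pixel", "mango", "lantern", "quilt", "saddle", "thunder",
]

# Size of the EFF long wordlist (6^5 entries, one per roll of five dice).
EFF_LONG_WORDLIST_SIZE = 7776

# Printable ASCII, the usual alphabet for machine-generated character passwords.
PRINTABLE_ASCII_SIZE = 95


def entropy_bits(num_words: int, wordlist_size: int) -> float:
    """Strength of a passphrase made of num_words uniformly random picks.

    A fixed suffix such as "1!" is deliberately not counted: an attacker
    who knows the convention gains nothing from it, so it adds zero bits.
    """
    return num_words * math.log2(wordlist_size)


def char_password_entropy_bits(length: int,
                               alphabet_size: int = PRINTABLE_ASCII_SIZE) -> float:
    """Strength of a password of `length` uniformly random characters."""
    return length * math.log2(alphabet_size)


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Smallest number of random words that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(num_words: int = 3, words=SAMPLE_WORDS,
                        suffix: str = "1!") -> str:
    """Concatenate num_words CSPRNG-chosen words, capitalise the first
    letter and append the fixed suffix, matching the article's convention."""
    picks = [secrets.choice(words) for _ in range(num_words)]
    phrase = "".join(picks)
    return phrase[0].upper() + phrase[1:] + suffix


def meets_composition_rules(passphrase: str) -> bool:
    """The site-style rules the suffix convention is meant to satisfy:
    starts with a capital letter, contains a digit and a non-alphanumeric."""
    return (passphrase[:1].isupper()
            and any(c.isdigit() for c in passphrase)
            and any(not c.isalnum() for c in passphrase))


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Time to search half the keyspace at the given guess rate; the
    attacker expects to succeed about halfway through on average."""
    return (2 ** bits) / 2 / guesses_per_second


if __name__ == "__main__":
    print("example passphrase:", generate_passphrase())
    three = entropy_bits(3, EFF_LONG_WORDLIST_SIZE)
    print(f"3 EFF words: {three:.1f} bits, "
          f"{expected_crack_seconds(three, 1e10) / 3600:.1f} h at 10^10 guesses/s")
    six = entropy_bits(6, EFF_LONG_WORDLIST_SIZE)
    print(f"6 EFF words: {six:.1f} bits, "
          f"{expected_crack_seconds(six, 1e10) / 3.15e7:.0f} years at 10^10 guesses/s")
    print("random 10-char password:",
          f"{char_password_entropy_bits(10):.1f} bits")
```

Two things the numbers make visible. Three words from a 7,776-entry list give about 39 bits, which holds up against an online login that rate-limits attempts but not against an offline attack on a leaked fast hash; for anything protecting other secrets (a password-manager vault, an email account used for sign-ins) pick six words, which is comparable to a ten-character fully random password and far easier to remember. And the entropy function never looks at the suffix, because the suffix is not secret.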

Never reuse passphrases or passwords

When we’re asked so often to create a password, it’s tempting to come up with one or two and use those for everything. This creates a terrible security risk because if a cybercriminal hacks into one of your accounts, they’ll be able to break into your other accounts as well. The results could be disastrous. But how can you manage all of your passwords so they’re secure and you can retrieve them quickly? 

There are many password managers out there that will safely file away unique passwords and autofill them on the websites you use frequently. We recommend 1Password, which generates unique passwords and puts them all behind one password or phrase that syncs to all of your devices. 

Another option is to use your web browser’s password generator to come up with and store unique passwords.

Alternatively, if you must, write your passwords down in a notebook or store them in a secure file. This strategy isn’t recommended because hundreds of passwords can quickly become unwieldy, and even a notebook or file on your computer can fall into the wrong hands. However, even this is better than reusing the same password. Unique passwords are that important. 

Use two-step verification with Facebook or Google sign-ins

Many websites allow you to sign in with your Facebook or Google accounts, which is very convenient for users and reasonably secure, as long as the Facebook or Google account itself is protected by a strong passphrase. Because that passphrase becomes the key to every account linked to it, it’s also important to enable two-step verification on it. This security measure adds a second check when signing in from an unknown device: a code from an authenticator app, an approval prompt on your phone, a hardware security key, or, as the weakest of the options, a code sent by text message to your phone number. A passphrase that has been guessed or phished is then not enough on its own to take over the account, and with it every site you sign in to through it. Note that a code typed into a fake login page can still be relayed by the attacker; of the methods above, only a security key fully resists that kind of phishing.

Good security habits are worth the extra effort

With the recurrent news of cyber attacks, the thought of needing to secure all of your passwords may seem overwhelming, but it doesn’t have to be. Taking the three precautions in this post is an excellent place to start. Make sure your passphrases are strong with random words and special characters, don’t use the same passphrase twice, and use two-step verification when you’re linking several accounts to one login. 

California is the first state to require strong passwords of device manufacturers, and it most likely won’t be the last. As we become more knowledgeable about how cybercriminals operate, we also become more savvy about protecting our data from attacks. Of course, Hushmail is always here to offer a secure, encrypted email solution - passphrases required and two-step verification available on demand. 
