Account Security for Teams Averse to Account Security
Typing in a password to access your bank account makes it less convenient than simply typing in your username or email address, but my guess is that you would agree that that password is very much worth the trouble to protect your money. The problem today is that simply having a password (especially the weak, often re-used passwords that many people use) is no longer sufficient to keep others out of our accounts. And while better securing our accounts does further reduce the convenience, security and convenience do not follow a linear relationship - there are things we can do to drastically improve security while only adding a moderate amount of inconvenience. And that's what I want to convince you of.
This is part one of a two-part article. In this first part my goal is to explain why churches should even care about properly securing their digital accounts. I also provide some terminology and lay out some best practices. In the second part, I'll dive into some specific tools and workflows to help you implement better security for your digital accounts.
TLDR: Best Practices for Account Security
If you read nothing else in this article, here's the lowdown:
- Use a strong, unique password for every account.
- Don't use the same password twice.
- Passwords should be 12-14 characters minimum.
- Use a password manager (like BitWarden) to generate and store passwords as well as other account/security information.
- Set up multi-factor authentication everywhere possible.
- When the account supports it, use an authenticator app (like BitWarden or Microsoft Authenticator) to generate one-time codes.
- Otherwise, use a mobile number or email address to receive one-time codes.
Passwords
Why are passwords important, but not enough?
Passwords are no fun and typically pretty annoying. However, they are an important part of the approach to keep people who don't belong there out of your digital accounts and services. If a bad actor gains access to your account, they can do all sorts of things, some of which you might never notice. They can make purchases, sign up for things you don't want, send spam emails on your behalf, and lock you out of your accounts.
And unfortunately, passwords alone are no longer good enough to keep you safe. Hacking organizations have been busy over the past several years, and whether you like it or not, many of your usernames and passwords are probably available for purchase right now somewhere on the web. This problem is compounded if you tend to use the same couple of passwords for all of your accounts. Once someone has access to one account, they've got what they need to access many more. This is why some form of multi-factor authentication (we'll get to this later) in addition to, or even in place of, your password is a necessity now.
Yes, staying safe on the web is a pain, but trying to do damage control on an account that has been hacked can be far more devastating.
So, when thinking about safeguarding your accounts, there are four key approaches to consider:
- Create strong passwords.
- Use a unique password for every account.
- Use a password manager so you don't have to remember all those different passwords.
- Enable multi-factor authentication whenever possible.
What's wrong with an easy password?
As computers get faster, it becomes easier for hackers to "brute force" their way into your account, simply by trying password after password until they find the one that works. It's like having a keyring with millions of keys on it, and one by one, trying every key on a door until it unlocks. The faster you can try a key, the more quickly you'll eventually open it. It's not a question of "if" the door will open, but rather "when". The stronger the password, the longer it takes (unless they make a lucky guess!) to access your account.
So what makes a strong password?
First, password length. The longer the password, the harder it is to guess every character correctly. Imagine a one-character password that only uses lowercase letters. You'd need at most 26 attempts to guess it correctly. If that password is changed to two characters, it jumps to a maximum of 325 attempts. But that's still not a lot. That's why passwords are now often recommended to be at least twelve characters long. If we include capital letters, numbers, and special characters (*&^%$#@! etc.), a twelve-character password can have over 15 trillion combinations. That takes a bit more time to guess.
Second, randomness. Hackers (or rather the programs they use) tend to try common words and phrases first, words that are in your username or email address, or words related to personal information easily found on the internet. The strongest passwords are either completely random combinations of letters (upper and lower case), numbers, and symbols, OR meaningless combinations of words (also called passphrases), though these can also contain numbers and symbols.
For example, here are some poor passwords:
- password123 - Why? It uses common words and numbers and is too short.
- MyBikeIsRed - Why? It's too short, and the words make sense together.
- T3chT@lk!! - Why? If this were an account with a techtalk.church username, the password contains elements of the username.
And here are some good password/phrases:
- 1jv9&kJLP04j,.` - Why? It's a random combination of characters and it's long.
- BaitKeys-candlePhone4 - Why? The words make no sense together and it's long. As a bonus, it's far easier to remember than the first example. This could be good for a master password for a password manager - the only one you need to memorize.
Finally, a strong password is one that is unique and not used anywhere else.
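To make the length and randomness reasoning above concrete, here is an added example (not code from the article) that computes the brute-force keyspace the passage describes and checks a password against the rules it lays out: minimum length, no common words (even with substitutions like 3 for e), and nothing lifted from the username. The common-word list, the substitution table and the guess rate of ten billion per second are constructed assumptions for illustration.

```python
import re
import string

# Constructed stand-in for a breached-password / common-word list (real lists
# hold millions of entries); an assumption of this example, not a real list.
COMMON_WORDS = {"password", "123456", "qwerty", "letmein", "welcome", "iloveyou"}

# Substitutions cracking tools undo before matching: 3->e, @->a, 0->o, 4->a, $->s, !->i, 1->i
LEET = str.maketrans("3@04$!1", "eaoasii")


def keyspace(charset_size, length):
    """Number of distinct passwords of exactly `length` characters drawn from a charset."""
    return charset_size ** length


def charset_size(pw):
    """Estimate the alphabet an attacker must cover from the character classes present."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # the 32 ASCII symbols
    return size


def username_tokens(username):
    """Split 'techtalk.church' into the words an attacker would try: techtalk, church."""
    return {t.lower() for t in re.split(r"[^A-Za-z0-9]+", username) if len(t) >= 4}


def check_password(pw, username="", min_len=12):
    """Return the reasons a password fails the article's rules (empty list = passes)."""
    problems = []
    if len(pw) < min_len:
        problems.append("too short (under %d characters)" % min_len)
    normalized = pw.lower().translate(LEET)
    if any(w in normalized for w in COMMON_WORDS):
        problems.append("contains a common word")
    if any(t in normalized for t in username_tokens(username)):
        problems.append("contains part of the username")
    return problems


def years_to_exhaust(pw, guesses_per_second=1e10):
    """Worst-case time to try every password of pw's length and charset at an assumed rate."""
    return keyspace(charset_size(pw), len(pw)) / guesses_per_second / (365 * 86400)
```

Running `check_password` over the article's own examples flags the three poor passwords and passes the two good ones; `years_to_exhaust` shows the random fifteen-character password outlasting `password123` by many orders of magnitude.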
What's wrong with using the same password everywhere?
Using a single, easy-to-remember password for absolutely everything is understandable. Unless you have a superhuman memory, it's far easier to remember one password (and maybe a few variations of it) than it is to store a list of unique passwords somewhere that you have to look up every time you want to log in to an account.
But what happens when your password is guessed correctly for one account? Suddenly an attacker has what they need to access not just that account, but ANY account that uses the same username (often your email address) and password. Sure, they might not know what accounts you have, but you can bet that they'll test that username/password combination in lots of different places to find out.
What is a password manager and why is it helpful?
Enter the Password Manager! 🎊
If you've ever let your web browser (Chrome, Edge, Safari, Firefox, etc.) save a password for you, then automatically fill it in when you visit a website, you've used a password manager. The problem is, if you're using it to auto-fill the same password for every account, it's adding convenience but no additional security.
A password manager basically takes the security advantages of strong password practices (unique, hard-to-guess passwords) and combines them with the convenience of only memorizing a single password.
It works like this:
Most password managers run as an extension in your web browser, but also have mobile and desktop apps, so you can access your password manager anywhere you need to.
You access your password manager with a username, a master password (this is the only one you'll memorize), and some form of multi-factor authentication.
Once accessed, it adds the convenience of:
- auto-filling stored usernames and passwords of sites already in your password manager
- generating and storing strong, unique passwords for new accounts as you sign up for them
- auto-filling one-time multi-factor authentication codes without needing to get a code from your email/phone
Common Objections
Q. What if someone guesses my master password? Won't they have access to ALL of my accounts?
A. Sure, but that's why you protect it with a strong password AND multi-factor authentication. Plus, then you're still no worse off than using the same password everywhere.
Q. What if I forget my master password?
A. Every password manager has some form of emergency access, whether it's resetting your master password using your multi-factor authentication method or having a handful of one-time use codes that you can print off and file away in a lock box.
Q. Isn't it scary not knowing the password to my bank account?
A. Only at first. You get used to it. The convenience and increased security far outweigh your own insecurity.
Q. Is it really a big deal if someone gets access to my account? We're not harboring government secrets or anything.
A. Yes! There are all sorts of potential ramifications of unauthorized account access like your email being shut down because it's unknowingly being used to send spam, files being held hostage to ransomware, credit card or other financial information stolen, etc.
Multi-Factor Authentication
What is multi-factor authentication?
Multi-factor authentication (MFA), or two-factor authentication (2FA), is a second line of defense for protecting your accounts, greatly increasing the difficulty for someone to access your stuff. If you've ever logged into an account by entering a code that was sent to your email or as a text to your phone, you've used MFA. MFA simply confirms your identity by requiring you to access an account (like your email) or device (like your phone) that only you can access.
The four most common methods of multi-factor authentication are:
- a one-time code sent to your email
- a one-time code sent to you as a text message
- a one-time code from an authenticator app
- fingerprint or facial recognition
Each account you log in to may offer different combinations of the above methods, and all are good, but using an authenticator app generally offers the most convenience and security. Regardless of the method, if you have the option, enable MFA on every account you can.
I'm convinced this is important. Now what?
Hopefully, as you've read, you've begun to realize the need for strong security on accounts accessed by your staff and volunteers. Stay tuned for part two of this article, where I'll dive into some details on implementing these ideas in ways that are inexpensive and the least disruptive to your team.