As part of its #actnowstaysecure campaign, the Australian Cyber Security Centre (ACSC) recently shared recommendations for protecting email accounts.
The campaign highlights the ACSC email security home page, which walks readers through why email security is important:
“If someone gains unauthorised access to, or impersonates your email account, they can intercept or gain access to your private communications.”
This campaign also highlights ways to tell whether someone else has accessed your email account, such as noticing strange emails in your sent folder or receiving unexpected password reset notifications.
It also offers links to practical guides on how to protect your business from email fraud and how to secure your Microsoft account with multi-factor authentication.
The guide entitled Protect your business from email fraud and compromise is of interest, as it shares suggestions for protecting SMBs and enterprises. They include:
Turning on MFA
Renewing domain names
Registering additional domain names, so that cyber-criminals cannot register a domain name very similar to your business's and use it to trick people
Setting up email authentication measures to prevent spoofing attacks
Protecting privacy by limiting the amount of personally identifiable information posted online
Under the MFA suggestion, the paragraph ends with this: “Remember to use a strong passphrase for your email account if you cannot use multi-factor authentication.” Clicking the link brings the reader to yet another page, entitled Passwords, pins and passphrases.
Recommending the use of MFA is important, as is keeping PII close to the vest. Points also go towards including language about using a strong passphrase.
But these recommendations could be simpler and more direct (why centre domain names over strong passphrases?). We will reiterate here what we have said before: national and international agencies with a security-centric purview should recommend, clearly and on their main pages, that consumers and businesses use strong and unique passwords. Leaving it up to readers to comb through documents or follow a trail of links will result in reader attrition and message dilution.
Furthermore, the ACSC misses the opportunity to highlight the efficacy of password managers. Password managers let users easily create and manage strong, unique login credentials for each website, which limits the impact of a potential data breach: if one site is breached, only that site's password is exposed, and the user can quickly generate a new one. There are a host of excellent options on the market.
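To make the blast-radius argument concrete, here is an added example (written for this post; it is not code from Bitwarden, from any password manager, or from the ACSC guidance). It generates per-site random credentials with the operating system's CSPRNG, as a manager does, and shows how many accounts one leaked password exposes when passwords are reused versus when they are unique. It also includes a passphrase generator and a rough entropy estimate. The function names, the site names and the small word list are constructed for illustration only.

```python
# Added example (not code from Bitwarden or the ACSC): per-site random
# credentials, CSPRNG-based password/passphrase generation, and a rough
# entropy estimate. All names below are illustrative, not any product's API.
import math
import secrets
import string

# Constructed word list for the demo only. Real generators use a large public
# list (the EFF long list has 7776 words); entropy per word is log2(list size).
WORDLIST = [
    "anchor", "basil", "cobalt", "dune", "ember", "falcon", "garnet", "harbor",
    "ivory", "juniper", "kestrel", "lantern", "marble", "nectar", "orchid", "pebble",
    "quartz", "ripple", "saffron", "timber", "umber", "velvet", "willow", "yarrow",
]

SYMBOLS = string.ascii_letters + string.digits + string.punctuation  # 94 characters


def generate_password(length: int = 20, alphabet: str = SYMBOLS) -> str:
    """Uniform random password drawn from `alphabet` with the OS CSPRNG (secrets)."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words: int = 4, wordlist=WORDLIST, sep: str = "-") -> str:
    """Random passphrase: `words` entries drawn with replacement from `wordlist`."""
    if words < 1:
        raise ValueError("words must be positive")
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(symbols: int, pool_size: int) -> float:
    """Entropy of `symbols` symbols chosen uniformly from a pool of `pool_size`."""
    return symbols * math.log2(pool_size)


def estimate_entropy(password: str) -> float:
    """Crude strength estimate from the character classes present.

    Only meaningful for randomly generated passwords; a human-chosen string such
    as "Password1!" scores the same here despite being trivially guessable.
    """
    pool = 0
    if any(c in string.ascii_lowercase for c in password):
        pool += 26
    if any(c in string.ascii_uppercase for c in password):
        pool += 26
    if any(c in string.digits for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)  # 32
    return entropy_bits(len(password), pool) if pool else 0.0


def build_vault(sites) -> dict:
    """What a password manager does: a distinct random password for every site."""
    return {site: generate_password() for site in sites}


def exposed_accounts(vault: dict, leaked_password: str) -> set:
    """Accounts an attacker can enter after one site's password leaks (credential
    stuffing): every site whose stored password equals the leaked one."""
    return {site for site, pw in vault.items() if pw == leaked_password}


if __name__ == "__main__":
    sites = ["mail.example", "bank.example", "shop.example"]  # constructed

    # Reused password: a breach at the shop exposes mail and bank as well.
    reused = {site: "Summer2024!" for site in sites}
    print("reuse exposes:", sorted(exposed_accounts(reused, reused["shop.example"])))

    # Manager-generated unique passwords: the same breach exposes one account.
    vault = build_vault(sites)
    print("unique exposes:", sorted(exposed_accounts(vault, vault["shop.example"])))

    print("20-char random password: ~%.0f bits" % entropy_bits(20, len(SYMBOLS)))
    print("4-word passphrase, 7776-word list: ~%.0f bits" % entropy_bits(4, 7776))
    print("example passphrase:", generate_passphrase())
```

The point of `exposed_accounts` is the one the paragraph makes: with reuse, one leaked password is every account; with manager-generated unique passwords, it is exactly one. Note that `estimate_entropy` is a sanity check for generated secrets only, never a judgement of human-chosen passwords, which attackers guess by dictionary rather than by brute force over the full pool.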
For a refresher on how Bitwarden ranks agencies, see Bitwarden’s State of Password Security report.
Overall Bitwarden Assessment: Good
Does not recommend use of a password manager
Calls out importance of strong passwords
Cites need for 2FA/MFA to further support password security
Overall security advice is not up-to-date and does not adhere to NIST guidelines
Does not lay out password security recommendations in a clear, digestible, and easy to find manner
Learn what advice other leading cybersecurity agencies offer, and how they compare, in the State of Password Security Report, released earlier this year.