By Vince Vitale & Shawn Griswold:
While most contact center agents have at some point heard the basics of password security (use a strong password, don’t use the same password on different sites, etc.), many of us still brush off that advice because it seems too complicated, or it feels like we just don’t have the time. We use the same password across different sites; we use passwords that are easy for others to figure out – and just hope for the best. But passwords are just as important as other tools we use to verify our identity – like driver’s licenses, social security cards, and passports – and they are just as important to keep secure. Below we’ve listed some key tips for simplifying your password security – and for understanding why it’s so important.
- Focus on length. The best passwords are at least 12 – 15 characters long, and can contain letters, numbers and symbols. This may sound daunting but remember – the important part is length! Lowercase letters on their own are just as fine as mixing it up with numbers and symbols, as long as the password is long enough. You can keep it simple by creating a short sentence that’s easy for you to remember, like ilovemystartelCMC. For added strength, or if a website requires it, you can add numbers and symbols to the mix: 1LovemyStarte1CMC#!. (Bonus tips: Do NOT use common phrases from pop culture and don’t bunch up the numbers or symbols at the beginning or end of the password – spread them throughout, as demonstrated above.)
- Use different passwords for accounts that contain sensitive or personally identifying information. If contact center agents use the same password across accounts, once it’s been cracked, ALL accounts become vulnerable. Just as you use different keys to protect different places, use different passwords to protect different accounts.
- Password managers securely remember your passwords so you don’t have to! Many contact service representatives avoid using different passwords for different accounts because it’s just too hard to remember them all, and we know writing them down isn’t safe. Luckily, password managers can help! These tools can also create passwords that are incredibly hard to crack. All of your passwords (whether you created them yourself or the password manager did it for you) are kept within an encrypted vault, which can only be opened with a master password. The master password should be the longest, most unique password you’ve ever created, and it should not be stored by the password manager.
- Use two-factor or multi-factor authentication. It sounds pretty fancy, but all it really means is instead of just entering a password to log in to your account, agents will also need to enter a second piece of information. You can usually find this option in the account settings or security settings of the online service. Here’s how it works: after entering a password, the company will immediately send a short code to something you have: an email account, a text message or voice call to your phone, or an app you have installed on your device. You then enter that code on the website and, voila! – you are able to access your account. It confirms you are who you say you are, because you verified you have the email account, cell phone, etc. that you previously connected to that account. Some contact centers are beginning to use the “something I am” authentication – a retina scan, a thumbprint scan, a facial recognition scan, etc.
- Be wary of single sign-on. Many websites offer you the ability to use your social media or email account credentials to sign into their website, without having to create a new account. While this can be helpful because it means one less account you have to remember a username and password for, there are a number of possible risks involved with using it. You are also likely giving Facebook, Google, etc. access to more information about you than they already have, and sharing information from your social media account with the new site or service. (Remember the saying: “If the service is free, your personal information is often the price.”) A final risk to consider is that if your social media or email account gets compromised, it means the other accounts you’ve used those login credentials for are also compromised.
- Share your password with…. no one! Sometimes – especially in new relationships – we want to share everything with our partner, and have them share everything with us. But just as you wouldn’t give them your identity documents to carry around in their wallet, it’s important to keep your passwords private, and to respect the privacy of their passwords.
- Don’t let browsers remember your passwords. While this feature in many browsers may make it super easy to get into your accounts, it also makes it easy for someone who’s using the same computer or device to access those accounts (and all of your personal information) without needing to know your password. If you need help remembering your passwords (and who doesn’t these days?) consider using a password manager. Browsers are easily hacked and their password storage is not very secure, so even remote attackers can gain access to stored passwords simply by having a user view a compromised webpage.
- Be strategic with your secret questions and answers. Those secret questions aren’t really secret. Someone who knows you (or someone who can Google) will be able to guess where you went to high school or your favorite color. There’s no rule that you have to be honest when answering those secret questions, so make things up that you’ll remember but someone else can’t guess.
- Don’t take the bait. Unfortunately, most malicious hackers don’t have to work very hard to get access to passwords. They use strategies to trick people into giving them up. One common way they do this is by calling, pretending to be a representative of a company you are a customer of, and convincing you to give them private information. Another way is by sending an email pretending to be from a website, service, friend, or colleague, and giving you a website link to follow. When you click on that link you’re either directed to a fake website that asks for your private information, or the link launches malware onto your computer.
- Change your password (only when you need to). If you think someone knows your password, changing it from a device that isn’t being monitored can keep them from gaining further access to your account. But if your account hasn’t been compromised and you have created a strong password using the guidelines above, it’s not necessary to change your password often. If you are using multi-factor authentication, password rotation is not required. However, if the site / app does not have multi-factor authentication, it is still recommended to change the password on a fairly regular basis. Without multi-factor, a compromised password can go undetected for a long time.
- Remember to log off. Computers and devices are smart – sometimes too smart – and unless you actively log out, your account may remain open indefinitely, allowing others easy access. While it’s certainly convenient to not have to log in every time on our own devices, it’s important to weigh that convenience with the risk of what might happen if our device gets in the wrong hands. Also – getting into the habit of logging out on our own devices makes it less likely we’ll accidentally stay logged in to our accounts on computers and devices that aren’t ours. If you’re concerned you may have stayed logged in to an account by mistake, some online services like Facebook and Gmail allow you to go in and see the places where you’re currently logged in and give you the option of logging out of them remotely. If you’re using an app on a smart device that doesn’t allow you to log off, you might want to consider deleting the app or account. This is an additional hassle – but weigh the sensitivity of the information in that account and the risk of someone else accessing that information.
- Create a separate email account to use for logging in to online accounts or making purchases. Creating an alternative email account that you can use for online accounts and purchases can help protect your privacy, and also help you avoid all of that spam in your actual email inbox.
If you follow the above steps you will fortify your security at your company. Please pass this information on to your call center agents and be sure it is implemented in future identification procedures.
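The "Focus on length" tip, worked through as an added example that is not part of the original article: it compares brute-force search space for long and short passwords and flags numbers or symbols bunched at the start or end. The function names and the 12-character floor as a hard rule are assumptions made for illustration.

```python
import math
import string

MIN_LENGTH = 12  # assumed floor: lower end of the 12-15 character guidance

def alphabet_size(password):
    """Size of the character pool an attacker must search, by classes used."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 ASCII symbols
    return size

def search_space_bits(password):
    """Upper bound on brute-force work in bits: length * log2(pool size).
    Assumes random characters; a guessable phrase is weaker than this."""
    size = alphabet_size(password)
    return len(password) * math.log2(size) if size else 0.0

def extras_bunched(password):
    """True when all digits/symbols form one run at the very start or end."""
    extras = [i for i, c in enumerate(password) if not c.isalpha()]
    if not extras:
        return False
    contiguous = extras[-1] - extras[0] + 1 == len(extras)
    return contiguous and (extras[0] == 0 or extras[-1] == len(password) - 1)

def review(password):
    """Return findings against the tip; an empty list means it passes."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append("shorter than %d characters" % MIN_LENGTH)
    if extras_bunched(password):
        findings.append("numbers/symbols bunched at the start or end")
    return findings

if __name__ == "__main__":
    # First two samples are from the article; the last two are constructed.
    for pw in ("ilovemystartelCMC", "1LovemyStarte1CMC#!",
               "ilovemystartelCMC123!", "Xk7#mQ2!"):
        print(pw, round(search_space_bits(pw), 1), review(pw))
```

A 15-character lowercase-only password scores higher here than the constructed 8-character password that uses all four character classes, which is the point of the tip.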
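The code step described in the multi-factor authentication tip, sketched from the service's side as an added example that is not from the original article. The class name, the five-minute lifetime and the five-guess limit are assumptions, and delivery of the code by text, email or app is left out.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # assumed lifetime of a code
MAX_ATTEMPTS = 5        # assumed number of guesses allowed per code

class CodeVerifier:
    """Issues a short one-time code after the password step and checks the reply."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # account -> [code digest, expiry time, attempts left]

    @staticmethod
    def _digest(code):
        # Fixed-length bytes, so the comparison works for any submitted text.
        return hashlib.sha256(code.encode("utf-8")).digest()

    def issue(self, account):
        """Create a 6-digit code for the user's registered phone, email or app."""
        code = "%06d" % secrets.randbelow(10**6)  # drawn from a CSPRNG
        expires = self._clock() + CODE_TTL_SECONDS
        self._pending[account] = [self._digest(code), expires, MAX_ATTEMPTS]
        return code  # goes to the delivery channel, never to the login page

    def verify(self, account, submitted):
        """True only for the right code, before expiry, within the limit, once."""
        entry = self._pending.get(account)
        if entry is None:
            return False
        digest, expires, attempts = entry
        if self._clock() > expires or attempts <= 0:
            del self._pending[account]  # expired or guessed out: start over
            return False
        entry[2] -= 1
        if hmac.compare_digest(digest, self._digest(submitted)):
            del self._pending[account]  # single use: a replayed code fails
            return True
        return False
```

Expiry, the guess limit and single use are what keep a short six-digit code from being guessed or replayed by someone who already has the password.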