Stop Collecting Data About Your Patrons’ Gender Identity

A four-way stop sign in front of snow-covered tree branches.
Image source: https://www.flickr.com/photos/ben_grey/4383358421/ (CC BY-SA 2.0)

tl;dr – Your library doesn’t need to collect data about your patrons’ gender identity.

Longer tl;dr – Your library doesn’t need to collect data about your patrons’ gender identity for library workers to do their daily work.

Nuanced tl;dr – Your library doesn’t need to collect data about your patrons’ gender identity 99% of the time, and in that 1% where the data is required, you’re probably doing more harm than good in your collection methods.

This post is brought to you by yet another conversation about including gender identity data in patron records. Libraries collected this data on their patrons for decades; it’s not uncommon to have a “gender” field in the patron record of many integrated library systems and patron-facing vendor services and applications. But why collect this data in the first place?

Two explanations that come up are that gender identity data can be used for marketing to patrons and for reading recommendations. However, these explanations do not account for the problem of relying on harmful gender stereotypes. Take the belief that boys are reluctant readers, for example. Joel A. Nichols wrote about his experience as a children’s librarian and how libraries do more harm than help in adopting this belief:

These efforts presume that some boys are not achieving well in school because teachers and librarians (who are mostly women) are offering them books that are not interesting to them (because they are boys). I find this premise illogical and impracticable, in particular because I am queer: the things that were supposed to interest boys did not necessarily interest me, and the things that were supposed to interest girls sometimes did. Additionally, after years of working in children’s departments, I found over and over again that lots of different things interested lots of different kids. In my experience, it was the parents that sometimes asked for “boy books” or “girl books.” The premise that boys need special “boy” topics shortchanges librarians and the children themselves, and can alienate kids who are queer or genderqueer.

This collection of patron data can be used to harm patrons in other ways, such as library staff misgendering and harassing patrons based on the patron’s gender identity. A recent example comes from the 2019 incident where library staff repeatedly misgendered a minor patron when she was with her parent to sign up for her library card. While the library decided to stop collecting gender identity data on library card applications as a result of the incident, the harm done cannot be remedied as easily as changing the application form.

The ALA Rainbow Round Table recommends that libraries do not collect gender identity data from patrons unless absolutely needed. Since the recommendation in 2015, several libraries evaluated their collection of gender identity data only to find that they were not using that data. Collecting data for “just in case” opens library patrons to additional harm if the library suffers a data breach. If there is no demonstrated business need for a data point, do not collect that data point.

In the rare case that your library absolutely must collect data about the gender identity of your patrons (such as a requirement to report on aggregated patron demographic data for a grant-funded project), care must be taken in collecting this data to mitigate additional harms through alienation and exclusion.  The Rainbow Round Table recommends the Williams Institute’s report “Best Practices for Asking Questions to Identify Transgender and Other Gender Minority Respondents on Population-Based Surveys” as a guide to collecting such data. The Williams Institute has also created a short guide to create survey questions around gender identity. Here are more resources that can guide respectful demographic data collection:

Again, the resources above are only for the rare case that your library absolutely must collect this data from your patrons. Libraries considering collecting gender identity data must review the rationale behind the collection. A patron should not be required to tell the library their gender identity to use the library’s collections and services. Even the act of collecting this data can harm and disenfranchise patrons.

tl;dr – Your library doesn’t need to collect data about your patrons’ gender identity.

In Case of Emergency

A pull fire alarm with a sign next to it stating "Exit Alarm Only - this alarm does not summon the fire dept In case of Fire call 911"
Image source – https://www.flickr.com/photos/laurablume/5356203877 (CC BY ND 2.0)

Last Wednesday’s attempted insurrection at the US Capitol left many in various states of shock, despair, anger, and grief. As the fallout from the attempt continues to unfold, we are starting to learn more about the possible cybersecurity breaches that resulted from the attempt. Cybersecurity professionals, who are still trying to investigate the extent of the damage done by the SolarWinds attack weeks before, are now trying to piece together what could have been compromised when the mob entered the building. Stolen laptops and other mobile devices, unlocked desktop computers, paperwork left on desks – the immediate evacuation of congresspeople and workers meant that the mob had potential access to sensitive or confidential information as well as sensitive internal systems.            

Leaving a desk, office, or service point immediately to get to safety is a real possibility, even for libraries. Active shooter training has become standard for many US organizations, joining common fire and severe weather drills where staff leave their workstations to head to safe areas. Other library workers have personal experience leaving their work station to get to safety; in one instance, someone I knew barricaded themselves in a work office with other library staff after a patron started attacking them at the information desk. Physical safety comes first. Nonetheless, this leaves information security and privacy professionals planning on how to mitigate the risk that comes with potential data and security breaches in these life-threatening emergencies.

Incident response planning and several cybersecurity strategies help mitigate risk during emergencies where staff immediately leave work areas. Preventative measures can include:

  • Encrypting hard drives on computers and mobile devices
  • Requiring multifactor authentication (MFA) for device and application access
  • Installing remote wipe software to wipe devices if they are reported missing or stolen
  • Not writing down passwords and posting them on computer monitors, keyboards, desks, etc.
  • Conducting an inventory of library staff computers and mobile devices (tablets, phones, etc.)
  • Setting up auto-lock or auto-logoff on staff computers after a few minutes of inactivity
  • Storing confidential or sensitive data in designated secured network storage and not on local hard drives or USB drives
  • Limit access to systems, applications, and data through user-based roles, providing the lowest level of access needed for the user to perform their daily work
  • Storing mobile devices and drives as well as sensitive paper documents in secured areas when not in use (such as a locked desk drawer or cabinet)

After the emergency, an incident response plan guides the process in responding to potential data breaches: containing the damage, removing the attacker from doing more damage, and how to repair the damage. The incident response plan also provides communication plans for users affected in the breach as well as any regulatory obligations for reporting to a government office or official.

All of this will involve a considerable amount of resources and time; however, the time spent in planning and in training (think the tabletop exercises mentioned in our post about gaming in cybersecurity training) will be less time spent after the fact where emotions and stress are running high, resulting in things being missed or falling through the cracks after the emergency.

A Quick Data Privacy Check-in for The New Year

A small orange and white kitten sits on an Apple floppy drive, while a picture of a gray cat is displayed on an Apple monitor.
Image source: https://www.flickr.com/photos/50946938@N03/5957820087/ (CC BY 2.0)

Welcome to 2021! We hope that everyone had a restful holiday break. There might be some changes to your work environment for the new year that could affect the privacy and security of your patrons’ data. Let’s start this year off with a quick (and gentle) check-in.

Smart devices

Smartwatches, smart speakers, smart TVs – what new internet-enabled smart device has taken residence in your home, office, or even on your person? You might not know that these devices eavesdrop on your conversations and, in some instances, eavesdrop on what you type. If you are working with a patron or talking with a colleague that includes patron information, what smart devices are in listening range that weren’t before the new year?

Depending on the device, you might be able to prevent eavesdropping; however, other devices might not have this option. Disconnecting the internet from the device is also an option, but this might be more of a hassle than a help. The one sure way to stop a device from eavesdropping is to remove it from listening range, or, better yet, disconnecting the device from its power source.

Computers and mobile devices

A new year could mean a new computer or mobile device. If this is you, and if you are using a personal computer or mobile device for working with patrons or patron data, don’t forget to do the following while setting up your new device:

  • Install antivirus software (depending on your organization, you might have access to free or discounted software)
  • Install the VPN client provided by your organization
  • Install privacy-preserving tools and browser extensions
  • Enable auto-updates for the operating system and any applications installed on the device
  • Review the privacy and security settings for your operating system:
    • Mac and iOS devices – Apple recently published a document listing security and privacy settings on all Apple devices. The tl;dr summary by Lifehacker is a good resource if you’re not sure where to begin
    • Android – Computerworld’s guide to Android privacy is long but worthwhile if you want a list of actions to take based on the level of privacy you want on your device. Also, visit Google’s Data Privacy Settings and Controls page to change your Google account privacy settings (because now is a good time as any to review Google settings).

Evergreen recommendations

Even if you didn’t get a new smart device or computer for the holidays, here are a few actions you can do with any device to start the new year right by protecting your and your patrons’ privacy:

Take a few moments this week to review privacy settings and risks – a moment of prevention can prevent a privacy breach down the road.

Holiday Privacy Reads and Videos

A one eyed black cat with cartoon antlers sitting and looking up.

The Executive Assistant wishes all of our subscribers and readers a happy holiday season!

We will be back at the start of the new year; in the meantime, here are some videos and long reads to keep you company as we go on our holiday break:

Have a safe and healthy rest of 2020!

Patron Privacy Support: Holiday Edition

An orange cat looking at a laptop screen and pawing a mouse tracking pad.
Image source: https://www.flickr.com/photos/25473210@N00/421211549 (CC BY 2.0)

Black Friday and Cyber Monday have come and gone, but there are still plenty of opportunities to buy the last-minute gift to mark the end of a rough year. Patrons who might have gone to the library to ask for help setting up their new tech gadget will still find their way to the library help desk via chat, email, or phone. Other patrons might come to the help desk with questions from researching which tech gadgets to gift to others (or to themselves!). Why not use this time to do a bit of privacy instruction?

For patrons wondering what to buy – Mozilla’s *privacy not included is an excellent starting point for researching tech gifts that connect to the internet. The guide contains information about data privacy and security for each product and even warns you if a particular product doesn’t meet a minimum security standard.

For patrons who are shopping online – Even though most of our lives have shifted to online thanks to the pandemic, patrons might not have online safety and privacy in mind while shopping online. Account privacy settings, passwords, credit cards, web tracking, digital fingerprinting, phishing emails – the list of vulnerabilities and threats goes on and on. Having a sense of the patron’s threat model will help you determine which guides and resources you can use to help the patron protect their privacy while online. The Virtual Privacy Lab from the San Jose Public Library gives patrons a customizable privacy toolkit they can then use to protect their online privacy and security. You can also send along this short newsletter from SANS about secure online shopping that will help patrons to protect themselves while they shop online.

For patrons setting up their new tech gadget – The patron is excited about their new tech gadget! That is until they can’t figure out how to set it up. This is a great place to introduce privacy-preserving practices found in the Data Detox Kit and in other resources on the Choose Privacy Every Day site to set up their devices to protect their privacy and security right when they start using the gadget.

Last, an evergreen reminderdo not buy or gift an Amazon Ring.

No matter the gadget question or help request this holiday season, there’s always an opportunity to give the gift of privacy to patrons through sharing ways to help them protect their data. While this year might prove a challenge to provide the same level of support at the information or help desk, the above online resources make meeting that challenge a little easier for both the patron and for library staff. Happy shopping and tech support-ing!

FYI – New Newsletter Privacy Policy

Today (as in an hour before publishing our post!) MailPoet announced that it has been acquired by WooCommerce. LDH uses MailPoet for our weekly newsletter mailings. We will be reviewing the new Privacy Policy for the app to decide if we should continue to use the app. While we do not currently use any of the analytics features on MailPoet, we will need to determine if this acquisition means a change in data collection and processing with the third-party vendor. LDH will announce any changes to the newsletter app or other updates in a future post. If you have any questions in the meantime, please feel free to email us.

Security Without Privacy

Powerpoint slide listing the types of data collected by typical web app logs, including timestamps, user behavior, biometric data, and geographic location.
Slide from the SNSI October Webinar

Academic libraries have been in the information security spotlight due to the resurgence of Silent Librarian. The collection of academic user accounts gives attackers access to whatever the user has access to in the campus network, including personal data. Attackers gaining access to library patron data was not the reason why academic library information security was in the news again this past month, however.

Protecting The Bottom Line

In late October, the Scholarly Networks Security Initiative (SNSI) presented a webinar [slides, transcript] that made several controversial statements and proposals. The one that caught the attention of the academic researcher and library worlds is the proposal of a publisher proxy tool to monitor user access and use of publisher resources. In the transcript and slides, the proposal included tracking behavioral data in addition to other personally identifiable data. For example, the publisher would actively track the subjects of the articles that the user is searching and reading:

159

00:29:10.020 –> 00:29:17.280

Corey Roach: You can also move over to behavioral stuff. So it could be, you know, why is a pharmacy major suddenly looking up a lot of material on astrophysics or

160

00:29:18.300 –> 00:29:27.000

Corey Roach: Why is a medical professional and a hospital suddenly interested in internal combustion things that just don’t line up and we can identify fishy behavior.

While there are other points of contention in the presentation (we recommend reading the transcript and the slides, as well as the articles linked above), the publisher proxy tool brings up a perennial concern around information security practices that libraries need to be aware of when working with IT and publishers.

You Say Security, But What About Privacy?

Security and privacy are not one-to-one equivalents. We covered the differences in security and privacy in a previous post. Privacy focuses on the collection and processing of personal data while security focuses on protecting organizational assets that may include personal data. Privacy is impossible without security. Privacy relies on security to control access and use of personal data. However, there is the misconception that security guarantees privacy. Security is “do one thing and do it well” – protect whatever it’s told to protect. Security does not deal with the “why” in data collection and processing. It does the job, no questions asked.

When security measures like the proxy tool above are touted to protect publisher assets, the question of “why this data collection and tracking” gets lost in the conversation. Libraries, in part, also collect behavioral data through their proxies to control access to library resources. Even though this data collection by libraries is problematic in itself, the fact remains that the data in this proxy is collected by the library and is subject to library policy and legal regulations around library patron data. The same information collected by a vendor tool may not be subject to the same policies and regulations – outside of California and Missouri, there are no state laws specifically regulating vendor collection, processing, and disclosure of library patron data. Therefore, any data collected by the vendors are only subject to whatever was negotiated in the contract and the vendor privacy policies, both of which most likely allow for extensive collection, processing, and disclosure of patron data. Security that uses patron data doesn’t necessarily guarantee patron privacy and could even put patron privacy in jeopardy.

Bringing Privacy into Library InfoSec

Academic libraries are part of a campus system and are one of many ways an attacker can gain access to campus assets, including personal data, as demonstrated by Silent Librarian. However, academic libraries are also targets for increased surveillance in the name of information security, as illustrated by the SNSI presentation. The narrative of “academic library as the weak link in a campus network” can force libraries into a situation where patron privacy and professional ethics are both compromised.  This is particularly true if this narrative is driven by information security professionals not well acquainted with privacy and data ethics or by vendors who might financially benefit from the data collected by this increased surveillance of library patrons.

Library organizations and groups are weighing in on how information security should consider library privacy and data ethics. This Tuesday, ALA will be hosting a Town Hall meeting about surveillance in academic libraries. DLF’s Privacy and Ethics in Technology Working Group and the Library Freedom Project, co-collaborators with ALA’s Town Hall event, will most likely add to the conversation in the coming weeks with resources and statements. We’ll keep you updated as the conversation continues!

In the meantime…

A small postscript to the blog post – one reoccurring theme that we come across when talking to libraries about privacy is the importance of relationships with others in and outside the library. These relationships are key in creating buy-in for privacy practices as well as creating strong privacy advocates in the organization. What type of relationship do you have with your organizational information security folks? Check out this short presentation about building organizational relationships to promote a strong privacy and security culture if you are still wondering where to start.

The Threat Within

A headshot of Chadwick Jason Seagraves with text overlay: 'Anonymous Comrades Collective - Doxer Gets Doxed: "Proud Boy" Chadwick Jason Seagraves of NCSU'

People sometimes ask what keeps privacy professionals up at night. What is that one “worst-case scenario” that we dread? Personally, one of the scenarios hanging over my head is insider threat – when a library employee, vendor, or another person who has access to patron data uses that data to harm patrons. A staff person collecting patron addresses, birthdays, and names to steal the patrons’ identities is an example of insider threat. Another example is a staff person accessing another staff’s patron records to obtain personal information to harass or stalk the staff member.

Last week, an IT employee at NCSU was doxed as a local leader of a white supremacist group. This person, who worked IT for the libraries in the past, doxed individuals, including students in his own university, to harass and, in some cases, incite violence toward the people being doxed. As an IT employee, this person most likely had unchecked access to students, staff, and faculty personal information. It wouldn’t be a stretch to say that he still had access to patron information, given his connections to the library and his IT staff position.

Libraries spend a lot of time and attention worrying about external threats to patron privacy: vendors, law enforcement, even other patrons. We forget that sometimes the greatest threat to patron privacy works at the library. Library workers who have access to patron data – staff, administration, board members, volunteers – can exploit patrons through the use of their data for financial gain in the case of identity theft or harm them through searching for specific library activity, checkouts of certain materials, or even names or other demographic information with the intent to harass or assault. The reality is that there might not be many barriers, if at all, to stop library workers from doing so.

The good news is that there are ways to mitigate insider threat in the library, but the library must be proactive in implementing these strategies for them to be the most effective:

Practice data minimization – only collect, use, and retain data that is necessary for business operations. If you don’t collect it, it can’t be used by others with the intent to harm others.

Implement the Principle of Least Privilege – who has access to what data and where? Use roles and other access management tools to provide staff (and applications!) access to only the data that is absolutely needed to perform their intended duty or function.

Regularly review internal access to patron data ­­– set up a scheduled review of who has what access to patron data. When an employee or other library worker/affiliate changes roles in the organization or leaves the library, develop and implement policies and procedures in revoking or changing access to patron data at the time of the role change or departure.

Confidentiality Agreements For Library Staff, Volunteers, and Affiliates – your privacy and confidentiality policy should make it clear to staff that patrons have the right to privacy and confidentiality while using library resources and services. Some libraries go further in ensuring patron privacy by using confidentiality agreements. These confidentiality agreements state the times when patron data can be access and the acceptable uses for patron data. Violation of the agreement can lead to immediate termination of employment. Here are some examples of confidentiality agreements to start your drafting process:

Regularly train and discuss about privacy  – ensure that everyone who is involved with the library – staff, volunteers, board members, anyone that might potentially access patron data as part of their role with the library – is up to date on current patron privacy and confidentiality policies and procedures. This is also an opportunity to include training scenarios that involve insider threat to generate discussion and awareness of this threat to patron privacy.

A note about IT staff, be it internal library IT staff or an external IT department (campus IT, city government IT, or another form of organizational IT) – Do not automatically assume that IT staff are following privacy/security standards and policy just because they are IT. Now is the time to discuss with your IT connections about their current access is and what is the minimum they need for daily operations. However, even if the IT department practices good security and privacy hygiene (such as making sure they follow the Principle of Least Privilege), any IT staff member who works with the library in any capacity must also sign a confidentiality agreement and be included in training sessions at the very minimum.

A data inventory is a good place to start if you are not sure who has access to what data in the library. The PLP Data Privacy Best Practices for Libraries project has several templates and resources to help with creating a data inventory, assessing privacy risks, and practical actions libraries can take in reducing the risk of an insider threat.

Libraries serve everyone. We serve patrons who are already at high risk for harassment and violence. Libraries must do their part in mitigating the risk that insider threat creates for our patrons who depend on the library for resources and support. Otherwise, we become one more threat to our patrons’ privacy and potentially their lives or the lives of their loved ones.

Just Published – Data Privacy Best Practices Toolkit for Libraries

Welcome to this week’s Tip of the Hat!

Today we’re happy to announce the publication of the Data Privacy Best Practices Toolkit for Libraries. This toolkit is part of the Data Privacy Best Practices Training for Libraries project, an LSTA-funded collaborative project between the Pacific Library Partnership and LDH focusing on teaching libraries the basics of data privacy. This introduction into data privacy in libraries serves as a guide for both administration and front-line workers, providing practical advice and knowledge in protecting patron data privacy.

The cover page for Data Privacy Best Practices Toolkit for Libraries: A Guide for Managing and Protecting Patron Data.

What does the toolkit cover? The topics range from the data lifecycle and managing vendor relationships to creating policies and procedures to protect patron privacy. The toolkit covers specific privacy concerns in the library, including law enforcement requests, surveillance, and data analytics. We also get to meet Mel and Rafaël, two library patrons who have unique privacy issues that libraries need to consider when thinking about patron privacy.  At the end of the toolkit is an extensive resource section with library privacy scholarship, professional standards, and regulations for further reading.

This toolkit is part of a larger group of resources, including templates and examples libraries can use to develop contract addendums, privacy policies and procedures, and data inventories and privacy risk assessments. In short, there are a lot of resources that are freely available for you to use in your library! Please let us know if you have any questions about the project resources.

Finally, stay tuned – the project is going into its second year, focusing on “train the trainer” workshops for both data privacy and cybersecurity. We’ll keep you updated as more materials are published!

NaNoWriMo: Data Privacy Edition

A Siamese cat sitting in front of an open laptop computer.
‘Tis the season for all things writing. Your cat might have some opinions about that… Source: https://www.flickr.com/photos/cedwardmoran/4179761302/

Welcome to this week’s Tip of the Hat!

Today marks the second day of NaNoWriMo – National Novel Writing Month. For years many aspiring (and established) writers spend countless hours writing to reach the goal of a 50,000-word manuscript. If you do the math, you would have to write about 1700 words a day to reach the goal! Novels are the primary genre for NaNoWriMo, but that hasn’t stopped others from taking the idea of a writing month and using it for other genres. For example, this month is also AcWriMo, or Academic Writing Month, for academics who need to buckle down to write that research book or article.

With November being the month of writing, why not join in the fray with writing about data security and privacy? Our recent Cybersecurity Awareness Month posts discussed the importance of interactive and engaging training, so the question now is how you can build a data security and privacy training that won’t put staff to sleep, or worse, demotivate them from taking proactive privacy and security measures to protect patron data. One way to create engaging training is to use stories and scenarios. Drawing from real-world examples is a start, but the challenge is turning that example into a scenario where training participants are invested in addressing the problems presented in the story. Here are a few tips to help you with the writing process!

Characters – who are the major players in the scenario? Staff person, patron, vendor, random person who comes off the street, the cat who keeps sneaking into the library building? Once you have the characters, what roles do they play? What are their motivations? Why do they do the things they do or think the way they think?

So many questions, even for a short scenario! Take a page from User Experience (UX) and create personas to help with the character-building process. Even a shortlist of who they are, what motivates them, what they want, and what they know can help hone the scenario narrative as well as introduce common types of motivations, knowledge/skill levels, and different types of threat actors or people that might face additional privacy risks to training attendees. 

If you need more inspiration for characters, may I introduce you to Alice and Bob and their crypto-friends?

Story – Your real-world examples or the case studies you learn from others are two good places to start. That shouldn’t stop you from exploring building scenarios from scratch! Or perhaps you would like to modify the real-world examples into a scenario that would be a better fit for the training you’re developing. One concept to explore for your scenario is threat modeling, or identifying potential weaknesses at the library (systems, procedures, policies, etc.), who or what might take advantage of the weakness, and what can be done to either avoid or mitigate the threat. The threat modeling process can uncover a complex web of threats and vulnerabilities that interact with each other. On the other hand, it could lead to valuable conversations with trainees about how one vulnerability can create a ripple effect if exploited, or how a threat actor isn’t always acting with malicious intent. Sometimes the most dangerous threat actors are not aware that they are putting data privacy at risk such as a staff person with good intentions sharing patron data without knowledge of patron privacy procedures. 

Visual aids – What’s a story without visual aids? You might not have the resources or acting chops to create scenario videos, but there are always pictures to give life to your characters and scenarios. Luckily, there are several Creative Commons licensed resources to choose from:

You can also search for CC-licensed photos on Flickr and Creative Commons.

There are a lot more you can do with building scenarios for your data privacy and security trainings, but these three areas will hopefully get you started down the path of becoming an accomplished author… of training scenarios 😉 Enjoy your writing journey, and good luck!

Something You Have/Know/Are: Multifactor Authentication

Welcome to this week’s Tip of the Hat!

Cybersecurity Awareness Month wouldn’t be complete if we didn’t talk about authentication! Traditionally a perennial topic for cybersecurity training, authentication was also in the news last week with the allegation of a well-known security researcher breaking into a presidential candidate’s Twitter account. The researcher, who also broke into the candidate’s account in 2016, was able to break into the account by brute force, trying out possible passwords based on what he knew of the candidate. In both cases, multifactor authentication was not turned on. If the allegation is true, the candidate did not learn from the 2016 hack, leaving his account vulnerable for all these years.

Why is multifactor authentication (MFA) important? The following is an excerpt from our April post on the LITA Blog where we explain what MFA is, why it’s important, and how to implement it alongside other cybersecurity measures!

Multifactor authentication

Our community college district has required access to our LSP, Alma, that requires multi-factor authentication when used through our single sign on provider. Can you talk a little bit about the benefits of multi-factor authentication?

Multifactor authentication, or MFA, is an authentication method that requires at least two out of the three types of items:

  • Something you know, like your password
  • Something you have, like your phone with an authentication app or like a physical key such as a YubiKey
  • Something you are, like your fingerprint, face, voice, or other biometric piece of information

(FYI – More MFA methods are adding location-based information to this list [“Somewhere you are”].)

MFA builds in another layer of protection in the authentication process by requiring more than one item in the above list. People have a tendency to reuse passwords or to use weak passwords for both personal and work accounts. It’s easy to crack into a system when someone reuses a password from an account that was breached and the password data subsequently posted or sold online. When combined with two-factor authentication (2FA), a compromised reused password is less likely to allow access to other systems.

While MFA is more secure than relying solely on your traditional user name and password to access a system, it is not 100% secure. You can crack into a system that uses SMS-based 2FA by intercepting the access code sent by SMS. Authentication apps such as Duo help address this vulnerability in 2FA, but apps are not available for people who do not use smartphones. Nonetheless it’s still worthwhile to enable SMS-based 2FA if it’s the only MFA option for your account.

This all goes to say that you shouldn’t slack on your passwords because you’re relying on additional information to log into your account. Use stronger passwords or passphrases – ideally randomly generated by Diceware – and do not reuse passwords or passphrases. Check out this video by the Electronic Freedom Foundation to learn more about Diceware and how it works. It’s a good way to practice your dice rolls for your next tabletop gaming session!

As a reminder – your security is only as strong as your weakest security practice, so once you have created your password or passphrase, store it in a password manager to better protect both your password and your online security.