Apr 20, 2015
At TeamSnap, we take security very seriously. We’re constantly working to ensure that our customers’ information is protected and that we’re doing everything we can to prevent the kinds of hacks you read about almost weekly in the news. Security isn’t something we check off a list and call “done”; it’s an ongoing process for us.
With that in mind, beginning today, April 20, 2015, we’re initiating a small change that will help continue to protect customer information. I sat down with Frank Watervoort, our VP of Engineering and resident Nederlander, to get the scoop on what’s changing.
So Frank, what’s changing?
We’re changing our password requirements for new accounts. This is a fairly small change that could have a big impact. Currently, passwords are required to be any eight characters that aren’t the customer’s username. The new requirements will keep those, but also add that there needs to be at least one number and at least one letter. Passwords can also contain spaces, for example “teamsnap rules 33.”
Was this prompted by an incident?
Absolutely not; we haven’t had a security breach. We are just constantly looking for ways to beef up TeamSnap’s privacy and security.
So new passwords will now have to be eight characters, not your username and must include one letter and one number?
Is there an echo in here? Yes, that’s correct. We’ll also have a list of weak passwords that we’ll test new passwords against. If your new password is on that list, we’ll ask you to choose a different one.
Where’d the list come from, and what makes a weak password?
Our list of weak passwords is loosely based on a published list of the 10,000 most common passwords, and its entries are all a minimum of eight characters. Weak passwords include the user’s name and common number/letter patterns, like “abcd1234,” for example.
Does that mean that every customer will have to change their password?
No, this is for new passwords only. So if someone creates a new account, they’ll have these password requirements. Or, if someone changes their password, they’ll have these password requirements.
Even though we’re not requiring every existing customer to change their password, we do recommend that they update their passwords regularly to keep their accounts secure. We highly recommend an updated password for people who think they have easy passwords or who have never changed their password.
What defines a strong password? I’m assuming it’s not muscles.
Strong passwords include special characters, uppercase and lowercase letters, and are hard to guess. They aren’t used across a lot of different services; for example, you don’t make your bank password and your Facebook password and your TeamSnap password the same password. Strong passwords aren’t shared, and strong passwords are changed regularly. If you use the same password across many services and one of those weaker services gets hacked, ill-intentioned people will try those hacked credentials across many services and often succeed in gaining access, so use unique passwords.
But using one password for everything makes it easy to remember! There are so many passwords. If each one is different, how will I ever remember them all?
There are some tools to help with this. For example, Apple users can use the iCloud Keychain, which generates passwords, stores them and autocompletes them for you. There’s also a tool called LastPass, which is a password manager that keeps a secure database of your passwords and remembers them in your Internet browser, as well as 1Password, which is the one we use internally at TeamSnap. Especially if you regularly use a laptop in a public place, for example, if you don’t use a password manager and instead have your browser save all of your passwords, and then your computer is stolen, there goes all of your info. Password managers really are important.
That’s good advice. While we’re on the topic, do you have any other security knowledge you want to drop on us?
In addition to doing your part by having a secure password, it’s also important to control access to your computer. Always lock your computer and require a password to unlock it, even if you only step away for a minute. If you spend a lot of time on public Wi-Fi, you should consider a VPN service that encrypts all of the info sent and sites you visit. Keep your computer up to date with the latest security patches and use a reputable anti-virus. And finally, make sure your kids aren’t visiting sites that could be vulnerable to hackers by using a service like OpenDNS, which limits the sites they can visit.
Thanks for your time, Frank! It’s good to know folks like you are on the case.
You’re welcome. TeamSnap is doing everything we can to safeguard users’ data. Security is something that we are constantly focusing on, and we’re doing everything we can to make sure we always have the latest security patches in place and our infrastructure is secure. We’re asking that users do their part, too, to help protect information with sufficiently strong passwords.
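The rules described in the interview (at least eight characters, not the username, at least one letter and one number, spaces allowed, rejected if on the weak list) written as a validator. This is an added example, not TeamSnap's code; the function names, the case-insensitive comparisons, the Unicode normalization and the sample list are assumptions.

```python
import unicodedata

MIN_LENGTH = 8  # from the post: passwords must be at least eight characters


def build_weak_list(common_passwords):
    """Build the deny list from a common-password list.

    Entries shorter than MIN_LENGTH are dropped: the length rule already
    rejects them, which matches the post's note that every entry on the
    list is at least eight characters. Case-folding is an assumption.
    """
    return {p.casefold() for p in common_passwords if len(p) >= MIN_LENGTH}


def check_new_password(password, username, weak_list):
    """Return the list of violated rules; an empty list means accepted."""
    # Assumption: normalize first so visually identical input compares equal.
    normalized = unicodedata.normalize("NFKC", password)
    folded = normalized.casefold()
    problems = []
    if len(normalized) < MIN_LENGTH:
        problems.append("too_short")
    if folded == username.casefold():
        problems.append("equals_username")
    if not any(ch.isalpha() for ch in normalized):
        problems.append("no_letter")
    if not any(ch.isdigit() for ch in normalized):
        problems.append("no_number")
    if folded in weak_list:
        problems.append("on_weak_list")
    return problems


# Constructed sample data, not the published 10,000-password list.
SAMPLE_COMMON = ["password", "123456", "abcd1234", "qwerty", "baseball1"]

if __name__ == "__main__":
    weak = build_weak_list(SAMPLE_COMMON)
    for candidate in ["teamsnap rules 33", "ABCD1234", "CoachKim", "12345678"]:
        print(repr(candidate), check_new_password(candidate, "coachkim", weak))
```

Returning every violated rule at once lets a sign-up form show all problems in a single round trip.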